Auditing Attack Surface Reduction (ASR) rules can generate overwhelming data. In this blog, we walk through the different ways of verifying the audit results, different types of exclusions, and provide an advanced KQL that surfaces detailed information.
In this installment of the Graph Activity Log series, we uncover how attackers exploit OAuth app consent to silently access Microsoft 365 data. Using targeted KQL queries and PowerShell automation, this blog shows how to detect, investigate, and respond to these stealthy identity-based threats.
In this installment of our Graph Activity Log series, we’ll provide a practical playbook for using the Graph Activity Log and Kusto Query Language (KQL) to hunt for indicators of document exfiltration.
In this article, we guide you through the process of using the Graph Activity Log and Kusto Query Language (KQL) to hunt for common indicators of mailbox compromise, with useful tips along the way.
Defender for Endpoint gathers system information to support operation and detection needs. We can then leverage that data to build a custom report to show the deployment status. This blog walks through that process using KQL.
In this episode of Practical Sentinel, Thijs Lecomte discusses how to create some basic KQL queries to track MFA usage.
Microsoft 365 security is a big topic. Focus is important when it comes to getting things done. In this article, we suggest five areas that administrators could work on during 2023 to improve the security posture of their tenant. You might already have established full control over some of these areas. Even if you have, it's still good to consider if you can improve security.
Kusto Query Language, or KQL for short, is omnipresent in the Microsoft world and is used in different product stacks. Like any language, KQL can be challenging to understand and know where to start. This article is intended to help newcomers to get started.
While Microsoft Sentinel is certainly an excellent product, many organizations lack clear understanding around Microsoft 365 Defender and if it also provides a way to aggregate multiple security products. Microsoft MVP Thijs Lecomte explores the differentiators in this article: having a bird's eye view across security products, automation, third-party data sources, and more importantly - why you should enable it.
