DevSecOpsDad

Welcome back to KQL Toolbox 👋 So now comes the unavoidable next question: Are our detections actually aligned to how attackers operate — and are we getting faster at shutting them down? This is where many SOCs stall out… They collect alerts, map techniques, and celebrate coverage — but never... [Read More]

Welcome back to KQL Toolbox 👋 Last week in KQL Toolbox #5, we went full threat-hunter mode — tracking phishing and malware campaigns across domains, senders, and payload patterns. [Read More]

Welcome back to KQL Toolbox 👋 In KQL Toolbox #1, we learned how to measure Microsoft Sentinel ingest and translate it into real operational dollars. In KQL Toolbox #2, we identified which data sources were driving that cost. In KQL Toolbox #3, we drilled all the way down to specific... [Read More]

Welcome back to KQL Toolbox 👋 In KQL Toolbox #1, we learned how to measure Microsoft Sentinel ingest and translate it into real dollars. In KQL Toolbox #2, we identified which data sources were driving that cost. And in KQL Toolbox #3, we drilled all the way down to specific... [Read More]

Welcome back to KQL Toolbox 👋 Welcome back to the DevSecOpsDad KQL Toolbox series! In the last entry KQL Toolbox #2, we zoomed in on log source cost drivers—using _IsBillable and _BilledSize to identify which tables, severities, and Event IDs were burning the most money in Microsoft Sentinel. [Read More]