• KQL Detective Part 2

    Recap: In my last post, we leveraged the awesome power of KQL to investigate the drop in billable LogManagement ingest volume illustrated below (left side). During this investigation, we noticed a sudden increase in Security ingest volume toward the end of March. In this post, we’re going to track down...

• KQL Detective Part 1

    Introduction and Use Case: So you’re a new kid on the SOC and Accounting is freaking out about a massive unexpected increase in their Sentinel ingest cost (or a sudden decrease; both are covered in detail) and demanding an explanation. This is a step-by-step guide to leveraging KQL for...

• Anatomy of a KQL Query Part 2

    Introduction and Use Case: Continuing from a previous post, today we’ll dissect even more simple but powerful KQL queries that are essential to keep in your threat hunting utility belt. Recap: In my last post, we broke down some helpful, basic KQL queries and syntax: defining the table to query against...

• Anatomy of a KQL Query Part 1

    Introduction and Use Case: Whether you’re new on the SOC or a seasoned Sentinel Ninja, here are some basic queries I keep coming back to when investigating anything odd about my ingest patterns (and thus my overall cost). Query Breakdown: So how do you know something is “odd” with your...
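The four posts above share one starting point: the Log Analytics `Usage` table, which records billable ingest per solution (such as LogManagement or Security) and per data type (table) in MB. As an added example that is not taken from any of the posts, the query below compares each table's average daily billable ingest over the most recent week against the preceding weeks, so a sudden drop or spike like the ones described in the teasers surfaces at the top of the result. The 60-day lookback and 7-day "recent" window are assumptions; adjust them to the period you are investigating.

```kql
// Added example: per-table daily ingest, recent window vs. baseline.
// Usage.Quantity is reported in MB; IsBillable separates paid from free ingest.
let lookback = 60d;   // assumption: how far back to build the baseline
let recent   = 7d;    // assumption: the window you suspect changed
let daily = Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize MB = sum(Quantity) by Solution, DataType, Day = bin(TimeGenerated, 1d);
let baseline = daily
    | where Day <= ago(recent)
    | summarize BaselineMBPerDay = avg(MB) by Solution, DataType;
let current = daily
    | where Day > ago(recent)
    | summarize RecentMBPerDay = avg(MB) by Solution, DataType;
baseline
| join kind=fullouter current on Solution, DataType
// fullouter keeps tables that only appear in one window (new source or source that stopped)
| extend Solution = coalesce(Solution, Solution1), DataType = coalesce(DataType, DataType1)
| extend ChangePct = round(100.0 * (coalesce(RecentMBPerDay, 0.0) - coalesce(BaselineMBPerDay, 0.0))
                           / BaselineMBPerDay, 1)
| project Solution, DataType, BaselineMBPerDay, RecentMBPerDay, ChangePct
| order by abs(ChangePct) desc
```

A table with a null `BaselineMBPerDay` and a non-null `RecentMBPerDay` is a source that did not exist in the baseline window (a new connector or a new data collection rule); the reverse means a source that stopped sending, which is exactly the "sudden decrease" case the KQL Detective posts walk through.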