is live! 🛡️ I thought about starting a blog page for a while now, the first steps have been taken. In the next period, I will start uploading more #KQL and security related content.

The guidance has been updated with a patch and new KQL hunting query.

Hunting on the child processes of w3wp.exe (IIS process) may also by valid as per @andrewdanis’s comment.

RT @msftsecresponse: Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-20….

Sorry to disturb your weekend. There is a SharePoint 0day actively abused. Do not only focus on the rule of MSRC for hunting, other blogs also share different files and folders in use!. Additional info:.MSRC: Blog by @eyesecurity_:

RT @SecurityAura: Interesting technique and developing I would say. 2 quick #KQL queries out for #MicrosoftSentinel and #MDE if you want to….

RT @WesSec_: Mercedes will let you onboard your car in Intune? This is the stupidest thing I've heard this week.

RT @RobbeVdDaele: 🔎 Detect Direct Send phishing emails. Below you can find a query that can help you find phishing emails being send using….

New Blog: Hunting Through APIs - Logic App Edition. Logic Apps allow organizations to automate processes easily. This blog discusses how KQL can be used in Logic Apps through the Graph API, Azure Monitor API and Defender ATP API to automate SOC processes.

RT @LouisMastelinck: Fix MDE selective isolation with Isolation Exclusions rules and allow Teams & Outlook communication again. 5min work….

GraphApiAuditEvents is now in Public Preview. The data is natively ingested into Unified XDR. This may become the alternative for MicrosoftGraphActivityLogs, as they are costly to ingest but very valuable for incident response.

Drafted some #KQL to hunt for filefix. Suspicious Explorer Child Process: Suspicious Browser Child Process (may want to add some custom exclusion or match specific commandline parameters)

Sometimes it's good to read junk mail and laugh. ✅ Cobalt Strike Beacon .✅ GDPR Buzzword .✅ Mentioning that you are an ATP hacking group.✅ Lateral movement from cloud email to all my local devices

RT @mc2mcbe: In the third session of the evening @BertJanCyber is talking about "Attack Disruption and Beyond". #MC2MC #MC2MCLive #Communit….

We have some new logs again: DisruptionAndResponseEvents

RT @ErikMoreau: 3rd session of the evening @mc2mcbe by @BertJanCyber on ‘Attack Disruption and Beyond’ #MVPBuzz #Security #community https:….

RT @mc2mcbe: We’re thrilled to welcome @BertJanCyber as a speaker at MC2MC Live: Voyage to the Edge of the Cloud!🚀 . 📅 Thursday, June 26th….

Sunday ride 🏍️🇩🇪

It's time to prepare for my session at @mc2mcbe, titled Attack Disruption and Beyond. Hope to see you in Belgium on June 26th!

New Blog: Hunting Through APIs. In today’s blog, we’re diving into the world of hunting with #KQL through APIs. The blog discusses the advantages, limitations, permissions and scopes of the Graph API, Azure Monitor API, and Defender ATP API.

Two new advanced hunting tables are coming soon! .FileMaliciousContentInfo & CampaignInfo. MC1088729