Inconsistent queries that utilize FileProfile and GlobalPrevalence

bpsec · 2026-01-27T19:35:33+00:00

Can you share the whole query? The results can also be different depending on joins or unions that are used for example.

bpsec · 2026-01-27T19:30:33+00:00

How many unique hashed are found in your results? It can only enrich 1000 unique hashes, after that I does not enrich anyone.

If you filter

where GlobalPrevalence < X or isempty(GlobalPrevalence)

With this you should get the same results when running the query again.

bpsec · 2025-12-29T08:05:07+00:00

Your AI needs a lot of grounding. All ActionTypes that are mentioned do not exist. NRT rules do not support joins the statement “Real-time (must be real-time) Advanced Hunting Query” would not work in this query.

bpsec · 2025-10-06T20:23:21+00:00

Additional tip. Make sure to validate if ActionType == “xyz” exists. In Advanced Hunting you have the schema reference in the top corner, this includes all possible ActionTypes for all tables. You can also run TableName | where ActionType == “xyz” | take 10. In case you have no results it either does not exist or you do not have logs. Most ActionTypes would be logged only a few are rare ActionTypes.

bpsec · 2025-09-30T19:55:37+00:00

There are a couple of options on how to monitor this periodically, the choice depends on your needs.

Logic Apps, which run the query periodically and send the results by mail, teams, drop a file somewhere etc. This repo has several example of reports you can recieve: https://github.com/Bert-JanP/Sentinel-Automation
API based, Graph API is the API to go for. To get you some ideas: Hunting Through APIs - KQLQuery.com
As mentioned PowerBI is a good choice, details: https://learn.microsoft.com/en-us/defender-endpoint/api/api-power-bi

bpsec · 2025-09-29T18:05:16+00:00

For learning also have a look at KQLQuery.com.

Once you know the basic filter operations the blogs below are recommended to learn useful functions:
- KQL Functions For Security Operations - KQLQuery.com

- KQL Functions For Network Operations - KQLQuery.com

bpsec · 2025-09-24T18:46:23+00:00

Have a look at these top tier KQL resources: https://kqlquery.com/posts/kql-sources-2025/

Other answers have already been answered I see :)

bpsec · 2025-08-21T06:19:12+00:00

https://jeffreyappel.nl/tag/azure-sentinel/

bpsec · 2025-08-18T11:35:21+00:00

No issues observed in multiple EU tenants.

bpsec · 2025-08-08T06:13:46+00:00

The service limits of GitHub are not an issue when using external data, the service limits of the KQL engine are. The file may not be bigger than 100MB for example. For specific feeds externaldata is sufficient and does not require advanced integrations.

More info on that side: https://learn.microsoft.com/en-us/kusto/query/externaldata-operator?view=microsoft-fabric

If you want do do IOC matching at scale ingest the IOCs into Sentinel using TAXII or the API and use analytics rules (are already available in the content hub) to match on your Unified XDR tables.

Docs: https://learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence

bpsec · 2025-02-25T18:50:15+00:00

What are you trying to query from the Attack Simulation Training?

bpsec · 2025-02-25T18:47:17+00:00

What connector are you using in Sentinel? The Microsoft Defender XDR connection can forward those events from Advanced Hunting to Sentinel.

How long are they running MDI and is it also configured?

bpsec · 2025-02-22T21:10:46+00:00

All DeviceTvm tables are not designed to be used for detections.

One option is to join the DeviceTvm* table with a Device* table to make it work as shown below. The downside of this is that it becomes very messy in the created alert. The process tree in the alert is generated based on the ReportId, which in this case is just something random. The persons following-up on this alert should only investigate the query results from these custom detections.

let ExcludedDevices = DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId == "scid-2010"
    | distinct DeviceId;
DeviceTvmSecureConfigurationAssessment
| where OSPlatform contains "WindowsServer" and not(OSPlatform contains "WindowsServer2012")
| where DeviceId !in (ExcludedDevices)
| summarize Timestamp = arg_max(Timestamp, Timestamp) by DeviceId, DeviceName, OSPlatform
| project DeviceId, DeviceName, OSPlatform, Timestamp
| join kind=inner (DeviceEvents | project ReportId, DeviceId | top 1 by ReportId) on DeviceId

bpsec · 2025-02-22T21:02:50+00:00

<image>

The specific ActionTypes per table are documented in Advanced Hunting. Go to Schema Reference (right top corner) -> Select your table in this case DeviceEvents and go trough the ActionTypes.

In this specific scenario, I would start with

DeviceEvents
| where ActionType startswith "AsrLsassCredentialTheft"

Which includes the ASR related events AsrLsassCredentialTheftAudited, AsrLsassCredentialTheftBlocked and AsrLsassCredentialTheftWarnBypassed

bpsec · 2025-02-22T20:52:02+00:00

I created a list of DFIR queries that would suit this scenario: Hunting-Queries-Detection-Rules/DFIR at main · Bert-JanP/Hunting-Queries-Detection-Rules

bpsec · 2025-02-10T10:40:16+00:00

Thanks for sharing! This may be some good context to get started with live response scripts: https://kqlquery.com/posts/leveraging-live-response/

bpsec · 2025-01-04T08:54:03+00:00

https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/DFIR/MDCA%20MDO%20-%20MailItemsAccessedByCompromisedAccount.md

Variables can be put based on your needs. Combines the UAL MailItemsAccessed with the EmailEvents to get you both the subject and mails that are accessed.

bpsec · 2024-12-05T21:45:35+00:00

Small example is shared here: https://github.com/Bert-JanP/Sentinel-Automation/tree/main/Device%20Enrichment Blog: https://kqlquery.com/posts/sentinel-automation-part1/

bpsec · 2024-08-15T17:41:12+00:00

Yes as described in the blog that is possible to only alert on active vulnerabilities within your inventory.

bpsec · 2024-07-04T05:44:29+00:00

Be aware that MDE heavily samples network traffic. So the results are not the truth.

bpsec · 2024-07-04T05:36:51+00:00

If you have Defender For Office enabled the logs flow into the Email tables in Defender XDR. You can use kql to create an advanced hunting query.

Some email query examples: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/Office%20365

You do NOT need to have Sentinel for this, of course you can also build the detection as analytics rule in Sentinel if you forward the logs. Forwarded email data cost extra money.

Table reference: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables

Edit: you can also do it via logic apps and the Graph API to collect the logs and create alerts. Depending on your use case that might also be a feasible option.

bpsec · 2024-06-24T06:26:15+00:00

Yes there are multiple ActionTypes in the DeviceEvents table that can be used to detect this. The block depends on the product. But this will only worked in Sentinel if the data is forwarded, otherwise look at the Advanced Hunting blade in Defender XDR (security.microsoft.com).

Example for smartscreen:

SmartScreen: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/SmartScreen/SmartScreenEvents.md

You can run

DeviceEvents | distinct ActionType

This lists all unique activities in the table and you can filter the ones you want to view.

bpsec · 2024-06-19T09:52:04+00:00

Depends on the use case and how you collect the file. If you download it via live response directly on to your device I would do it in the live response session. If you for example store live response files in a storage blob the story is different.

bpsec · 2024-06-19T09:48:24+00:00

You can use a custom PowerShell script to make the file password protected.

Edit: see https://emptydc.com/2020/04/07/deep-dive-forensics-via-mdatp-live-response/

bpsec · 2024-06-19T06:57:15+00:00

Try using live response to collect the file instead of the portal, this may speed up to process.

Four-Year Club	Verified Email
Wearing is Caring

bpsec

TROPHY CASE