📢 IRQL: a unified CTI query language in KQL for security analysis
📝 🔍 Context

Published on 04/05/2026 on GitHub (gist by Diana Damenova), this article presents **IRQL (Incident Response Query Language)**, a library of functions...
📖 cyberveille: https://cyberveille.ch/posts/2026-04-05-irql-un-langage-de-requete-cti-unifie-en-kql-pour-l-analyse-de-securite/
🌐 source: https://gist.github.com/ddamenova/a24f3f012012affd017d6bf712f2dd02
#IRQL #KQL #Cyberveille

IRQL: a unified CTI query language in KQL for security analysis

🔍 Context
Published on 04/05/2026 on GitHub (gist by Diana Damenova), this article presents IRQL (Incident Response Query Language), a library of KQL (Kusto Query Language) functions designed to unify and simplify the analysis of security logs in Microsoft environments (Azure, Sentinel, Defender XDR).

🛠️ Tool description
IRQL was created by Saar Ron, John Lambert and Diana Damenova. It is a set of KQL functions organised into five families:

CyberVeille

*Read it like an infomercial*

Are you tired of working with logs that contain arrays with multiple JSON like this?

Have you tried creating a new column with the value you want only to find out that this value has no fixed position in the array?

Now your problems are over! With this 5-line KQL snippet, written by a real human, you can finally have the peace of mind that all the fields are populated correctly and everything is neat inside a single JSON!

https://github.com/0x-cde/Threat-Hunting-with-KQL/blob/main/CodeSnippets/Converting-array-of-json-to-single-json.md

#kusto #kustoquery #kql #threathunting #threat_hunting #dfir #digitalforensics
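One way to do this in KQL, shown here as an added example rather than the snippet from the linked repository: the table, its column names and the Key/Value shape of the array elements are constructed for the illustration.

```kql
// Constructed sample: each row carries an array of {"Key":...,"Value":...} objects
// whose order differs from row to row, so positional access such as Props[0].Value is unreliable.
let SampleLogs = datatable(EventId:int, Props:dynamic) [
    1, dynamic([{"Key":"user","Value":"alice"}, {"Key":"ip","Value":"10.0.0.5"}]),
    2, dynamic([{"Key":"ip","Value":"10.0.0.9"}, {"Key":"result","Value":"failure"}, {"Key":"user","Value":"bob"}]),
    3, dynamic([{"Key":"result","Value":"success"}])   // a key that is absent simply yields an empty value
];
SampleLogs
// mv-apply runs the subquery once per row over the expanded array elements
| mv-apply p = Props on (
    // bag_pack turns each element into {Key: Value}; make_bag merges them into one property bag
    summarize Merged = make_bag(bag_pack(tostring(p.Key), p.Value))
  )
// Fields can now be read by name, independent of their position in the original array
| extend User = tostring(Merged.user),
         Ip = tostring(Merged.ip),
         Result = tostring(Merged.result)
| project EventId, User, Ip, Result, Merged
```

If two elements in one row share the same Key, make_bag keeps one of them, so check for duplicate keys before relying on the merged bag in a detection.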

After a suspicious service principal incident, one of the first triage questions is what else this identity can reach.

I published a new blog on how I used Microsoft Sentinel data federation and custom graphs to investigate hidden privilege paths without moving all of the supporting access context into the analytics tier.

In this example, I traced a rogue service principal to two high-value resources, a Key Vault and a storage account, using federated context that remained in ADLS Gen2.

My biggest takeaway is that a small number of well-structured context tables can go a long way in an investigation. That is not to say large-scale ingestion does not have its place, but when the goal is faster triage and clearer decision-making, the investigation question should help guide the design.

Microsoft is making it easier to work this way, and I’m excited to see where data federation and custom graphs go from here.

https://nineliveszerotrust.com/blog/sentinel-data-federation-custom-graphs/

#MicrosoftSentinel #MicrosoftSecurity #MicrosoftDefender #KQL #CloudSecurity

Blog alert!

This time, a way to handle arrays that only have one element in KQL. A follow-up to the previous blog on XML and JSON.

#MicrosoftFabric
#ADX
#Kusto
#KQL
#JSON
#XML
#DataEngineer

http://sqlreitse.com/2026/03/17/microsoft-realtime-intelligence-the-array-that-wasnt/

Microsoft Realtime Intelligence: the array that wasn’t

In a previous blog, I wrote about processing XML and that it’s actually JSON after the first pass. So far, so good. But then I found out that not all data was returned. That’s weird bec…

Reitse's blog
Microsoft Fabric Realtime Intelligence: Processing XML, or are you?

I’ve been working for quite some time on a fun solution in Fabric Realtime Intelligence. We’re processing XML files into a structured table. As you’re probably aware, XML has its …

Reitse's blog
Microsoft Defender for Endpoint Deep Dive: Part 1

Uncover the technology stack behind Microsoft's most critical security component - from behavioral sensors and cloud analytics to automated investigation capabilities that redefine endpoint protection

CyberBoo

🎙️ With Yoan Schinck on threat hunting in KQL!

On the menu:
• Threat hunting workshop in Microsoft Sentinel
• Detecting service account abuse
• How to build a homelab with just 2 VMs and free tools

His philosophy: master the concepts, the syntax is learned afterwards.

🎧 Web: https://polysecure.ca/posts/episode-0x673.html#db0bb2c2
🎧 Spotify: https://open.spotify.com/episode/1jBpkTICSTl60b2T2AMyPA?si=UjbrTZYQSFygVHm68VAWjw
🎧 YouTube: https://youtu.be/xooV2tQ4dy8

#Cybersécurité #ThreatHunting #KQL #SOC

🕵️‍♂️ KQL is both a science and an art.

If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

🔗 Read the full walkthrough here: https://marshsecurity.org/sentinel-skills-saturday-edition-one/

Share your comments 👇
What’s YOUR top KQL tip or favourite optimisation trick?

Let’s build a thread of practical advice for the hunting community.
#MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

I'm starting to work with #Microsoft #Sentinel, so I want to teach myself the basics of #KQL. There's a tutorial: https://learn.microsoft.com/en-us/kusto/query/tutorials/learn-common-operators . It sends me to https://learn.microsoft.com/en-us/fabric/real-time-intelligence/sample-gallery to get the sample data.
I follow the instructions and end up with data that doesn't match the tutorial so none of the queries in the tutorial work (the query expects a table "StormEvents", the data has "Weather" instead).
This is the first experience Microsoft gives to people trying to learn their technology.
smdh
Tutorial: Learn common Kusto Query Language operators - Kusto

This tutorial describes how to write queries using common operators in the Kusto Query Language to meet common query needs.

How to Use Azure Monitor to Gain Insights and Ensure Application Health

In modern cloud environments, maintaining the health and performance of applications is critical. Azure Monitor provides a full-stack monitoring solution that enables organizations to track metrics, diagnose issues, and gain deep insights into their applications and infrastructure. #azuremonitor #CloudMonitoring #ContainerInsights #devops #kql #loganalytics #sentinel #siem #threatdetection

https://azuretracks.com/?p=2781