LLM Hunting in a MDE Environment KQL query to scan for local LLM installation in a MDE environment.

@SecurityAura 💯Jackpot! 😄 You got it all right!👍

@ShanHolo Yes it's KQL for both Sentinel and DefenderXDR

To detect command-line obfuscation in DefenderXDR, employ the tolower and parse_command_line KQL commands on the Schema ProcessCommandLine field. This approach allows you to use has_any to match against an array of commands or parameters that your detection rule is targeting.

AI Models on Azure - Threat Hunting 😅 Curious to know how many AI Model runs on Azure including our "beloved" DeepSeek R1. Take a pick ... 1. 258 2. 589 3. 1078 Answer revealed in a day ... no cheating!

watchTowr Blog: KQL Code:

*𝗡𝗘𝗪* 𝗘𝗻𝘁𝗿𝗮 𝗔𝗜 𝗔𝗱𝗺𝗶𝗻𝗶𝘀𝘁𝗿𝗮𝘁𝗼𝗿 𝗥𝗼𝗹𝗲 M365 Copilot Organization, have you assigned your Copilot admin this role so that he or she is able to manage all aspects of Microsoft 365 Copilot. #Cybersecurity #GenerativeAI #CopilotAdmin

@HeyRadu

Sysinternals tools are powerful but vulnerable to DLL injection attacks. To help defenders secure their environment, I created a DefenderXDR custom detection to spot potential abuse.🫡

@w_b_lay I uses zscaler, it does the same any newly registered domains within 30 days are auto blocked. The block at Tenant level is more for MDO which I am using.