🚀 Exciting News and a Giveaway! 🚀 Announcing my new course: Advanced Hands-On KQL for Threat Hunting and Detection Engineering! 🎓✨ This course is designed to take you from zero to master, equipping you with cutting-edge skills to stay ahead in the cybersecurity game. Here’s what you can expect: 🔍 Advanced Time Series Anomaly Detection: Discover methods you’ve never seen before. 🔗 Attack Path & Execution Chain Detection with Process Mining: A novel approach to threat detection. 🌐 Attack Pattern Detection Using Graph Semantics: Start thinking in graphs and revolutionize your detection and investigation skills. And now, the exciting part! 🎁 I’m giving away 1 FREE seat in the course! To enter: 1️⃣ Follow @BluRavenSec 2️⃣ Like and repost this post 3️⃣ Comment why you want to join #KQL #Kusto #SIEM #MicrosoftSentinel #MicrosoftDefender #MicrosoftDefenderXDR #Defender #cybersecurity #KQLForSecurityAnalysts #ThreatHunting #DetectionEngineering #training #dfir #incidentresponse

@SecurityAura That's also why you get those IR cases 😁

Implementing a machine learning algorithm using #KQL 🤔

RT @svpino: Pandas is dying a slow, painful death. It's the world's most popular data library, but it's slow, and many libraries have sign…

RT @SecurePeacock: Today at WWHF @Wietze is dropping Invoke-ArgFuscator 👀

@DylanInfosec I just don't think there would be a use case where you would want to detect loading of an image multiple times. Maybe I'm wrong. 🤷‍♂️

@DylanInfosec I don't think it's necessary.

@godslittlemacro Yes, it's sufficient for blocking. GPO provides more flexibility.

@OliverRochford They don't even know basic data analysis, let alone data science.

@anton_chuvakin @SecurePeacock One of my favorite CTI talks/rants

RT @Wietze: #LOLBAS project update: Entries now have placeholders for paths, URLs, and more. This makes it easier to visually see what par…

@NathanMcNulty Is this the reason why we see empty device id in sign in events for a registered/joined device?

@NathanMcNulty Also, if I have a registered/joined device, does the device provide device identity for every single sign in to any app? If not, does CA ask the device to provide device identity which makes the devices sign in again with the device id?

@NathanMcNulty So, requiring a entra joined/registered or compliant device implicitly uses this filter for device then?

@NathanMcNulty What do you mean by filter for devices?

Detectable by Design? We keep failing on "shift left", "secure by design", and some other approaches to prevent malicious activities. How about "detectable by design" approach? It's certain that your product will fail on the prevention side. You could design your product in a way that makes it easy to detect malicious activities at least.