https://www.verboon.info/tags/kql/Recent content in KQL on Anything About ITHugoen-usSat, 06 Dec 2025 12:27:02 +0000https://www.verboon.info/2025/12/exploring-identityaccountinfo-building-a-kql-query-to-assess-identity-password-security-posture/Sat, 06 Dec 2025 12:27:02 +0000https://www.verboon.info/2025/12/exploring-identityaccountinfo-building-a-kql-query-to-assess-identity-password-security-posture/<p>Recently Microsoft Defender XDR introduced a new table called <a href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-identityaccountinfo-table">IdentityAccountInfo</a>, and this one immediately caught my attention. It brings several interesting attributes into Advanced Hunting, including <code>LastPasswordChangeTime</code> and even the sensitivity classification of an identity.</p> <p>Naturally, my first thought was: this is perfect material for some hunting logic, so let&rsquo;s build a KQL query out of it.</p> <p>Why am I excited about this? Because it finally allows us to query identity hygiene data straight from Defender. No external inventory dumps, no AD scripting, just KQL.</p>https://www.verboon.info/2025/07/shedding-light-on-dormant-sensitive-accounts/Tue, 08 Jul 2025 15:34:54 +0000https://www.verboon.info/2025/07/shedding-light-on-dormant-sensitive-accounts/<p>Dormant sensitive accounts are a high-risk identity exposure. In Microsoft Defender XDR, the recommendation <strong>Remove dormant accounts from sensitive groups</strong> helps surface these accounts, including whether they are inactive, disabled, or have expired credentials.</p> <p> <img src="images/shedding-light-on-dormant-sensitive-accounts-01.png" alt=""> </p> <p>You can export the detected entities, but the export often contains limited context. In many cases, you only get entity names or SID values, which makes remediation harder when you need ownership and organizational details.</p> <p> <img src="images/shedding-light-on-dormant-sensitive-accounts-02.png" alt=""> </p> <p>A practical approach is to use the SID values to enrich the result set with identity attributes from <code>IdentityInfo</code>. You can quickly build a SID variable list using KustoVars, then query Defender XDR for additional context.</p>https://www.verboon.info/2022/11/users-can-create-azuread-tenants/Tue, 22 Nov 2022 22:13:09 +0000https://www.verboon.info/2022/11/users-can-create-azuread-tenants/<p>Hello there,</p> <p>In this blog post we look at a setting within the Azure AD portal: &ldquo;Users can create Azure AD tenants&rdquo;. Unfortunately, this setting is enabled by default. Most organizations will probably want to turn this off. You can find it in the Azure AD portal under Settings &gt; Users &gt; User settings &gt; Tenant creation.</p> <p> <img src="images/112222_2202_Userscancre1.png" alt=""> </p> <p><code>Yes</code> allows default users to create Azure AD tenants. <code>No</code> allows only users with the Global Administrator or Tenant Creator roles to create Azure AD tenants. Anyone who creates a tenant becomes the Global Administrator for that tenant.</p>https://www.verboon.info/2020/07/generating-advanced-hunting-queries-with-powershell/Fri, 10 Jul 2020 23:21:46 +0000https://www.verboon.info/2020/07/generating-advanced-hunting-queries-with-powershell/<p>I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below</p> <pre tabindex="0"><code class="language-kql" data-lang="kql">// Find all machines running a given Powersehll cmdlet. let powershellCommandName = &#34;Invoke-RickAscii&#34;; DeviceEvents | where ActionType == &#34;PowerShellCommand&#34; | where AdditionalFields contains powershellCommandName </code></pre><p>But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below function can do the following:</p>