WELCOME TO CRONINITY

Working with Time in KQL Handling time effectively in Kusto Query Language (KQL) is essential for accurate analysis, efficient data management, and optimized query performance, especially when working in environments like Microsoft Sentinel or Microsoft Defender. Time Filtering Options Most logging platforms, including Microsoft Sentinel, provide a GUI-based datetime picker to filter logs within a specific timeframe. However, you can override the GUI time filter by specifying

Understanding KQL in the Microsoft Data Ecosystem In Microsoft's data ecosystem, KQL stands for Kusto Query Language. The name "Kusto" is a playful nod to Jacques Cousteau, the renowned deep-sea explorer. Just as Cousteau explored the depths of the oceans, KQL enables users to explore the depths of their data with power and precision. It’s worth noting that KQL is sometimes confused with another similarly named language: Kibana Query Language, used for querying data in Elasti

Digital Investigations: Sentinel Log Export and Chain of Custody Overview Digital investigations increasingly rely on centralized log platforms such as Microsoft Sentinel to support forensic analysis. With this shift comes the requirement to maintain strict chain of custody for all exported data to ensure integrity, traceability, and admissibility. There are two primary approaches for exporting Sentinel data in support of investigations: Query-Based Export Manual Automated Di

Detection Testing & Validation Detection Measurement Concepts Understanding how to evaluate a detection's performance is essential for tuning rules, prioritizing engineering efforts, and managing SOC efficiency. Key measurement concepts include: 1. Precision (a.k.a. True Positive Rate / Confidence): This measures how many of the triggered alerts are actually true positives. Formula: True Positives / (True Positives + False Positives) High precision means minimal false positi

Identifying and Tracking Detections An essential part of improving your detection capabilities is establishing a structured approach to inventory and track your detection rules. The first step is determining where and how detections will be tracked. However, several key considerations must be taken into account: Visibility into Detections – Many cybersecurity tools operate proprietary detection engines, which are not publicly exposed. Tracking every individual rule within too

Application log collection to Sentinel SIEM in a Microsoft defender environment Microsoft Defender for Endpoint (MDE) is a highly capable EDR platform that, when deployed to workstations and servers, collects extensive telemetry including process creation, network connections, file activity, registry changes, authentication events, and security logs. Out of the box, it provides deep endpoint visibility, functionally similar to an enhanced, enterprise-grade Sysmon. In many cas

Threat Hunting Frameworks Threat hunting is a proactive cybersecurity discipline that requires structure, strategy, and context. Two of the most popular threat hunting frameworks are PEAK and TaHiTI, with the MITRE ATT&CK framework playing a foundational role across all threat hunting efforts. PEAK stands for Prepare, Execute, and Act with Knowledge . TaHiTI stands for Targeted Hunting Integrating Threat Intelligence . MITRE ATT&CK, while not a hunting framework per se, is a

Threat Hunting & Cyber Threat Intelligence (CTI) - Standard Operating Procedure (SOP) 1. Purpose This Standard Operating Procedure (SOP) defines the processes for integrating Cyber Threat Intelligence (CTI) into Threat Hunting missions. The objective is to ensure threat hunting activities are informed by relevant intelligence, structured investigative methodologies, and standardized intelligence collection and analysis practices. Effective integration of CTI into threat hunti

Enhanced Monitoring Overview In environments using Microsoft Defender XDR and Microsoft Sentinel, there are situations where enhanced monitoring is required beyond normal security operations. This article outlines several enhanced monitoring approaches and explains the nuances associated with each. The starting point is understanding the steady-state security monitoring model in an environment where Defender XDR and Sentinel are integrated. In this architecture, detections ar

What is yara? YARA is an open-source, cross-platform tool used by malware researchers and security analysts to identify, classify, and detect malware samples based on textual or binary patterns. Often described as a "Swiss Army knife" for threat hunting, YARA operates by matching specific rules, sets of strings and Boolean conditions, against files or running processes, enabling the identification of malware families. Yara is maintained by VirusTotal. Ways yara can be implem