Christopher Witter (@mr_cwitter)'s Twitter Profile
Christopher Witter

@mr_cwitter

PhD. Threat Hunting (School of Hard Knocks). Former Falcon Overwatch and DIB CSIRT. DFIR nerd, outdoor enthusiast, Maker. My thoughts are my own.

ID: 194687800

Joined: 24-09-2010 19:11:25

1.1K Tweets

710 Followers

779 Following

Marcus Bakker (@bakk3rm):

Published v0.3 of my KQL cheat sheet
- updated all queries to work again with data in the LA Demo portal (except one query due to a lack of needed example data)
- updated a few KQL function links
- textual improvements

Get your copy here: github.com/marcusbakker/K…

#KQL #Sentinel
SANS DFIR (@sansforensics):

ICYMI: Jaron Bradley joined @sechubb to discuss tips for finding persistence mechanisms and malicious processes in enterprise #macOS devices

Listen here 👉🏾 sans.org/u/1mOS
#BlueprintPodcast
Jaron Bradley (@jbradley89):

TrueTree has been updated with some major code cleanup, better readability, and a --timeline mode that will simply print processes in order of their creation time.
themittenmac.com/tools/
Christopher Witter (@mr_cwitter):

There are few jams I’ll have to wait for them to finish. If all you know of The Prodigy is their two mainstream hits you’re seriously missing out. open.spotify.com/track/2RcKI41i…

Sublime Security (@sublime_sec):

You can now use MQL to detect HTML Smuggling attacks delivered via email body links.

Detect+block+hunt for these techniques, recently observed to deliver Qakbot and other malware:
- URL->Encrypted zip->ISO
- URL->Zip->ISO->LNK
- URL->Zip->IMG->VBS
- and more

How it works:
Trevor Miller (@cyb3rdefender):

My team recently converted our entire detection library to #SIGMA and created a wiki around it!

We are an MSSP & platform agnostic, meaning we have a version of a rule for pretty much every SIEM & EDR platform there is, and...

🧵1/3

Img: Thomas Roccia 🤘
Christopher Witter (@mr_cwitter):

This is a great thread. As a hiring manager I measure time as an IR consultant or at a decent MSSP/MDR provider in dog years… it isn’t a one for one experience. You will see, analyze, and investigate so much more in your X years in those environments vs. one company.

Ryan Jordan (@bigskyry):

Trail Days Online is for those who can’t afford the time or travel to attend an in-person event to celebrate the beautiful magic of spending time outdoors pursuing their passion for wilderness. backpackinglight.com/bpl-trail-days…

Christopher Witter (@mr_cwitter):

I took a break from here after my beloved Tweetbot was killed. The user experience using the native client and the web is exponentially worse, but here I am <fingers crossed> it doesn't get worse.

Josh Liburdi (@jshlbrd):

what’s missing from this discussion is that different orgs have different requirements, and there are multiple levels of maturity for security visibility. 🧵

Sublime Security (@sublime_sec):

Defenders know their environments better than anyone, but they haven't been able to truly capitalize on that knowledge in email — until today. Sublime Platform is now generally available. Deploy in minutes using Docker, for free. sublime.security/blog/introduci…

Christopher Witter (@mr_cwitter):

I’ve been a defender most of my career and there are few tools that fundamentally changed the game for me (in chronological order): Netwitness Investigator, CrowdStrike, Splunk, Elastic Search. Last year I added Sublime to that list.

Christopher Witter (@mr_cwitter):

Last month Jack invited me on to the Detection at Scale podcast. I had a great time talking about my experiences building highly effective detection and response teams and operating at scale. open.spotify.com/episode/6fI401…

vx-underground (@vxunderground):

Our friends at SentinelOne were kind enough to hook us up and help us out. We have the opportunity to gift a talented researcher a valuable prize, whereas without them the best we could do is a $5 coupon to Arby's. Submit your unique and novel research to s1.ai/vx-s1

Christopher Witter (@mr_cwitter):

Last year Jaron did a private training for my whole team. If you’re currently consuming macOS telemetry and looking for ways to use it, like investigations or detection ideas, there’s nothing else like this course.