WELCOME TO CRONINITY

KQL Numeric and Comparison Operators KQL provides a standard set of arithmetic and comparison operators used for calculations and filtering: Arithmetic Operators (return numeric values) + Addition - Subtraction * Multiplication / Division % Modulo (remainder) These are commonly used for: Rate calculations (e.g., bytes/sec) Data normalization Threshold comparisons Comparison & Membership Operators (return boolean values) > Greater than < Less than >= Greater tha

Project Project lets you change values on output. Other options with project are 'project-away', 'project-keep', 'project-rename' (allows you to map an original field to its normalized name. this operator ensures that the field is still managed as a physical field and that handling the field is more performant)., 'project-reorder'. | project FreeGB=CounterValue / 1024 Other project ideas: | project <NewColumnName1> = <ExistingColumnName1>, <NewColumnName2> = <ExistingColumn

Diving into Scalars & String Predicates in KQL Now that we’ve covered how to view table schemas, perform basic searches, and filter logs by time, it’s time to go deeper into scalar operations and string matching in Kusto Query Language (KQL), key building blocks for powerful filtering. Types of KQL Statements Tabular Expressions – Return result sets (e.g., rows/columns from tables). Scalar Expressions – Return single values used in filters, projections, calculations. What Are

Threat Hunting SOP: Standardized Microsoft KQL Query Framework 1. Purpose This SOP establishes a standardized framework for developing, documenting, and maintaining Microsoft KQL queries used for Threat Hunting and Detection Engineering. The objective is to ensure consistency, repeatability, and operational effectiveness across all threat hunting activities. 2. Scope This standard applies to all: Threat Hunting queries Detection Engineering queries Microsoft Sentinel and Defe

Detection engineering is the strategic process of designing, developing, and continuously improving security detections to identify and respond to cyber threats effectively. It involves crafting high-fidelity detection rules, signatures, and behavioral analytics tailored to an organization's threat landscape. Key Components of Detection Engineering: Analyze threats and identify detection gaps – Leveraging threat intelligence to anticipate and detect emerging attack techniques

Detection Rollout Phase Detection rollout is a critical but often overlooked stage in the detection engineering lifecycle. Regardless of how well a detection is designed, tested, or documented, it provides no value unless it is properly deployed into the environment. In many organizations, detection rollouts are not standardized. This gap is commonly caused by overreliance on vendor-supplied detections (e.g., from SIEM platforms, EDR/XDR platforms), a lack of dedicated detect

DHS CISA SCuBA (Secure Cloud Business Applications) DHS CISA SCuBA (Secure Cloud Business Applications) is a security assessment framework and toolset developed by Cybersecurity and Infrastructure Security Agency to evaluate the security posture of cloud-based SaaS environments, primarily Microsoft 365 and similar platforms. At a technical level, SCuBA provides: Baseline security configuration checks aligned to federal guidance (e.g., logging, identity controls, sharing setti

Threat Hunt Mission Organization in SIEM/XDR Standard Operating Procedure (SOP) 1. Purpose This Standard Operating Procedure (SOP) defines the standards, steps, and required configurations for organizing and executing Threat Hunt missions within Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platforms. It establishes a consistent, repeatable methodology for structuring hunt workspaces, managing queries, capturing findings, and prod

Threat Hunt Mission Reporting SOP 1. Purpose This Standard Operating Procedure (SOP) defines the requirements, structure, and standards for producing Threat Hunt Mission Reports. A Threat Hunt Mission Report is the formal deliverable published upon the completion of every Threat Hunt mission. It provides stakeholders with a comprehensive record of the hunt objectives, methodology, findings, indicators of compromise, detection outputs, and recommendations for improving the or

Threat Hunt Mission Execution SOP 1. Purpose This Standard Operating Procedure (SOP) establishes the standardized process, roles, responsibilities, and operational expectations governing the execution phase of Cyber Threat Hunt missions. It is designed to ensure consistency, analytical rigor, and operational effectiveness across all threat hunting activities conducted by the Security Operations Center (SOC) Threat Hunt team. 2. Scope This SOP applies to all personnel particip

Threat Hunt Program Training - Standard Operating Procedure (SOP) 1. Purpose This Standard Operating Procedure (SOP) establishes the training framework for personnel assigned to the Threat Hunting program. The objective is to ensure that threat hunters develop the technical, analytical, and operational competencies required to proactively identify adversary activity within the organization’s environment. This SOP defines: Required threat hunting skill domains Training phases