Sergio Albea – Medium

Sergio Albea

Pinned

Published in

Threat Hunting via Autonomous System Numbers (ASN)

Nowadays, blocking specific IPs or domains after they start malicious activities, is becoming less effective due the ease of accessing…

Feb 23

Threat Hunting via Autonomous System Numbers (ASN)

Feb 23

Published in

Threat Hunting over internal Devices via KQL Queries

This time, I want to dive into one of the phases of an intrusion: when attackers quietly pivot across internal systems that many still…

Oct 30

Threat Hunting over internal Devices via KQL Queries

Oct 30

Published in

Detecting Tampering of Windows Security Audit Policy

Recently, I finished reading a book I strongly recommend to anyone working in Threat Hunting, BTFM (Blue Team Field Manual).

Oct 24

Detecting Tampering of Windows Security Audit Policy

Oct 24

Published in

Identifying File Exfiltration via RDP Sessions with KQL Queries (Dia de los Muertos Special)

By a twist of fate, about 10 years ago, Mexico became a very big part of my life — and I could even say, my second family (or perhaps my…

Oct 14

Identifying File Exfiltration via RDP Sessions with KQL Queries (Dia de los Muertos Special)

Oct 14

Published in

Use KQL to Surface Non-Recommended TLS Parameters (IANA-based)

Time ago, I developed a group of KQL queries to flag network negotiations tagged as non-recommended TLS curves and cipher suites based on…

Sep 22

Use KQL to Surface Non-Recommended TLS Parameters (IANA-based)

Sep 22

Published in

Threat Hunting sessions via AuthenticationProcessingDetails on AADSignInEventsBeta

When digging into sign-in activity in Microsoft Entra ID, one of the available table is AADSignInEventsBeta. Buried inside it, the field…

Sep 16

Threat Hunting sessions via AuthenticationProcessingDetails on AADSignInEventsBeta

Sep 16

Published in

The importance of match ratio using Threat Inteligence Feeds (combined with KQL Collectors)

Nowadays, we can find hundreds of Threat Intelligence feeds available across the internet. Most of them focus on the typical indicators…

Sep 8

The importance of match ratio using Threat Inteligence Feeds (combined with KQL Collectors)

Sep 8

Published in

Monitor Event Logs & Trigger DefenderXDR Alerts Without Ingesting Data

One of the biggest challenges when working with solutions like Microsoft Sentinel/DefenderXDR is deciding which data is worth collecting —…

Aug 26

Monitor Event Logs & Trigger DefenderXDR Alerts Without Ingesting Data

Aug 26

Published in

Protecting the Evidence in Real-Time with KQL Queries

A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and…

Jul 24

Protecting the Evidence in Real-Time with KQL Queries

Jul 24

Published in

Identifying Ransomware Final Stage activities with KQL Queries

When ransomware strikes, it doesn’t just encrypt files — it often wraps up with a series of stealthy moves meant to lock you out, cover…

Jul 2

Identifying Ransomware Final Stage activities with KQL Queries

Jul 2

Sergio Albea

Sergio Albea

From 🇪🇸 Barcelona to Switzerland 🇨🇭, Microsoft MVP working on SWITCH (Swiss NREN), as threat analyst and response. linkedin.com/in/sergioalbea/

Following

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech