Kusto Insights - September Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
Hunt shared devices where role-holding accounts browse in private mode
By: Sergio Albea [GitHub, LinkedIn]
DeviceProcessEvents
| where isnotempty(AccountUpn) and FileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
// Flag private-browsing launches: Chrome --incognito, Edge --inprivate, Firefox -private / -private-window
| extend Navigation_Mode = iif(ProcessCommandLine has_any ("--incognito", "--inprivate", "-private", "-private-window"), "🚨Private", "Normal")
// IdentityInfo supplies the directory roles of each UPN; an inner join drops accounts that have no identity record
| join kind=inner (IdentityInfo) on $left.AccountUpn == $right.AccountUpn
| summarize Navigation_Mode = make_set(Navigation_Mode), make_set(AccountUpn), Distinct_Upn = dcount(AccountUpn), AssignedRoles = make_set(AssignedRoles), Potential_Case = dcount(Navigation_Mode) by DeviceName
// Keep devices where more than one account signed in, both modes were seen, and at least one account holds a role
| where Potential_Case > 1 and Distinct_Upn > 1 and (tostring(AssignedRoles) != "[]")
//| where tostring(AssignedRoles) contains "admin"
Source: GitHub
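Before pointing a hunting query like this at a tenant, it is worth confirming that the three conditions in the final `where` fire only on the pattern you intend. The block below is an added example, not part of Sergio's query, that replaces the `DeviceProcessEvents` and `IdentityInfo` tables with constructed `datatable` inputs (device names, UPNs, paths and roles are all made up) and runs the same logic over them. The first device is built to meet all three conditions (two accounts, one private and one normal session, one account holding a role); the second has a single user and so should not appear.

```kql
// Constructed stand-in for DeviceProcessEvents (browser launches only)
let SampleProcessEvents = datatable(DeviceName:string, AccountUpn:string, FileName:string, ProcessCommandLine:string)
[
    "WS-FIN-01", "alice@contoso.com", "msedge.exe",  @'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --inprivate',
    "WS-FIN-01", "bob@contoso.com",   "chrome.exe",  @'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet',
    "WS-HR-02",  "carol@contoso.com", "firefox.exe", @'"C:\Program Files\Mozilla Firefox\firefox.exe" -private-window',
];
// Constructed stand-in for IdentityInfo; only alice holds a directory role
let SampleIdentity = datatable(AccountUpn:string, AssignedRoles:dynamic)
[
    "alice@contoso.com", dynamic(["Global Administrator"]),
    "bob@contoso.com",   dynamic([]),
    "carol@contoso.com", dynamic([]),
];
SampleProcessEvents
| where isnotempty(AccountUpn) and FileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
// Same private-browsing flags as the original query
| extend Navigation_Mode = iif(ProcessCommandLine has_any ("--incognito", "--inprivate", "-private", "-private-window"), "Private", "Normal")
| join kind=inner (SampleIdentity) on AccountUpn
// make_set over a dynamic array flattens its elements, so the empty arrays contribute nothing
| summarize Navigation_Mode = make_set(Navigation_Mode), Users = make_set(AccountUpn), Distinct_Upn = dcount(AccountUpn),
            AssignedRoles = make_set(AssignedRoles), Potential_Case = dcount(Navigation_Mode) by DeviceName
| where Potential_Case > 1 and Distinct_Upn > 1 and tostring(AssignedRoles) != "[]"
```

Swap the two `let` tables for the real `DeviceProcessEvents` and `IdentityInfo` once the sample behaves as expected. One caveat for production use: `IdentityInfo` can hold more than one row per UPN, so an inner join multiplies process rows; the `dcount` aggregations above are unaffected by that, but any `count()` you add would be inflated unless you deduplicate the identity side first.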
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Keeping privacy when running queries: how to obfuscate your KQL results - While KQL empowers Log Analytics and Advanced Hunting users to extract critical insights from relevant data sets, they are often met with requirements dictating how results may be shared. It is not always about detections and hunting, where KQL queries are operationalized within the cybersecurity team. Query results often contain sensitive data, raising privacy and compliance concerns under regulations like GDPR, and there are cases where live results have to be shown on a call or shared only in part. This blog walks through obfuscation techniques, such as hashing identifying columns, for the cases where the results must be shared but the raw values must not.
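The following is an added example of the hashing approach the post describes; it is not code from the post itself. The point a practitioner wants to see is the salt: `hash_sha256(AccountUpn)` on its own is reversible by anyone who can hash the tenant's user list, so a per-export secret is prepended. The input rows, the salt value and the 12-character truncation are all constructed for illustration.

```kql
// Constructed sample: the kind of rows an Advanced Hunting query returns before sharing
let Results = datatable(Timestamp:datetime, AccountUpn:string, DeviceName:string, ActionType:string)
[
    datetime(2025-09-01 08:00:00), "alice@contoso.com", "WS-FIN-01", "LogonSuccess",
    datetime(2025-09-01 08:05:00), "bob@contoso.com",   "WS-FIN-01", "LogonFailed",
    datetime(2025-09-01 09:10:00), "alice@contoso.com", "WS-HR-02",  "LogonSuccess",
];
// Per-export secret (assumed value). Without it, the hash of a UPN is a dictionary lookup away.
let Salt = "rotate-me-per-export";
Results
// Salted SHA-256 keeps identical inputs mapping to identical tokens, so joins and counts
// within one export still work, while the raw UPN and host name never leave the query.
| extend AccountUpn = hash_sha256(strcat(Salt, AccountUpn)),
         DeviceName = hash_sha256(strcat(Salt, DeviceName))
// Shorten the tokens for readability; 12 hex characters are enough to stay unique in a shared table
| extend AccountUpn = substring(AccountUpn, 0, 12),
         DeviceName = substring(DeviceName, 0, 12)
// Coarsen timestamps so activity patterns cannot be matched back to a person by minute
| extend Timestamp = bin(Timestamp, 1h)
| project Timestamp, AccountUpn, DeviceName, ActionType
```

Share the result set, not the query text: the salt sits in the query, and whoever has both can rebuild the mapping. Use a fresh salt for each export so tokens from different shares cannot be correlated.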
Using Advanced KQL to Audit Attack Surface Reduction Rules - Attack Surface Reduction (ASR) rules are a great way to harden an environment. They block well-known attack vectors that malware tends to use. Organizations with attack surface reduction rules enabled in a block mode are better protected against attacks such as ransomware.
Moving ASR rules from audit mode into a block can be overwhelming, as an audit can produce a lot of data. Making sense of this data is tricky and requires drilling through to find out what is important and how to use the data to create exclusions.
Within this article, I will walk through the different ways of verifying the audit results, different types of exclusions, and providing an advanced KQL that surfaces detailed information.
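As an added example, separate from the article's own queries, the block below shows the first cut a practitioner would run on ASR audit data in Defender XDR: derive the rule and the mode from `ActionType` (Defender names these events `<Rule>Audited` and `<Rule>Blocked`), then count per rule and per initiating process path, because ASR exclusions are expressed as paths. The `ActionType` values are the real names Defender emits; the hosts, paths, timestamps and the `datatable` stand-in for `DeviceEvents` are constructed.

```kql
// Constructed stand-in for DeviceEvents, restricted to the columns ASR triage needs
let AsrEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string,
                          FolderPath:string, FileName:string,
                          InitiatingProcessFolderPath:string, InitiatingProcessFileName:string)
[
    datetime(2025-09-02 09:00), "WS-FIN-01", "AsrLsassCredentialTheftAudited",  @"C:\Windows\System32", "lsass.exe", @"C:\Program Files\Vendor", "agent.exe",
    datetime(2025-09-02 09:07), "WS-FIN-02", "AsrLsassCredentialTheftAudited",  @"C:\Windows\System32", "lsass.exe", @"C:\Program Files\Vendor", "agent.exe",
    datetime(2025-09-02 09:30), "WS-HR-02",  "AsrLsassCredentialTheftAudited",  @"C:\Windows\System32", "lsass.exe", @"C:\Users\carol\AppData\Local\Temp", "mimi.exe",
    datetime(2025-09-02 10:00), "WS-FIN-01", "AsrOfficeChildProcessAudited",    @"C:\Windows\System32", "cmd.exe",   @"C:\Program Files\Microsoft Office\root\Office16", "EXCEL.EXE",
    datetime(2025-09-02 11:00), "WS-FIN-03", "AsrPsexecWmiChildProcessBlocked", @"C:\Windows\System32", "cmd.exe",   @"C:\Windows\System32\wbem", "WmiPrvSE.exe",
];
AsrEvents
| where ActionType startswith "Asr"
// Mode is the suffix of the ActionType; the rule name is what remains once the suffix is trimmed
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
| extend Rule = trim_end("(Audited|Blocked)$", ActionType)
| extend Initiator = strcat(InitiatingProcessFolderPath, @"\", InitiatingProcessFileName),
         Target    = strcat(FolderPath, @"\", FileName)
// One row per rule + initiating binary: this is the unit an exclusion would be written for
| summarize Hits = count(), Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by Rule, Mode, Initiator, Target
| order by Mode asc, Hits desc
```

Read the output by rows: a Program Files binary touching lsass across many devices is a candidate for a vetted exclusion (after checking its signature), while the same rule fired from a user's Temp folder on one device is an investigation, not an exclusion. Swap the `let` table for `DeviceEvents` with a `Timestamp > ago(30d)` filter to run it on real data.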
Updates and Blog posts from Microsoft
Proactive Security with Continuous Threat Exposure Management (CTEM) - KQL is powering real-time security visibility. You can now query exposure data using KQL to uncover risky assets, weak configurations, and potential attack paths straight from the exposure graph. It’s a great example of KQL moving beyond logs into proactive security analytics. If you’re already using Kusto, this is your chance to apply those skills to threat validation and exposure reduction at scale.
Microsoft Sentinel data lake is now generally available - Microsoft Sentinel Data Lake is now generally available, bringing unified long-term storage for all your security data. You can now run multi-workspace KQL queries, schedule KQL jobs, and use Notebooks with IntelliSense directly over that data. This makes large-scale threat hunting and historical investigations much smoother. If you’ve ever felt limited by retention caps or fragmented workspaces, this update finally lets your KQL run across everything in one place.
Announcing Microsoft Sentinel Model Context Protocol (MCP) server – Public Preview - Microsoft just launched the Sentinel MCP (Model Context Protocol) server in public preview, a managed service that lets AI agents access your Sentinel data lake and graph context using natural language. This means agents can run queries, explore relationships, and trigger actions without you writing every KQL line yourself. For Kusto users, it’s a big step toward making security data “agent-ready” and easier to automate. It opens the door to smarter, more conversational ways to query and analyze your telemetry.
Latest Queries from the Community
Check out some of the latest queries added to KQLSearch.com:
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub