DevSecOpsDad

Welcome back to KQL Toolbox 👋 In KQL Toolbox #1, we learned how to measure Microsoft Sentinel ingest and translate it into real dollars. In KQL Toolbox #2, we identified which data sources were driving that cost. And in KQL Toolbox #3, we drilled all the way down to specific... [Read More]

Welcome back to KQL Toolbox 👋 Welcome back to the DevSecOpsDad KQL Toolbox series! In the last entry KQL Toolbox #2, we zoomed in on log source cost drivers—using _IsBillable and _BilledSize to identify which tables, severities, and Event IDs were burning the most money in Microsoft Sentinel. [Read More]

Welcome back to KQL Toolbox 👋 In the last KQL Toolbox, we zoomed out and looked at billable ingest trends over time—how many GiB per day you’re ingesting, and roughly how much that’s costing you in Microsoft Sentinel. This time, we’re zooming in. [Read More]

KQL Toolbox is officially live! As part of this new KQL Toolbox series, I bring you practical, reusable KQL snippets straight from the trenches of real-world Microsoft Sentinel work. Think of it as your regular “KQL vitamin:” small dose, big impact. And today we’re kicking things off with the one... [Read More]

Introduction & Use Case: Identifying Internet-Facing Devices Matter to Every Framework You Care About. Before we even dive into tooling, let’s anchor the importance of this work in the actual security and compliance frameworks that govern nearly every mature organization. Pretty much every major framework assumes you know which assets... [Read More]