Cheatography

Tools Cheat Sheet (DRAFT) by

Tools needed for Sec

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Online Tools


KQL and Hunting Common Tables

Common Tables:
CommonSecurityLog (Firewall Logs)
AuditLog
SignInLogs
Security (Incident, Event, Alert)
Heartbeat (Firewall check)

KQL and Hunting Common Filters

where
summarize
contains / has / ==
distinct
project
search
take
count
! (prefix meaning DOES NOT; negates the operator that follows)
e.g. !contains, !has
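An added example, not part of the original cheat sheet, that combines the filters listed above into one hunting query: failed sign-ins in the last day grouped by source IP, flagging addresses that fail against many accounts. It assumes the Sentinel SigninLogs table and its standard columns (TimeGenerated, ResultType, IPAddress, UserPrincipalName, AppDisplayName); the excluded IP is a constructed placeholder for a known corporate egress address.

```kql
// Added example (not from the original sheet). Table is SigninLogs as named
// in Sentinel; the sheet lists it as SignInLogs.
// 203.0.113.5 is a constructed placeholder for a known egress IP to exclude.
SigninLogs
| where TimeGenerated > ago(1d)                  // where: restrict the time window
| where ResultType != "0"                        // "0" = success; keep only failures
| where IPAddress !has "203.0.113.5"             // ! negates: drop the known egress IP
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
| summarize Failures = count(),                  // summarize + count: failures per IP
            Accounts = dcount(UserPrincipalName) // distinct accounts attempted per IP
            by IPAddress
| where Failures > 20 and Accounts > 5           // many failures spread over many users
| order by Failures desc
| take 20                                        // take: cap the result set
```

Tune the thresholds to the environment's baseline; a single IP failing across many distinct accounts is the pattern to review, not any one failed sign-in.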

KQL & Hunting Example

CommonSecurityLog
| where Computer contains "172.168.1.1"
| where DestinationIP contains "192.168.2.1"
| where SourcePort !contains "22"

IdentityDirectoryEvents
| where AccountName contains "SVC_ACCOUNT"
| where ActionType contains "ADFS"
| extend AdditionalFields
| where AdditionalFields contains "4798f401-7de0-4d91-966b-96985695891e"

Identity Entities

User's Location
Browser
Device Info
User Agent
Conditional Access
Location
IP Address
Authentication
App

Defender Tools

Investigation & Response
Incidents & Alerts
Hunting
Email and Collaboration
Explorer
Review
Cloud Apps
Files
Activity log