Writeups
Reference material — KQL queries, framework notes, CTF writeups, and anything else that's more lookup table than narrative. The blog is for posts; this is for queries and tables you come back to.
KQL queries
KQL Beginners Guide
Hands-on walkthrough of KQL fundamentals — operators, scalar functions, aggregations, and the small daily patterns an analyst actually uses against Sentinel data. Originally drafted as onboarding material; left here as a public reference.
Hunting cookbook (coming)
A growing index of named hunts — what each is looking for, the underlying KQL, and notes on tuning false positives. Ranging across DeviceLogonEvents, DeviceProcessEvents, SigninLogs, and friends.
Framework notes
NIST 800-53 — control mapping cheatsheet (coming)
Quick-lookup table for mapping NIST 800-53 controls to detection sources, audit evidence types, and the GIAC body-of-knowledge areas they intersect with.
MITRE ATT&CK — tactic-to-data-source crosswalk (coming)
Which ATT&CK tactics show up in which Microsoft Sentinel / Defender tables, with sample queries. Companion to the MitreAttackExplorer module.
CTF / competition writeups
NCL Fall 2025 — selected challenges (coming)
Walkthroughs of a handful of challenges from the Fall 2025 Individual Game, focused on the ones where the path to the flag had a transferable lesson — not just the ones I solved fastest.
Want to contribute a query or correction? The site is on GitHub — open an issue or PR.