@ddamenova
ddamenova / IRQL_AAD_Graph.md
Created May 18, 2026 17:43
New IRQL functions in the relational and graph world.

IRQL for AADGraphActivityLogs

New IRQL functions covering the AADGraphActivityLogs table, which Microsoft began populating broadly in 2026. They expose the legacy Azure AD Graph API (graph.windows.net) telemetry through the same primitive shapes the rest of IRQL uses (Get_*, Extract_*, graph-lifted Extract_Node_* variants) and add an external enrichment against OAuthSentry that classifies OAuth Application IDs. These functions were created in collaboration with Saar Ron, John Lambert, and Diana Damenova.

Security Background

Entra ID has shipped two parallel Graph APIs for most of the last decade. Azure AD Graph (graph.windows.net) launched in 2013 and is what the AzureAD PowerShell module, the older MSOnline cmdlets, and a long tail of in-house tooling actually talk to. Microsoft announced its retirement in 2019, with the deprecation timeline e

IRQL - Incident Response Query Language

A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect. IRQL encapsulates query logic in repeatable chunks, hides cluster/database locations and join keys, and projects disparate source schemas into a single, predictable schema. Function names also express the semantic intent of the query logic they wrap. These functions were created by Saar Ron, John Lambert, and Diana Damenova.

These functions were authored alongside the Lift to Graph functions (Lift_To_Graph, Graph_Render_View, Graph_Fold_By_Property) and are designed to compose with them. Many of the IRQL primitives have a tabular form and a graph-lifted form, so the same logic drives both relational hunts and visual graph investigations.

Why IRQL?

KQL is a phenomenal tool for analyzing large quantities of data, but queries can get verbose quickly:

Kusto Graph Functions for Cybersecurity Investigations

A set of Kusto (KQL) functions that transform tabular query results into graph structures (nodes and edges) for visual exploration in Kusto Explorer. They are designed for lifting cybersecurity activity logs into graphs to aid threat hunting and incident investigations. This set of functions was created by Saar Ron, John Lambert, and Diana Damenova.

Why Graphs?

Security logs are inherently relational: IPs connect to domains, users authenticate to devices, processes spawn other processes. Tabular views flatten these relationships, making it harder to spot patterns. These functions let you take any Kusto query result and, with a simple JSON mapping, project it into a graph you can explore visually with make-graph in the Kusto Explorer desktop app.
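The query below is an added example and is not code from any of these gists. It shows, in plain KQL, the two ideas the IRQL and graph gists describe: source-specific wrapper functions that project different schemas into one predictable edge schema, and lifting that edge table into a graph with the built-in make-graph and graph-match operators. The Get_* function names, the edge schema, and every sample row are constructed for illustration; they are not the IRQL functions, their schema, or real telemetry.

```kusto
// Added example, not the gists' code. Get_* names and the edge schema are hypothetical
// stand-ins for the IRQL pattern; all rows are constructed sample data.
let SigninSample = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, AppDisplayName:string)
[
    datetime(2026-05-18 09:00:00), "alice@contoso.com", "203.0.113.10", "Azure Portal",
    datetime(2026-05-18 09:05:00), "bob@contoso.com",   "198.51.100.7", "Exchange Online",
    datetime(2026-05-18 09:20:00), "alice@contoso.com", "203.0.113.10", "Exchange Online"
];
let DeviceLogonSample = datatable(Timestamp:datetime, AccountUpn:string, DeviceName:string, LogonType:string)
[
    datetime(2026-05-18 09:30:00), "alice@contoso.com", "WS-ALICE-01", "Interactive",
    datetime(2026-05-18 09:45:00), "alice@contoso.com", "SRV-FILE-02", "RemoteInteractive",
    datetime(2026-05-18 10:00:00), "bob@contoso.com",   "WS-BOB-01",   "Interactive"
];
// Get_*-style wrappers: each source is projected into one edge schema
// (Timestamp, Source, SourceKind, Target, TargetKind, Action, Detail), so nothing
// downstream needs to know the original column names or join keys.
let Get_SigninEdges = () {
    SigninSample
    | project Timestamp = TimeGenerated, Source = IPAddress, SourceKind = "ip",
              Target = UserPrincipalName, TargetKind = "user", Action = "SigninFrom", Detail = AppDisplayName
    | union (SigninSample
             | project Timestamp = TimeGenerated, Source = UserPrincipalName, SourceKind = "user",
                       Target = AppDisplayName, TargetKind = "app", Action = "AccessedApp", Detail = "")
};
let Get_DeviceLogonEdges = () {
    DeviceLogonSample
    | project Timestamp, Source = AccountUpn, SourceKind = "user",
              Target = DeviceName, TargetKind = "device", Action = "LogonTo", Detail = LogonType
};
let Edges = union (Get_SigninEdges()), (Get_DeviceLogonEdges());
// Node table derived from the edges; Kind lets graph-match filter by node type.
let Nodes = Edges
    | project NodeId = Source, Kind = SourceKind
    | union (Edges | project NodeId = Target, Kind = TargetKind)
    | distinct NodeId, Kind;
// Lift to a graph, then ask a question that is awkward in tabular form:
// which devices are reachable from an external IP through a user who signed in from it?
Edges
| make-graph Source --> Target with Nodes on NodeId
| graph-match (ip)-[s]->(user)-[l]->(device)
    where ip.Kind == "ip" and s.Action == "SigninFrom" and l.Action == "LogonTo"
    project ExternalIP = ip.NodeId, User = user.NodeId, Device = device.NodeId, LogonType = l.Detail
| distinct ExternalIP, User, Device, LogonType
```

With the constructed rows, the match returns 203.0.113.10 reaching WS-ALICE-01 and SRV-FILE-02 through alice@contoso.com, and 198.51.100.7 reaching WS-BOB-01 through bob@contoso.com. To explore the same data visually, stop the query at the make-graph line: Kusto Explorer renders a make-graph result as nodes and edges, while graph-match turns the matched paths back into a table for hunting and joins.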

Functions