Henning Rauch

1.8K posts

@cosh23

Program Manager - Azure Data Explorer (Kusto)

Middle of nowhere · Joined November 2010
168 Following · 268 Followers
Henning Rauch retweeted
lmeyerov @lmeyerov ·
1/ So the main news: The Louie.ai team just declared the @Splunk Boss of the SOC investigation CTF is dead
This completes the journey we started last year with the first passing AI speed run - for folks into AI x investigations, worth a read
What I wanted to share here is what goes into pulling this off two years in a row:
Ultimately, it boils down to this: Good engineering is predictable, and good science is not. Our team does a lot of both (continued:)
sapir federovsky @sapirxfed ·
I just watched a very interesting talk by @cosh23 about kusto. He presented these anomaly detection functions which look very interesting to me🧐 I'm going to try to use them! learn.microsoft.com/en-us/kusto/fu…
Especially detect_anomalous_access_cf_fl()😎
Henning Rauch retweeted
lmeyerov @lmeyerov ·
It's official: Graph the Planet is on for 2026! For all our friends doing fun things with agents/graphs/ai, we got the preannounce up for the CFP
For folks who enjoyed the past years, we'll also be announcing details on a new addition to the GTP experience: Masterclasses!
- 1 day In-person masterclass on graphs
- 1 day on AI for Security: Agents, RAG, prompting => Vibe investigating, AI workflows, & agentic investigation automation
Henning Rauch retweeted
Graphistry @Graphistry ·
Fun counter-narrative on an AI result we’re sharing next week: You don’t need custom AI models to win investigation capture-the-flag competitions.
I’ll be walking through our experience at 39th Chaos Communication Congress next Tuesday on “Breaking (Splunk) BOTS: How We Cheated at Blue Team CTFs with AI Agent Speed Runs”, and we’re bringing the receipts on this one. I believe it should be freely streaming online, and if you’re in Hamburg/Berlin, please say hello. And yes, there will be Louie stickers!
Many folks were shocked earlier in the year when we announced the Louie v1 investigation agent hit 75%+ on the Splunk BOTS investigation CTF competition. What the headline misses is the second part: For that run, we intentionally did NOT do custom AI model fine-tuning, automated prompt learning, and other tricks that are often hard to deploy and fail to generalize to the diverse scenarios long-running agents must navigate. Instead, v1 was about how much hardcore context engineering we needed to stuff inside to make an AI that investigates competitively **out-of-the-box**. Yes we work on different kinds of learning and have cool releases ahead, but that’s v2 era: for now, this is how to make out-of-the-box agents that improve whenever OpenAI and friends spend $100M+ on a model jump.
The v1 result shows all you need to win, today, is access to widely available models like gpt-4o and a fairly generic investigation prompt of less than 200 lines of markdown instructions. The hard part was building an agent environment that automates investigation-oriented context engineering. This in turn largely comes down to where vibes investigating is similar vs different from today’s best-in-class vibes coding environment. Ex: What you can do out-of-the-box DIY via connecting something like Claude Code to a Splunk MCP, and the gap left to do high-scoring vibes investigations. And of course, how to do that without breaking your monthly token budget.
Holiday bonus: We’ll also be announcing something big, so even if you aren’t there, sign up for Louie’s EAP form and you’ll be getting a useful notification on what’s coming next. See everyone in Hamburg!
#CCC #chaoscongresscommunications #GenAI #cybersecurity #39thChaosCommunicationCongress #graphistry #louie
Henning Rauch retweeted
Graphistry @Graphistry ·
Announcing Our First Ever Podcast + Live Webinar
AI Investigation Power Hour — Episode 1: Kusto Graph Meets Agentic AI
We’re excited to launch our new series: AI Investigation Power Hour. Join hosts @lmeyerov (Founder of Graphistry) and Sindre Breda (Solutions Architect & ex-police officer) as they talk with Henning Rauch @cosh23, Principal Program Manager at Azure Data Explorer Kusto. They’ll dig into the intersection of Kusto, graphs, and agentic AI — and what this means for the next wave of AI-driven investigations.
🔴 Watch live on LinkedIn and Youtube
Click the link in the first comment to book a spot on your calendar.
📅 Live on December 3rd, 2025
⏰ 7 PM CET / 1 PM EST
@Cyb3rWard0g @JohnLaTwC
Henning Rauch retweeted
lmeyerov @lmeyerov ·
Something fun we're starting w @Graphistry / @LOUIE_AI: A lot is happening in how we investigate, so we are putting together a series sharing conversations & demos with folks doing interesting things around vibes investigating, agentic automation, intelligence graphs, GPUs, etc.
There's a lot to keep up with, and the first one w @cosh23 on the growing #Kusto #graph / AI ecosystem is a great way to kick the sessions off!
Henning Rauch retweeted
Graphistry @Graphistry ·
Big News: Microsoft published an official integration between Graphistry and Azure Data Explorer.
In partnership with Microsoft, Graphistry adds server-side GPU visual AI to KQL graph semantics, enabling fast, in-tenant, iterative graph visualization and intelligent automation. This brings team visual and automated investigations of connected data that are much faster, larger, and smarter than previously possible while keeping processing and governance inside their own Azure subscription.
learn.microsoft.com/en-us/kusto/qu…
A big thank you to @cosh23 and @JohnLaTwC for their support
#AzureDataExplorer #Kusto #Graphistry #DataVisualization #Graph #GPU #Eventhouse
Henning Rauch retweeted
Graphistry @Graphistry ·
As part of our mission to bring generative AI to data-intensive investigation & automation, we’re launching a new two-day online masterclass on AI agents & RAG for security teams. Enrollment is now open and limited.
Why now: Leaders are under pressure to cut down backlogs and response times without adding headcount. Analysts and engineers are still stuck copy-pasting into copilots. Everyone is evaluating generative AI for investigation and automation – but the rise of agentic AI resets both how and where to apply it. This masterclass, taught by award-winning security AI experts, moves you from copilots to durable RAG and production agents that investigate and act with oversight.
Why us: We’re the team behind the first agentic AI speed run of the @splunk Boss of the SOC investigation CTF, the U.S. Cyber Command AI alert challenge win, and helped run Black Hat’s most-attended AI security training.
What: Hands-on AI cyber range with @splunk, #kusto, and @databricks, instructor-led online masterclass with labs, AI cyber range, peer discussions, templates, vendor-neutral OSS paths – plus how the same workflows run in enterprise AI-native tools like Louie.ai.
What you’ll leave with
✔️Leaders: Forward-looking AI plan, high-ROI workflow picks, governance paths
✔️Engineers: Scalable patterns for tool-calling, RAG, and evals balancing speed, quality, and cost
✔️Analysts: Quickly build self-planning AI agents that investigate, triage, hunt, and automate
Details: Nov 6–7, 2025 • Online • 16 CPE • 45 Seats • Recordings/materials included
Next step
Full agenda + reserve your seat: louie.ai/events/ai-agen…
Visit @Cyb3rWard0g if you are interested in learning about cybersecurity and AI. For more on kusto ADX check out @cosh23 @JohnLaTwC
#AISOC #AIAgents #RAG #GraphRAG
Henning Rauch retweeted
lmeyerov @lmeyerov ·
We're launching something new to help investigation & automation teams🤠
When the @LOUIE_AI team went from announcing the first agentic AI speed-run of Splunk's annual Boss of the SOC investigation CTF at #RSAC → then helping 100+ hackers build their first AI agents at #BlackHatUSA with @Cyb3rWard0g, it was clear: How to do agentic AI well needs to reach more of the investigation & automation community.
So, I'm happy to share we're starting a 2-day online masterclass "From AI Copilot to Commander" (16 CPE credits)
Think big picture views on what works today and what's next, and going hands-on with an AI cyber range for RAG, evals, investigation agents, OSS tools, MCP, semantic layer, etc on your choice of @splunk, @databricks, #kusto @AzDataExplorer.
Link in comments, and stay tuned for a @LOUIE_AI announcement on the software side of this same community direction. Fall is heating up! 🔥
cc @vicfcs @dawnsongtweets @cosh23 @Cyb3rWard0g @JohnLaTwC @ram_ssk
Henning Rauch retweeted
lmeyerov @lmeyerov ·
Long time coming: Native @graphistry support just dropped for seeing all your #kusto @AzDataExplorer data as big interactive graphs! (And ping for early access to the genAI-native @louie_ai version!)

Graphistry @Graphistry
Exciting News: Graphistry + Azure Data Explorer Kusto Graph
Enterprise teams drown in tables—now they’ll swim in insights. Graphistry and Microsoft’s Kusto Graph are joining forces to deliver real‑time, GPU‑accelerated graph exploration at scale.
Here’s what this powerhouse duo delivers:
✔️ Scale to Billions: Leverage Kusto’s native graph engine for high‑volume telemetry, logs, and events without missing a beat.
✔️ GPU Speed Visuals: Instantly render millions of nodes & edges in interactive, point‑and‑click investigations.
✔️ Natural‑Language Queries: Ask Louie.ai complex graph questions in plain English and spin up multi‑step investigation automations.
✔️ Plug‑and‑Play Integration: Use familiar KQL, Python, JavaScript, MCP, or REST APIs—no massive pipeline rewrites.
From hunting threats and mapping fraud rings to investigating outages, security, fraud, SRE, and data science teams can now see relationships and patterns as clear as day.
📖 Read the full blog & grab the Jupyter notebook link in the first comment
#GraphAI #AzureDataExplorer #KustoGraph #GPUAnalytics #DataVisualization #GenAI #LouieAI #BigData #Cybersecurity #FraudDetection

Henning Rauch retweeted
Fabian Bader @fabian_bader ·
Wanna play around with #KQL and #Graph? Microsoft just released sample datasets to play around and look at this gorgeous visualization for the #Bloodhound schema they offer! Thanks @cosh23 🥰 learn.microsoft.com/en-us/kusto/qu…
Henning Rauch retweeted
John Lambert @JohnLaTwC ·
In KQL, if you have a base table with many columns, you may want a simplified view--just a subset of columns that are arranged in a certain order. At other times you need all the columns. Here is a nifty way to do this where you can get a preferred subset ("brief mode") or all the columns ("verbose mode") using the new project-by-names feature.
➡️learn.microsoft.com/en-us/kusto/qu…