Sabitlenmiş Tweet
John Lambert
6.5K posts
John Lambert
@JohnLaTwC
Corporate Vice President, Security Fellow, Microsoft Security Research, johnla(AT)https://t.co/3dGtq71Nby
Redmond WA Katılım Ekim 2010
810 Takip Edilen42.4K Takipçiler
John Lambert retweetledi
📋 Process events in a table:
timestamp, parent, child, host, user...
🔄🔄🔄🔄 scroll scroll scroll scroll
🕸️ Process events in a graph:
(cmd)-[SpawnedBy]->(ps)-[RanOn]->(host)
cluster('kc7001.eastus.kusto.windows.net') // if copy breaks, remove https:// or extra spaces
.database('AzureCrest').ProcessEvents
| take 100
| invoke Lift_To_Graph(Process_Mapping())
| invoke Graph_Render_View()
3 lines of KQL. No ETL. No Neo4j. Just graphs from your logs. ⚡
English
John Lambert retweetledi
This is a very cool feature. Graphs are a game changer when it comes to big data analysis.
John Lambert@JohnLaTwC
If you use #KQL to hunt for attacks, this post is for you. I want to tell you about a powerful new operator you can use to hunt: the lift operator.
English
Great tweet thread on styling and interacting with graphs using #KQL
Follow @dianadamenovaa for more
cc/ @cosh23
Diana Damenova@dianadamenovaa
With a few lines of kusto you get the following graph: let networkLogs = cluster('kc7001.eastus.kusto.windows.net').database('AzureCrest').InboundNetworkEvents ; networkLogs | invoke Lift_To_Graph(InboundNetworkEvents_Mapping()) | invoke Graph_Render_View()
English
Quotes 💬 that stuck with me recently:
· "Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep"
· "Being absolutely right and being spectacularly wrong feel exactly the same way"
· "Goals are for people that care about winning once. Systems are for people who care about winning repeatedly"
· "Each time a woman stands up for herself, without knowing if possible, without claiming it, she stands up for all women"
· "The best way to learn is to have a stake in the outcome"
· "Muddy water is best cleared by leaving it alone"
· "A man is about as big as the things that make him angry"
English
▶️ Graph Visualization requires Kusto Explorer available for download at learn.microsoft.com/en-us/kusto/to… directly at aka.ms/ke
🔗 Read @cylberslayer0’s LI post: linkedin.com/feed/update/ur…
📖 gist.github.com/ddamenova/4369…
English
💪 A collaboration with @cyberslayer0 and Saar Ron
🙏 All data courtesy of the awesome kc7cyber.com project which makes learning by example easy.
English
If you use #KQL to hunt for attacks, this post is for you.
I want to tell you about a powerful new operator you can use to hunt: the lift operator.
English
John Lambert retweetledi
Diana is coming from the @Microsoft CISO office with @JohnLaTwC ("attackers think in graphs, defenders in lists") where they are doing amazing things. Worth catching and meeting.
See folks there on Monday, online + in SF!
Graphistry@Graphistry
GraphThePlanet is excited to announce another featured speaker for 2026: DianaDamenova, Security Researcher at @Microsoft Talk Topic: Lifting Knowledge Graphs from Security Logs (Without ETL) Diana will show how to turn raw security logs into usable knowledge graphs without heavy ETL pipelines, enabling faster investigation workflows and more flexible analysis across large-scale data. Join executives, senior practitioners, researchers, and startup founders for discussions on AI, graph intelligence, and data-driven investigations. 🔴 Watch live on YouTube and LinkedIn during #RSAC2026 week Event Details: • Date: March 23, RSAC Week 2026 • Location: San Francisco, CA • Registration & More Info: graphtheplanet.com Happy graphing, — The Graphistry Team #GraphThePlanet #GTP2026 #RSAC2026 #KnowledgeGraphs #CyberSecurity #SecurityAnalytics #GraphIntelligence #DataEngineering #AIforSecurity
English
I was saddened at the passing of FX.
Felix meant a lot to me. I met him while he was at n.runs doing engagements to help secure Microsoft products.
He invited me to PH Neutral, the conference he founded and run by Phenoelit. @window Snyder introduced me to people. It was my first glimpse into the brilliant security research scene.
A couple years later we implemented ASLR in Windows. Where should we talk about it first? I said PH-Neutral. FX showed me kindness I will never forget as I presented our work (x.com/JohnLaTwC/stat…).
It is said that "when an elder dies, a library burns." However in FX's case, he left us with a gift. Many of us learned from him--about security, technology, community, and being human.
I will miss him terribly.
If you didn't know him, phrack profiled him here: #article" target="_blank" rel="nofollow noopener">phrack.org/issues/68/2#ar…
Daniel Cuthbert@dcuthbert
blog.recurity-labs.com/2026-03-02/Far… If you have any fond memories of FX, the lovely team at Recurity Labs would love to hear from you
English
John Lambert retweetledi
Fixing the Windows Syntax Boof-a-Rama
When I put together the core concepts of #PowerShell, I was committed to solving the boof-a-rama that is #Windows CLI syntax. Prior to PowerShell, any developer that got at least a ‘D’ in a course on parsing was allowed to inflict their damage on the user community. This incoherence caused a great deal of confusion as users struggled to navigate at least four distinct syntax groupings:
jsnover.com/blog/2026/02/0…
English