<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>KQL Kata on Matt Swann — Detection Engineering &amp; Threat Intel</title><link>http://mattswann.dev/series/kql-kata/</link><description>Recent content in KQL Kata on Matt Swann — Detection Engineering &amp; Threat Intel</description><image><title>Matt Swann — Detection Engineering &amp; Threat Intel</title><url>http://mattswann.dev/og-image.png</url><link>http://mattswann.dev/og-image.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Mon, 05 Jan 2026 09:18:38 -0700</lastBuildDate><atom:link href="http://mattswann.dev/series/kql-kata/index.xml" rel="self" type="application/rss+xml"/><item><title>5 KQL Queries to Slash Your Containment Time in Microsoft Sentinel</title><link>http://mattswann.dev/posts/5-kql-queries-containment/</link><pubDate>Mon, 05 Jan 2026 09:18:38 -0700</pubDate><guid>http://mattswann.dev/posts/5-kql-queries-containment/</guid><description>In an active breach, speed is everything. These five KQL queries — covering file drops, identity compromise, lateral movement, C2 beaconing, and persistence — are designed for the first hour of incident response.</description></item></channel></rss>