Threat Hunting with Microsoft tools

Milad Aslaner, published in ThreatHunt
Jun 11, 2020

Azure Kusto Query Language (KQL) will become your new favourite query language if your organization uses any of the Microsoft security products such as Azure Log Analytics, Azure Sentinel, Microsoft Defender Advanced Threat Protection or Microsoft Threat Protection, because KQL is the language all of these products use to hunt through the available raw dataset.

As an example, in Azure Sentinel you could run the hunting query below to identify DNS lookups for commonly abused top level domains (TLDs).

Author: shainw
GitHub: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/DnsEvents/DNS_CommonlyAbusedTLDs.yaml
Tool: Azure Sentinel
let timeframe = 7d;
let abusedTLD = dynamic(["click", "club", "download", "xxx", "xyz"]);
DnsEvents
| where TimeGenerated >= ago(timeframe)
| where Name has "."
| extend tld = tostring(split(Name, ".")[-1])
| where tld in~ (abusedTLD)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), NameCount = count() by Name, ClientIP, tld
| order by NameCount desc
| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP

Another example, this time in Microsoft Threat Protection: if you wanted to identify emails that were sent from an address external to your company to more than 50 distinct mailboxes, all you would need is:

Author: MiladMSFT
GitHub: https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Initial%20access/identify-potential-missed-phishing-email-campaigns.md
Tool: Microsoft Threat Protection
EmailEvents
| where SenderFromDomain != "corporatedomain.com"
| summarize dcount(RecipientEmailAddress) by SenderFromAddress, NetworkMessageId, AttachmentCount, SendTime = Timestamp
| where dcount_RecipientEmailAddress > 50
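The two hunts above can be chained into a single Microsoft Threat Protection query: take the wide-reaching external messages from the second query and check whether the URLs they carry point at the abused TLDs from the first. This is an added example, not one of the published queries; it assumes the standard EmailEvents and EmailUrlInfo advanced hunting tables, and "corporatedomain.com" is a placeholder for your own domain.

```kql
let timeframe = 7d;
let corpDomain = "corporatedomain.com";   // placeholder: replace with your own sender domain
let abusedTLD = dynamic(["click", "club", "download", "xxx", "xyz"]);
// Step 1: external senders whose single message reached more than 50 distinct mailboxes
let wideExternalMail = EmailEvents
| where Timestamp >= ago(timeframe)
| where SenderFromDomain !~ corpDomain
| summarize RecipientCount = dcount(RecipientEmailAddress),
            SendTime = min(Timestamp),
            any(Subject)
    by NetworkMessageId, SenderFromAddress
| where RecipientCount > 50;
// Step 2: URLs inside those messages whose host ends in a commonly abused TLD
EmailUrlInfo
| where Timestamp >= ago(timeframe)
| join kind=inner wideExternalMail on NetworkMessageId
| extend UrlHost = tostring(parse_url(Url).Host)
| extend tld = tostring(split(UrlHost, ".")[-1])
| where tld in~ (abusedTLD)
| summarize UrlCount = count(), Urls = make_set(Url, 20)
    by NetworkMessageId, SenderFromAddress, RecipientCount, SendTime, any_Subject, tld
| order by RecipientCount desc
```

Each resulting row is one mass-mailed external message with at least one link on an abused TLD, which is a much shorter list to triage than either query produces on its own.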

In mid-2018 I wrote a blog post on how to get started with Advanced Hunting in Microsoft Defender Advanced Threat Protection. In it I described advanced hunting and KQL as:

“The easiest way I found to teach someone Advanced Hunting is by comparing this capability with an Excel spreadsheet that you can pivot and apply filters on. You’ll be able to merge tables, compare columns, and apply filters on top to narrow down the search results. Advanced Hunting uses simple query language but powerful query language that returns a rich set of data. Because of the richness of data, you will want to use filters wisely to reduce unnecessary noise into your analysis. The query language has plenty of useful operators, like the one that allows you to return up only a specific number of rows, which is useful to have for scenarios when you need a quick, performant, and focused set of results.”

You can read more by clicking here.

If you are interested in diving deeper into KQL, I would recommend starting with the following courses:

Blending cybersecurity expertise with product innovation. A global security strategist and writer.