Kusto Insights - April Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
RDP Default Listening Port Modification - This query looks for any change to the default RDP listening port (3389) on a Windows system, which could indicate malicious activity. It checks for modifications to the registry value that holds the RDP port number and returns the device name, the previous port number, and the process that made the change. This can help in detecting attackers who move RDP to a non-standard port to avoid detection.
By: Michalis Michalos [GitHub, Twitter]
let Timeframe = 1d; // Choose the best timeframe for your investigation
DeviceRegistryEvents
| where Timestamp > ago(Timeframe)
// The RDP-Tcp listener settings live under Terminal Server\WinStations
| where RegistryKey == @"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp"
| where RegistryValueName == @"PortNumber"
// Anything other than the default 3389 is worth a look
| where RegistryValueData != @"3389"
| where ActionType == @"RegistryValueSet"
| project Timestamp, DeviceName, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessFileName
Source: GitHub
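A broader variant of the detection above, added here as an illustration and not part of the original query: it matches the RDP-Tcp key under any control set (ControlSet001, CurrentControlSet, and so on), casts the port values to integers, and surfaces the new port alongside the previous one and the initiating account and command line. It assumes the Defender XDR advanced hunting DeviceRegistryEvents schema and that DWORD values appear in RegistryValueData as decimal strings, as the original query does.

```kql
// Added example (not from the original post): generalised RDP port-change hunt.
let Timeframe = 7d;          // assumption: a week is a sensible hunting window
let DefaultRdpPort = 3389;   // the port the listener is expected to use
DeviceRegistryEvents
| where Timestamp > ago(Timeframe)
| where ActionType == "RegistryValueSet"
| where RegistryValueName =~ "PortNumber"
// Match RDP-Tcp under any control set, not only ControlSet001
| where RegistryKey matches regex @"(?i)^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Control\\Terminal Server\\WinStations\\RDP-Tcp$"
// Cast both the new and the previous value so comparisons are numeric
| extend NewPort = toint(RegistryValueData), PreviousPort = toint(PreviousRegistryValueData)
| where isnotnull(NewPort) and NewPort != DefaultRdpPort
// Keep the context an analyst needs to triage: who changed it, with what, and from what
| project Timestamp, DeviceName, PreviousPort, NewPort,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Changes made by an approved configuration tool under a known admin account can be filtered out on InitiatingProcessFileName or InitiatingProcessAccountName once you have confirmed they are expected in your environment.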
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Enhancing Your Entity Timelines: Sentinel Activities in the Unified Microsoft Defender XDR Portal - With the recent release of the Microsoft unified security operations platform in the Defender portal, which is the integration of Microsoft Sentinel and Microsoft Defender XDR, there has been A LOT to take in, both mentally and technologically. All the new features and settings to take advantage of have been overwhelming in a really good way!
Sentinel Automation Part 1: Enriching Sentinel Incidents with KQL Results - Automating incident response queries is one of the quick wins you can implement in Microsoft Sentinel. This allows you to automate incident enrichment and further investigations. The first blog of the Sentinel Automation Series will explain how you can quickly implement this in your environment. This is done based on automation rules and Playbooks (Logic Apps).
Defender for Identity NNR and health monitoring - Defender for Identity is a very important sensor to detect threats in an Active Directory environment. Therefore, it is important to make sure the sensors are performing well, and no health issues are being reported. When a sensor is in an unhealthy state, detections can be missed, or False Positives can lead to alert fatigue on the SOC.
The way of the Cookie - For everyone in the room who is somewhat of an IT administrator to one or more Azure (including Office365) tenants, please raise your hand if you’ve been bestowed with the gift (or curse) of permanent administrative permissions. Cue nervous laughter. Sounds a bit risky, right? Imagine the chaos if that account ever fell into the wrong hands. But how could one ever fix this at all if you need those to do your job? Let me show you the way of the cookie, a vastly underutilized feature of Azure. So grab one and let’s crunch through this together.
Updates and Blog posts from Microsoft
Strategies to monitor and prevent vulnerable driver attacks - This post highlights how you can use Kusto Query Language (KQL) to spot and manage vulnerable drivers, a crucial aspect of cybersecurity. You'll see how KQL helps in threat hunting by sifting through device event logs and driver signatures to detect potential vulnerabilities. It's a fantastic resource for enhancing your proactive security strategies, empowering you to shield your systems from advanced cyber threats effectively.
Hunting in Azure subscriptions - This post explores how you can use Microsoft Azure to hunt threats within your Azure subscriptions effectively. It covers detailed strategies for using logs and Kusto Query Language (KQL) to detect and analyze suspicious activities, offering practical tips for setting up alerts and monitoring systems. It's a great read for enhancing your ability to proactively defend against cyber threats and secure your cloud environments.
How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training - This post walks you through the Level 400 training to become a Microsoft Copilot for Security Ninja. You'll explore a series of lessons, categorized from beginner to advanced, focusing on how to effectively monitor and respond to security threats. The training also provides plenty of support and resources to guide you every step of the way. It's a great opportunity to enhance your skills in managing security within Microsoft environments!
Latest Queries from the Community
Bert-Jan Pals - Twitter & GitHub
Alex Verboon - Twitter & GitHub
Jose Sebastián Canós - Twitter & GitHub
Michalis Michalos - Twitter & GitHub
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub