Kusto Insights - April Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
Audit Logs Cross Tenant Settings Modified
By: Jose Sebastián Canós [GitHub, LinkedIn]
AuditLogs
| where Category in ("CrossTenantAccessSettings", "CrossTenantIdentitySyncSettings", "MultiTenantOrgTenant", "MultiTenantOrgIdentitySyncPolicyTemplate", "MultiTenantOrgPartnerConfigurationTemplate")
    or OperationName has_any ("cross-tenant", "MultiTenantOrg", "multi tenant org")
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| mv-expand TargetResource = iff(array_length(TargetResources) == 0, dynamic([""]), TargetResources)
| mv-apply modifiedProperty = TargetResource["modifiedProperties"] on (
    summarize NewValues = make_bag(
        bag_pack(tostring(modifiedProperty["displayName"]), trim(@'[\"\s]+', tostring(modifiedProperty["newValue"]))))
    )
| extend
    PartnerIdentifier = tostring(NewValues["PartnerIdentifier"]),
    PartnerPolicyType = tostring(NewValues["PartnerPolicyType"]),
    PartnerPolicyDetail = tostring(NewValues["PartnerPolicyDetail"]),
    PartnerPolicyDetailVersion = tostring(NewValues["PartnerPolicyDetailVersion"]),
    MultiTenantOrgAddedByTenantId = tostring(NewValues["MultiTenantOrgAddedByTenantId"])
| project
    TimeGenerated,
    LoggedByService,
    Category,
    AADOperationType,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    ResultDescription,
    PartnerIdentifier,
    PartnerPolicyType,
    PartnerPolicyDetail,
    PartnerPolicyDetailVersion,
    MultiTenantOrgAddedByTenantId,
    NewValues,
    AdditionalDetails,
    Identity,
    InitiatedBy,
    InitiatorId,
    TargetResources,
    CorrelationId
Source: GitHub
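The branch logic in the query above (app versus user initiator, the first-key lookup for the IP address, the placeholder row for an empty TargetResources array, and the quote/whitespace trim on each newValue) is easy to get wrong when adapting it. As an added example, not part of the newsletter or of the query author's code, here is the same normalisation written in Python and run over three constructed Entra ID audit records in the JSON shape the AuditLogs table exposes (InitiatedBy carrying a single populated actor key, TargetResources as a list of objects with modifiedProperties). It keeps only a subset of the projected columns, and approximates KQL's term-based has_any with case-insensitive substring matching; both are simplifications of this example, not of the query.

```python
"""Python re-implementation of the cross-tenant AuditLogs normalisation (added example)."""
import re

# Filter values copied from the KQL query.
CATEGORIES = {
    "CrossTenantAccessSettings", "CrossTenantIdentitySyncSettings", "MultiTenantOrgTenant",
    "MultiTenantOrgIdentitySyncPolicyTemplate", "MultiTenantOrgPartnerConfigurationTemplate",
}
# has_any is term-based in KQL; substring matching is an approximation used here.
OPERATION_KEYWORDS = ("cross-tenant", "multitenantorg", "multi tenant org")

# Equivalent of trim(@'[\"\s]+', ...): strip quotes and whitespace from both ends.
_TRIM = re.compile(r'^[\"\s]+|[\"\s]+$')


def matches_filter(record):
    """Mirror the where clause: matching Category OR matching OperationName."""
    if record.get("Category") in CATEGORIES:
        return True
    op = (record.get("OperationName") or "").lower()
    return any(k in op for k in OPERATION_KEYWORDS)


def initiator_fields(initiated_by):
    """Mirror the first extend: an app initiator wins, else fall back to the user.
    The IP comes from whichever actor key is present first (bag_keys(InitiatedBy)[0])."""
    app = initiated_by.get("app")
    user = initiated_by.get("user") or {}
    if app:  # isnotempty(InitiatedBy["app"])
        initiator, initiator_id = app.get("displayName") or "", app.get("servicePrincipalId") or ""
    else:
        initiator, initiator_id = user.get("userPrincipalName") or "", user.get("id") or ""
    first_key = next(iter(initiated_by), None)
    ip = (initiated_by.get(first_key) or {}).get("ipAddress") if first_key else None
    return initiator, initiator_id, str(ip or "")  # tostring(null) -> ""


def new_values(target_resources):
    """Mirror mv-expand + mv-apply + make_bag: one {displayName: trimmed newValue}
    bag per target resource; an empty array yields one placeholder row."""
    if not target_resources:
        target_resources = [{}]  # dynamic([""]) placeholder so the event still produces a row
    bags = []
    for resource in target_resources:
        props = resource.get("modifiedProperties") if isinstance(resource, dict) else None
        bag = {}
        for prop in props or []:
            raw = prop.get("newValue")
            bag[str(prop.get("displayName") or "")] = _TRIM.sub("", "" if raw is None else str(raw))
        bags.append(bag)
    return bags


def normalize(record):
    """Return the projected rows for one AuditLogs record, or [] if the filter drops it."""
    if not matches_filter(record):
        return []
    initiator, initiator_id, ip = initiator_fields(record.get("InitiatedBy") or {})
    rows = []
    for bag in new_values(record.get("TargetResources") or []):
        rows.append({
            "TimeGenerated": record.get("TimeGenerated"), "Category": record.get("Category"),
            "OperationName": record.get("OperationName"), "Result": record.get("Result"),
            "Initiator": initiator, "InitiatorId": initiator_id, "IPAddress": ip,
            "PartnerIdentifier": bag.get("PartnerIdentifier", ""),
            "PartnerPolicyType": bag.get("PartnerPolicyType", ""),
            "PartnerPolicyDetailVersion": bag.get("PartnerPolicyDetailVersion", ""),
            "MultiTenantOrgAddedByTenantId": bag.get("MultiTenantOrgAddedByTenantId", ""),
            "NewValues": bag, "CorrelationId": record.get("CorrelationId"),
        })
    return rows


def run(records):
    """Apply normalize() to a batch of records and flatten the result."""
    return [row for record in records for row in normalize(record)]


# Constructed sample records (all identifiers and addresses are made up).
SAMPLE_RECORDS = [
    {  # user changes a partner's inbound trust setting; matched by Category
        "TimeGenerated": "2024-04-02T09:15:00Z", "Category": "CrossTenantAccessSettings",
        "OperationName": "Update a partner cross-tenant access setting", "Result": "success",
        "CorrelationId": "00000000-0000-0000-0000-000000000001",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                 "id": "11111111-1111-1111-1111-111111111111",
                                 "ipAddress": "203.0.113.10"}},
        "TargetResources": [{"modifiedProperties": [
            {"displayName": "PartnerIdentifier", "newValue": "\"22222222-2222-2222-2222-222222222222\""},
            {"displayName": "PartnerPolicyType", "newValue": "\"InboundTrust\""},
            {"displayName": "PartnerPolicyDetailVersion", "newValue": "  \"1\"  "},
        ]}],
    },
    {  # app-initiated sync change with no target resources; matched by OperationName only
        "TimeGenerated": "2024-04-02T09:20:00Z", "Category": "Policy",
        "OperationName": "Update cross-tenant identity synchronization", "Result": "success",
        "CorrelationId": "00000000-0000-0000-0000-000000000002",
        "InitiatedBy": {"app": {"displayName": "Tenant Sync Automation",
                                "servicePrincipalId": "33333333-3333-3333-3333-333333333333",
                                "ipAddress": None}},
        "TargetResources": [],
    },
    {  # unrelated user update; must be filtered out
        "TimeGenerated": "2024-04-02T09:25:00Z", "Category": "UserManagement",
        "OperationName": "Update user", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "hr@contoso.example", "ipAddress": "198.51.100.7"}},
        "TargetResources": [{"modifiedProperties": [{"displayName": "JobTitle", "newValue": "\"Analyst\""}]}],
    },
]

if __name__ == "__main__":
    for row in run(SAMPLE_RECORDS):
        print(row["TimeGenerated"], row["Initiator"], row["IPAddress"], row["NewValues"])
```

Running the file prints two rows: the user-initiated partner change with its trimmed property values, and the app-initiated event with an empty NewValues bag, which is exactly the row the dynamic([""]) placeholder in the query exists to preserve.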
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Detecting non-privileged Windows Hello abuse - I recently followed a live session of Dirk-Jan Mollema and Ceri Coburn on how Windows Hello for Business can be abused as a non-privileged user. I was very intrigued by the concept of the attack they demonstrated, which is why I spent a couple of days thinking of ways we can counter this attack with detective controls as blue teamers.
Detection Response by tracing File Lineage with KQL Queries - One of the most common threats that a threat hunter needs to monitor is malicious files. As we know, thousands of files are either directly infected or created with harmful intent, designed to trigger malicious activity. These objects can be shared, downloaded, and — worst of all — executed by our users. That’s why it's critical to have proper monitoring and response mechanisms in place to react as quickly as possible when a threat is detected.
KQL - Basics for SOC - Analysts #5 - Summarize - The summarize operator in Kusto Query Language (KQL) is used to aggregate data by one or more columns (see all supported aggregation function types). It takes in a table of data and outputs a new table that is aggregated based on the specified columns.
Latest Queries from the Community
Check out some of the latest queries added to KQLSearch.com:
Michalis Michalos - Twitter & GitHub:
Sergio Albea - LinkedIn & GitHub:
Detecting Domains Where Their Emails Will Be Routed To Junk Folders Due To New Outlook Requirement
Review required outbound connections to work with Defender for Cloud Apps
Bert-Jan Pals - Twitter & GitHub:
Steven Lim - LinkedIn & GitHub:
Robbe Van den Daele - LinkedIn & GitHub:
Jose Sebastián Canós - Twitter & GitHub:
Thomas Naunheim - Twitter & GitHub:
Ali Hussein - Twitter & GitHub:
Alex Verboon - Twitter & GitHub:
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub