Kusto Insights - December Update
Welcome to a new Monthly Update. Before diving into all the Kusto news, we wish you all a happy and safe new year! We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
Identification of risky users risk dismissal or account compromised confirmation - This query uses Microsoft Entra ID Protection audit events to identify risky-user operations of two kinds: risk dismissal (DismissUser) and confirmation that an account was compromised (ConfirmAccountCompromised). It looks at audit logs within a specified timeframe and filters for those operations. It then extracts the display name of the targeted user and the user principal name of the security operator who dismissed the risk or confirmed the compromise. The results are sorted by the time the operation was generated.
By: Michalis Michalos [GitHub, Twitter]
let Timeframe = 90d;
AuditLogs
| where TimeGenerated > ago(Timeframe)
// Keep only the two Identity Protection operations this query is about
| where OperationName in ("DismissUser", "ConfirmAccountCompromised")
// Uncomment one of the following lines to focus on DismissUser or ConfirmAccountCompromised only
//| where OperationName == "DismissUser"
//| where OperationName == "ConfirmAccountCompromised"
// The targeted (risky) user is the first entry in TargetResources
| extend SuspUser = tostring(TargetResources[0].displayName)
// Add here the name of the user you want to focus on
//| where SuspUser contains @""
// The security operator who performed the action
| extend SecUser = tostring(InitiatedBy.user.userPrincipalName)
// Add here the name of the security operator who dismissed the risk or confirmed the account compromised
//| where SecUser contains @""
| project TimeGenerated, OperationName, SuspUser, SecUser
| sort by TimeGenerated desc
Source: GitHub
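The query above lists individual dismissals; a natural follow-up for a defender is to spot an operator who dismisses risk for many users in a short window, which is worth a second look because it may be a compromised admin account or a policy shortcut. The following is an added example, not code from the newsletter or from the query's author; the same AuditLogs columns are used, and the daily threshold of 5 users is an assumed tuning value.

```kql
// Added example: security operators who dismissed risk for many distinct users on one day.
// Assumes the standard Entra ID AuditLogs table in Log Analytics; the threshold is an assumption.
let Timeframe = 90d;
let DismissalThreshold = 5;   // assumed tuning value, adjust to your environment
AuditLogs
| where TimeGenerated > ago(Timeframe)
| where OperationName == "DismissUser"
| where Result == "success"
| extend SuspUser = tostring(TargetResources[0].displayName)
| extend SecUser = tostring(InitiatedBy.user.userPrincipalName)
| summarize
    DismissedUsers = dcount(SuspUser),
    Users = make_set(SuspUser, 50),          // cap the list so rows stay readable
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SecUser, Day = bin(TimeGenerated, 1d)
| where DismissedUsers >= DismissalThreshold
| extend WindowMinutes = datetime_diff("minute", LastSeen, FirstSeen)
| project Day, SecUser, DismissedUsers, WindowMinutes, Users
| sort by DismissedUsers desc, WindowMinutes asc
```

A short WindowMinutes together with a high DismissedUsers count is the pattern to review first; legitimate clean-up after a false-positive risk detection usually shows up as a known operator and a ticket, so compare against your change records before acting.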
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Have you heard about passkeys and AAGuids? - With the availability of passkeys, the FIDO2 standards become more accessible in the form of password managers, web browsers and (mobile) operating systems — without the need for dedicated hardware such as FIDO2 keys. While this is a very welcome addition that makes passwordless authentication easily accessible without dedicated hardware such as FIDO2 security keys, it also introduces new risks, especially for high-value accounts — But why’s that? This blog provides those answers and presents KQL queries to detect such behaviour.
Prioritize Vulnerabilities Using The CISA Known Exploited Vulnerabilities Catalog - Kusto Query Language (KQL) can be your friend when it comes to prioritizing vulnerabilities, specifically when dealing with critical vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog. This blog will explain what this catalog is and how KQL and/or CISAPy can help you to prioritise the vulnerabilities based on your application stack and needs. Multiple KQL examples are provided which can directly be used in your environment to determine which vulnerabilities from the catalog are still active and how they and new ones can be prioritized.
A Deep Dive into the KQL Union Operator - The union operator in KQL is used to merge the results of two or more tables (or tabular expressions) into a single result set. A familiar instance of this operation is the search operator, which implicitly performs a union when querying across multiple tables.
Updates and Blog posts from Microsoft
Using KQL query settings in Power BI - The article from Microsoft's Tech Community focuses on integrating KQL (Kusto Query Language) with Power BI. It highlights how to use different settings in the M query for managing ADX/KQL data in Power BI. The article provides insights on embedding these settings into KQL syntax and their impact on the Kusto connector. It also covers the nuances of combining multiple M queries into a single KQL query and the effective use of 'let' statements in KQL within Power BI.
Threat actors misuse OAuth applications to automate financially driven attacks - This Blog Post discusses the misuse of OAuth applications by threat actors for financially motivated attacks. These actors compromise user accounts, then create or modify OAuth applications with high privileges, using them for activities like deploying virtual machines for cryptocurrency mining, maintaining access post-business email compromise, and launching phishing and spamming attacks. Microsoft leverages various tools like Microsoft Defender for Cloud Apps and Microsoft Entra Identity Protection to detect and prevent these abuses. The blog also outlines steps for organizations to mitigate such attacks, emphasizing the importance of multi-factor authentication, conditional access policies, and regular auditing of apps and consented permissions.
Fabric Change the Game: Real – time Analytics - This post discusses the use of Real-Time Analytics in Microsoft Fabric, focusing on a case study involving tracking the International Space Station (ISS). It details how Real-Time Analytics, particularly through the Kusto Query Language (KQL), is leveraged to process streaming data. In this example, data regarding the ISS's location is collected via an API, processed through Fabric's event stream, and stored in a KQL database. This setup enables efficient querying and visualization of the ISS's position. Additionally, the post highlights the integration of various tools within Fabric, like Logic Apps and Python scripts, to streamline data ingestion and analysis.
Latest Queries from the Community
Bert-Jan Pals - Twitter & GitHub
Alex Verboon - Twitter & GitHub
Thomas Naunheim - Twitter & GitHub
MDA Threat Detection Policy For Oauth Apps With Enriched Information Workload Identity Info
Added Credential To Privileged Workload By Lower Or Nonprivileged User Workload Identity Info
Jose Sebastián Canós - Twitter & GitHub
Security Alert Logon Activity From A Potentially Harmful Application
Security Nested Recommendation Running Container Image MDVM Vulnerability Assessments
Michalis Michalos - Twitter & GitHub
Identification Of Risky Users Risk Dismissal Or Account Compromised Confirmation
Identify How Quick A Confirmed Compromised Account Changed Password
Ali Hussein - Twitter & GitHub
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo: aka.ms/LADemo
Socials
Bert-Jan Pals
Blog | Twitter | LinkedIn | GitHub
Ugur Koc