Kusto Insights - February Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
Hunt MDE with GSA events - This rule correlates the Microsoft Defender for Endpoint DeviceNetworkEvents table with the Global Secure Access NetworkAccessTraffic table. By doing this, you can enrich the MDE events, which contain detailed process information, with the GSA events, which contain detailed HTTP header information and more.
By: Robbe Van den Daele [GitHub, LinkedIn]
let gsa_events = NetworkAccessTraffic
    // Join DeviceInfo to get MDE DeviceID
    | join kind=inner (
        DeviceInfo
        | distinct DeviceId, AadDeviceId
    ) on $left.DeviceId == $right.AadDeviceId
    // Remove Entra Device ID from GSA logs
    | project-away DeviceId
    // Rename MDE Device ID to DeviceId column
    | project-rename DeviceId = DeviceId1;
// Get all MDE network events
DeviceNetworkEvents
// Get HTTP details if HTTP connection is logged
| extend HttpStatus = toint(todynamic(AdditionalFields).status_code),
         BytesIn = toint(todynamic(AdditionalFields).response_body_len),
         BytesOut = toint(todynamic(AdditionalFields).request_body_len),
         HttpMethod = tostring(todynamic(AdditionalFields).method),
         UrlHostname = tostring(todynamic(AdditionalFields).host),
         UrlPath = tostring(todynamic(AdditionalFields).uri),
         UserAgent = tostring(todynamic(AdditionalFields).user_agent),
         HttpVersion = tostring(todynamic(AdditionalFields).version)
// Join GSA logs
| join kind=inner gsa_events on
    DeviceId,
    $left.RemoteUrl == $right.DestinationFqdn,
    $left.RemotePort == $right.DestinationPort,
    $left.Protocol == $right.TransportProtocol,
    $left.InitiatingProcessFileName == $right.InitiatingProcessName
| project-rename TimeGeneratedGsa = TimeGenerated1, TimestampMde = Timestamp
| project-away Type, TenantId, TimeGenerated, TenantId1, Type1, DeviceId1, AadDeviceId
Source: GitHub
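As an added example (not part of Robbe's query or the original post), the same MDE-to-GSA correlation with a time-window constraint: joining on the device/host/port/protocol/process tuple alone pairs every MDE event with every GSA event that shares that tuple anywhere in the query range, so on a busy device the result can balloon and mis-pair events hours apart. The 2-minute tolerance, the 1-day lookback, the browser process list and the hunt at the end are assumptions made for this example; the column names are those used in the Query of the Month.

```kusto
// Added example: time-bounded MDE <-> GSA correlation, then a small hunt on the enriched rows.
let lookback = 1d;   // assumed query range
let window = 2m;     // assumed maximum allowed gap between the MDE and GSA timestamps
let gsa_events = NetworkAccessTraffic
    | where TimeGenerated > ago(lookback)
    | join kind=inner (DeviceInfo | distinct DeviceId, AadDeviceId)
        on $left.DeviceId == $right.AadDeviceId
    | project-away DeviceId
    | project-rename DeviceId = DeviceId1
    // Copy each GSA row into the bucket before, of, and after its own timestamp,
    // so an MDE event that falls into a neighbouring bucket can still match.
    | extend TimeKey = range(bin(TimeGenerated - window, window),
                             bin(TimeGenerated + window, window), window)
    | mv-expand TimeKey to typeof(datetime);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| extend TimeKey = bin(Timestamp, window)
| extend AF = todynamic(AdditionalFields)
| extend HttpMethod = tostring(AF.method),
         UrlHostname = tostring(AF.host),
         UserAgent = tostring(AF.user_agent),
         BytesOut = toint(AF.request_body_len)
| join kind=inner gsa_events on
    DeviceId,
    TimeKey,
    $left.RemoteUrl == $right.DestinationFqdn,
    $left.RemotePort == $right.DestinationPort,
    $left.Protocol == $right.TransportProtocol,
    $left.InitiatingProcessFileName == $right.InitiatingProcessName
// Buckets are coarser than the tolerance, so enforce the exact gap here.
| where abs(Timestamp - TimeGenerated1) <= window
| project-rename TimeGeneratedGsa = TimeGenerated1, TimestampMde = Timestamp
// Example hunt: non-browser processes whose HTTP requests carry a browser-style
// User-Agent, a pattern worth reviewing because it blends in with normal web traffic.
| where InitiatingProcessFileName !in~ ("msedge.exe", "chrome.exe", "firefox.exe")  // assumed list
| where UserAgent has "Mozilla"
| summarize Events = count(),
            TotalBytesOut = sum(BytesOut),
            Hosts = make_set(UrlHostname, 20)
    by DeviceId, InitiatingProcessFileName, UserAgent
| order by TotalBytesOut desc
```

Widen `window` if GSA and MDE ingestion delays in your tenant are larger; the bucket expansion guarantees no pair within the tolerance is lost, and the `abs()` filter removes the extra pairs the expansion introduces.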
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Correlating Defender for Endpoint and Global Secure Access Logs - If you are working with Microsoft security solutions, you might have heard of the new kid on the block called Microsoft Global Secure Access. Being a blue teamer myself, I asked myself how we can use this new Secure Service Edge solution - and specifically the Internet Access logs - to make our detections better. During my research I found that these logs are especially interesting when we correlate them with the EDR solution of Microsoft called Microsoft Defender for Endpoint. If you want to learn how you can do this, make sure to keep reading.
Log Analytics Queries for Billable Data per Subscription - When we deploy Azure Enterprise Scale Landing Zones, we often advise our customers to use a centralised Log Analytics workspace for all their Azure resources and configure the workspace to use the Resource-context Access Mode. With this pattern, normally the cloud administrators and security teams would have been granted access on the Log Analytics workspace level. The application teams who consume the Azure resources do not need to be granted any roles to the Log Analytics workspace.
Updates and Blog posts from Microsoft
Get Certified: The Must-Have Data Engineer Credential - The Microsoft Fabric Data Engineer Associate certification (DP-700) is a new credential for data professionals. It validates your expertise in integrating, transforming, and consolidating data using Microsoft Fabric's unified data analytics platform. This certification is particularly relevant now, as the Azure Data Engineer Associate certification (DP-203) is set to retire on March 31, 2025. Earning the DP-700 certification demonstrates your commitment to staying current with Microsoft's latest data engineering technologies.
Welcome to the Microsoft Incident Response Ninja Hub - The Microsoft Incident Response Ninja Hub is a treasure trove of resources for security professionals. You can access guides on threat hunting, incident response best practices, and case studies, many of which utilize Kusto Query Language (KQL) for in-depth analysis. This hub empowers you to enhance your incident response strategies and stay ahead of emerging threats.
Device Inventory in the Microsoft Environment - Device Inventory in Microsoft Intune brings real-time and cached query capabilities using Kusto Query Language (KQL). You can now perform custom queries across multiple devices, gaining deeper insights into device configurations. This advancement simplifies device management and sets the stage for future features like Copilot integration and cross-platform support.
Latest Queries from the Community
Check out some of the latest queries added to KQLSearch.com:
Bert-Jan Pals - Twitter & GitHub:
Michalis Michalos - Twitter & GitHub:
Sergio Albea - LinkedIn & GitHub:
Steven Lim - LinkedIn & GitHub:
Robbe Van den Daele - LinkedIn & GitHub:
Alex Verboon - Twitter & GitHub:
Jose Sebastián Canós - Twitter & GitHub:
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub