Kusto Insights - January Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
Entra ID - Self Service Password Reset - Configuration Changes - Microsoft has introduced enhanced logging capabilities for Self-Service Password Reset (SSPR) policy configurations. With this update, any change made to the SSPR policy configuration—including enablement, disablement, or modifications—will generate an audit log entry detailing the change.
The audit log entry includes the following details:
Change Details: A description of the action taken (e.g., enabled or disabled the policy).
Previous and Current Values: Both the prior and updated configuration settings are recorded, providing comprehensive insight into the nature of the change.
By: Alex Verboon [GitHub, LinkedIn]
AuditLogs
// Only the audit event that Entra ID writes when the SSPR policy configuration is changed
| where OperationName == "Update SSPR Settings"
// The actor is nested in the InitiatedBy dynamic column; pull out the UPN
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// One row per modified property; mv-expand names the new column TargetResources_0_modifiedProperties
| mv-expand parse_json(TargetResources)[0].modifiedProperties
| extend SSPR_Setting = tostring(TargetResources_0_modifiedProperties.displayName)
// newValue/oldValue arrive as JSON-encoded strings, so parse them before converting to string
| extend newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| extend oldValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.oldValue)))
| project TimeGenerated, SSPR_Setting, oldValue, newValue, Actor, CorrelationId
Source: GitHub
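The query above lists every SSPR setting change. The following query is an added example, not part of Alex Verboon's original query or the newsletter, that reshapes it into something closer to an analytics rule: it drops no-op updates where the value did not change, groups the changes per actor and correlation ID, and flags actors outside an allowlist. It assumes the same AuditLogs schema (including the `ipAddress` field under `InitiatedBy.user`) and the auto-generated `TargetResources_0_modifiedProperties` column; the `ExpectedActors` allowlist is a constructed placeholder to be replaced with the accounts that are actually permitted to change SSPR policy.

```kql
// Added example (not from the original post): SSPR policy changes summarized per actor.
// Placeholder allowlist of accounts expected to change SSPR settings (constructed value).
let ExpectedActors = dynamic(["iam-admin@contoso.example"]);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Update SSPR Settings"
// Actor identity and source IP from the InitiatedBy dynamic column
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ActorIp = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
// One row per modified property (column auto-named TargetResources_0_modifiedProperties)
| mv-expand parse_json(TargetResources)[0].modifiedProperties
| extend SSPR_Setting = tostring(TargetResources_0_modifiedProperties.displayName)
| extend newValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))
| extend oldValue = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.oldValue)))
// Ignore updates that re-saved the same value; only real configuration drift matters
| where oldValue != newValue
// Collapse the per-property rows into one finding per actor and correlation ID
| summarize ChangeCount = count(),
            ChangedSettings = make_set(SSPR_Setting),
            Changes = make_list(bag_pack("setting", SSPR_Setting, "old", oldValue, "new", newValue)),
            FirstChange = min(TimeGenerated),
            LastChange = max(TimeGenerated)
    by Actor, ActorIp, CorrelationId
// Anyone not on the allowlist changing SSPR policy is worth a look
| extend UnexpectedActor = Actor !in (ExpectedActors)
| order by UnexpectedActor desc, LastChange desc
```

Grouping by CorrelationId keeps the properties touched in a single save together, so one finding represents one configuration change rather than one row per property; the `Changes` list preserves the old and new value pairs for the investigator.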
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
KQL Sources - 2025 Update - What started as a single blog is now becoming a yearly trend. More and more KQL related repositories are created, not only with a focus on security but also Intune, Entra and Azure Monitor related queries. Dive in and discover how these new additions can help you tackle challenges or give you new ideas for the new year.
Microsoft Expanded Cloud Logs Implementation Playbook - This playbook provides a detailed overview of the newly introduced logging capabilities in Microsoft Purview Audit (Standard). These capabilities enable organizations to conduct forensic and compliance investigations by accessing critical events, such as Mail items accessed, Mail items sent, and User searches in SharePoint Online and Exchange Online.
Detecting 'Paste and Run' malware with KQL - Paste and run malware slowly started gaining prevalence towards the end of 2024. It often convinces users to open the 'Run' prompt (Windows + R) and copies a malicious command to the clipboard for them to paste and run. It's simple, easy to distribute via multiple methods, and with the rise of generative AI, easy to make look convincing. We're going to write a KQL query to detect this.
Updates and Blog posts from Microsoft
Azure Workbooks: Advanced customization and data visualization in Azure - Bring in data from multiple Azure sources and turn it into interactive dashboards that make monitoring and analysis easier. If you're working with KQL, this is a great way to visualize your queries, making insights more accessible and actionable. Whether you need to track performance, security, or operations, Workbooks help you shape KQL results into meaningful reports.
Decision Guide for Selecting an Analytical Data Store in Microsoft Fabric - Eventhouses are tailored for real-time event processing and analytics, utilizing the Kusto Query Language (KQL) for efficient data transformation and querying. This makes it particularly relevant for your KQL-focused interests, as it emphasizes the strengths of KQL in handling high-velocity data streams. Understanding these distinctions helps you leverage KQL effectively within Microsoft Fabric's ecosystem.
Latest Queries from the Community
Check out some of the latest queries added to KQLSearch.com:
Bert-Jan Pals - Twitter & GitHub:
Michalis Michalos - Twitter & GitHub:
Sergio Albea - LinkedIn & GitHub:
Steven Lim - LinkedIn & GitHub:
Robbe Van den Daele - LinkedIn & GitHub:
Alex Verboon - Twitter & GitHub:
Jose Sebastián Canós - Twitter & GitHub:
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub