Kusto Insights - June Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, with a quick summary of what is going on in the world of KQL, including news and blogs from the community as well as from Microsoft.
Query of the Month
Automation Account Runbook Status - This query helps you check the status of your Azure Automation Account Runbook jobs. It retrieves information such as the start time, end time, duration, status, and any errors encountered during the job. It also provides references on how to forward diagnostic logs to Azure Monitor and send custom Runbook logs to Log Analytics.
By: Alex Verboon [GitHub, Twitter]
AzureDiagnostics
| where Category == 'JobLogs'
| extend RunbookName = RunbookName_s
| project TimeGenerated, RunbookName, ResultType, CorrelationId, JobId_g
// One row per job: the first 'Started' record is the start, the first terminal record is the end
| summarize StartTime = minif(TimeGenerated, ResultType == 'Started'),
    EndTime = minif(TimeGenerated, ResultType in ('Completed', 'Failed', 'Stopped')),
    Status = tostring(parse_json(make_list_if(ResultType, ResultType in ('Completed', 'Failed', 'Stopped')))[0]) by JobId_g, RunbookName
| extend DurationSec = datetime_diff('second', EndTime, StartTime)
// Count the Error stream records each job emitted (count(), not dcount() of the constant StreamType_s)
| join kind=leftouter (AzureDiagnostics
    | where Category == "JobStreams"
    | where StreamType_s == "Error"
    | summarize TotalErrors = count() by JobId_g, StreamType_s)
    on $left.JobId_g == $right.JobId_g
| extend HasErrors = iff(StreamType_s == 'Error', true, false)
| project StartTime, EndTime, DurationSec, RunbookName, Status, HasErrors, TotalErrors, JobId_g
Source: GitHub
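As an added example that is not part of the newsletter or of Alex Verboon's query, the same JobLogs and JobStreams categories can be rolled up per runbook to surface runbooks with a high failure rate or error output; the 7-day lookback and the 20% threshold are constructed values.

```kql
// Added example: per-runbook health over the last 7 days from AzureDiagnostics.
// Assumes JobLogs and JobStreams are forwarded to the workspace via diagnostic settings.
let lookback = 7d;
let FailureRateThreshold = 0.2;   // constructed threshold: flag runbooks with >20% failed jobs
let Jobs =
    AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category == 'JobLogs'
    | extend RunbookName = RunbookName_s
    | summarize
        StartTime = minif(TimeGenerated, ResultType == 'Started'),
        EndTime   = minif(TimeGenerated, ResultType in ('Completed', 'Failed', 'Stopped')),
        Status    = tostring(parse_json(make_list_if(ResultType, ResultType in ('Completed', 'Failed', 'Stopped')))[0])
        by JobId_g, RunbookName
    | extend DurationSec = datetime_diff('second', EndTime, StartTime);
let ErrorStreams =
    AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category == 'JobStreams' and StreamType_s == 'Error'
    | summarize ErrorCount = count() by JobId_g;
Jobs
| join kind=leftouter ErrorStreams on JobId_g
| extend ErrorCount = coalesce(ErrorCount, 0)      // jobs without error streams get 0
| summarize
    TotalJobs            = count(),
    FailedJobs           = countif(Status == 'Failed'),
    StoppedJobs          = countif(Status == 'Stopped'),
    JobsWithErrorStreams = countif(ErrorCount > 0),
    P95DurationSec       = percentile(DurationSec, 95),
    LastRun              = max(StartTime)
    by RunbookName
| extend FailureRate = round(todouble(FailedJobs) / TotalJobs, 2)
| where FailureRate > FailureRateThreshold or JobsWithErrorStreams > 0
| order by FailureRate desc
```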
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Keeping an eye on WSL through Microsoft Defender for Endpoint - The days when Microsoft considered Linux a cancer are long gone. Microsoft’s strategy has not only embraced Linux, but developed the groundwork to provide the necessary means for open source projects to flourish, leaving behind the early 2000’s rivalries. With that said, Microsoft introduced Windows Subsystem for Linux (WSL) in 2016, allowing Windows users to run a Linux environment without the need for a separate system or VM.
Using KQL to Pull the Deployment Status of Defender for Endpoint - Over the last year, we have experienced an uptick in Defender for Endpoint deployments. This is mainly due to mergers and acquisitions happening on the software vendor side (like Symantec Enterprise Antivirus being taken over by Broadcom), and this has forced customers to move away from existing solutions for many reasons (mostly price hikes and lack of support after the takeover). As part of this exercise, many of my customers realized their Microsoft 365 subscriptions included Defender for Endpoint, so switching over to Microsoft’s solution became an easy choice.
Unveil Delete Operations In Azure Using KQL - Welcome to another insightful journey through the azure skies! In this blog post, we’ll explore how to wield the mighty KQL to uncover those elusive “delete” actions within your Azure environment. Whether you’re a seasoned cloud explorer or just dipping your toes into the Azure waters, this guide will equip you with the knowledge to track down those vanishing resources.
UPDATES AND DELETES - Not so long ago, in a galaxy far, far away, we got two new, long-awaited functions in the Real-Time Intelligence engine, the Kusto Query Language - also known as KQL.
Update and Delete statements are now a built-in part of the engine syntax, and give us the possibility to manipulate the data in the storage engine.
T1556.009 - Detect and prevent suspicious conditional access policy modifications - In April 2024, MITRE came out with their new V15 version of ATT&CK. In this version a new sub-technique was introduced called 'T1556.009 - Modify Authentication Process: Conditional Access Policies'. This was, in my opinion, a great addition to the framework, since it is an important technique which can be abused by adversaries. By changing a Conditional Access policy (later referred to as 'CA policy'), an adversary can establish Credential Access, Defense Evasion, and Persistence in Entra ID. Since it is such a vital component, I thought it was time to do a bit of a deep dive into how we can detect and mitigate suspicious CA policy changes.
Updates and Blog posts from Microsoft
We couldn't find any exciting announcements or news from Microsoft related to Kusto. However, if you missed it, read this interesting article from May:
Hunting for MFA manipulations in Entra ID tenants using KQL
Latest Queries from the Community
Bert-Jan Pals - Twitter & GitHub
Alex Verboon - Twitter & GitHub
Jose Sebastián Canós - Twitter & GitHub
Michalis Michalos - Twitter & GitHub
Ali Hussein - Twitter & GitHub
Submissions:
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub