Kusto Insights - March Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as from Microsoft.
Query of the Month
NTDS.DIT File Modifications - NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It is the primary database file of Microsoft's Active Directory Domain Services (AD DS). Adversaries may attempt to access or modify the Active Directory domain database in order to steal credential information or perform other types of attacks. By default, the NTDS file (NTDS.dit) is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.
The hunt query returns a summary table with counts and a sample of the devices and files modified, along with the processes responsible for the action, so legitimate backup solutions may appear in the results as well. Note that the query searches for any DeviceFileEvents record matching the keywords "ntds" and "dit" that might be linked to write/modification activity on the AD domain database file.
By: Alex Teixeira [GitHub, Twitter]
// Author: Alex Teixeira (alex@opstune.com)
// Free-text search across DeviceFileEvents for both keywords, restricted to file modifications
search in(DeviceFileEvents) "ntds" and "dit" and ActionType:"FileModified"
// Limit the lookback window to the last 90 days
| where Timestamp > ago(90d)
// Group by the initiating process, its parent and the account, with device/file counts and samples
| summarize Device_Count=dcount(DeviceId), Device_Sample=take_any(DeviceName), File_Count=dcount(FolderPath), File_Sample=take_any(FolderPath), Last_Seen=max(Timestamp) by InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName
// Most widespread activity first
| sort by Device_Count desc, File_Count desc
Source: GitHub
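As an added follow-up (not part of the original post or Alex Teixeira's query), the variant below narrows the keyword search to the database file name itself and separates the domain controller's own routine writes from everything else. It assumes the Microsoft Defender XDR advanced hunting DeviceFileEvents schema, that legitimate in-place writes to the file come from lsass.exe, and that the default location lives under \Windows\NTDS\; the allow-list table is a constructed placeholder to extend with your sanctioned backup agents.

```kql
// Added example, not from the original post. Assumes the Defender XDR DeviceFileEvents schema.
let lookback = 30d;
// Placeholder allow-list (constructed): lsass.exe is the process that normally writes ntds.dit on a DC.
// Add the executables of your sanctioned backup solution here.
let KnownWriters = datatable(ProcessName:string)
[
    "lsass.exe"
];
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Match the file name exactly instead of the loose "ntds" and "dit" keyword search
| where FileName =~ "ntds.dit"
// Flag events whose path is not the default %SystemRoot%\NTDS folder (assumes the default install path)
| extend OutsideDefaultPath = FolderPath !contains @"\Windows\NTDS\"
// Keep anything written outside the default folder, or written by a process that is not on the allow-list
| where OutsideDefaultPath or InitiatingProcessFileName !in~ (KnownWriters)
| summarize Device_Count = dcount(DeviceId),
            Device_Sample = take_any(DeviceName),
            File_Count = dcount(FolderPath),
            File_Sample = take_any(FolderPath),
            Outside_Default_Count = countif(OutsideDefaultPath),
            First_Seen = min(Timestamp),
            Last_Seen = max(Timestamp)
    by InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
// Copies landing outside the default folder are the rows to triage first
| sort by Outside_Default_Count desc, Device_Count desc
```

Rows with a non-zero Outside_Default_Count point at copies of the database file rather than in-place writes; review the command line before adding a process to the allow-list.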
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Entra ID monitoring - are you doing the basics? - This is the third in a series of blogs I will be writing about Microsoft Entra ID. I've been helping customers with Microsoft Entra ID (Azure AD) for over a decade and I worked in the Microsoft Identity product group for four of those years. This blog is to discuss topics I feel would benefit from more clarity and guidance, and to give my views on common problems I have seen over the years. If you have any ideas for topics you would like to see covered, then do reach out.
KQL hacks — from a path to folder structure for Azure Monitor Workbooks tree visualization - I needed to generate a list of all possible paths derived from a single path. I tried a lot, some queries I made made me really proud, but looking back at them now, I see myself winding up into a corner where a lot made sense, then, and only then. From over here, where I have the solution to my goal — I know I could have saved a lot of time. Now, for what? I love these rabbit holes and where they take me, those dungeons are stuffed with fun things and intriguing artefacts for every nerd. But the “doh” in the end is priceless! Let’s get to business…
Automating Email Notifications for Azure KQL Rule using Azure Logic Apps - In today’s fast-paced digital landscape, staying ahead of potential threats and system updates is crucial for maintaining the security and efficiency of your Azure environment. With the power of Azure Logic Apps, you can automate email notifications to ensure that you never miss out on critical events, such as when a KQL (Kusto Query Language) rule is triggered. In this guide, we’ll walk you through the steps to set up a Logic App that sends email notifications when a KQL rule is triggered, helping you stay informed and proactive in managing your Azure resources.
Updates and Blog posts from Microsoft
While this newsletter primarily updates on last month's topics, it's essential to highlight the now generally available Microsoft Copilot for Security. You can find a lot of information here: Microsoft Copilot for Security: General Availability details and here: Improving Threat Hunting Efficiency using Copilot for Security.
Four Strategies for Cost-Effective Azure Monitoring and Log Analytics - This blog post emphasizes how leveraging Kusto Query Language (KQL) for data transformations can significantly reduce storage and ingestion costs. The guide is a valuable resource for anyone looking to refine their Azure monitoring practices, ensuring efficient data management while maintaining high performance and data integrity.
Azure Arc, Azure Monitoring and Azure Workbooks - This post is about leveraging Azure Arc, Azure Monitoring, and Azure Workbooks for comprehensive monitoring and management of hybrid virtual machines connected to Azure. It highlights the significance of creating a strategic plan for monitoring, including server inventory listing, resource group planning, and detailed monitoring requirements. The article also underscores the importance of using Kusto Query Language (KQL) for log analytics, which is crucial for extracting actionable insights and ensuring optimal performance across hybrid environments.
Latest Queries from the Community
Bert-Jan Pals - Twitter & GitHub
Alex Verboon - Twitter & GitHub
Thomas Naunheim - Twitter & GitHub
Jose Sebastián Canós - Twitter & GitHub
Dns Events DNS Query Resolved To Palo Alto Networks Sinkhole
Device Network Events Suspicious Connection By COM Surrogate
Device Network Events Suspicious Process Connection To Cloudfront Domain
Matt Zorich - Twitter & GitHub
Michalis Michalos - Twitter & GitHub
Ali Hussein - Twitter & GitHub
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals
Blog | Twitter | LinkedIn | GitHub
Ugur Koc