Overview
A couple of weeks ago, Hesham and Hiten attended an internal Global Blackbelt summit in Redmond. Unfortunately, we encountered bad weather due to a “Bomb Cyclone”. Consequently, many people within the Washington State area were left without essential services such as electricity and running water. The Microsoft Campus was converted into a temporary relief center, leading to the rescheduling of our sessions for the day.
Fortunately, we were staying at a hotel equipped with a backup generator, running water, and heating. We borrowed a whiteboard and spent the next few hours discussing the migration from third-party solutions, and mainly from other query-based languages, to Microsoft Sentinel, Defender XDR and KQL (Kusto Query Language).
SIEM migrations are always a challenging process that requires meticulous planning and a thorough understanding of the existing setup in the legacy SIEM and of what needs to be migrated to the modern SIEM. Our primary discussion point was how we can efficiently assist organizations in translating detection rules from query-based languages like AQL (Ariel Query Language) to KQL (Kusto Query Language), and how to help organizations, mainly SOC teams, convert their YARA rules and their STIX II and OpenIOC intel to KQL format.
We identified three options:
- Convert AQL to KQL
- Convert YARA to KQL
- Convert STIX II and OpenIOC intel to KQL
All three options require specialized skills and can be cumbersome to complete. For example, the user would need to understand precisely how AQL maps to KQL, and the second option requires thorough knowledge of the syntax used in YARA rules. Both are niche skills, and the same applies to STIX II.
One thing to point out here is that we are not experts in query languages like AQL or in YARA rules; we know how to export the detection rules in CSV format, and our combined knowledge of AQL is limited and would be considered basic at best.
We quickly realized that AQL is similar to SQL, and consequently to KQL.
We had the following AQL Code:
Select sourceip, destinationip, "Process Name" FROM events WHERE "Process Name" IMATCHES '.*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*|' GROUP BY "Process Name",sourceip LAST 3 DAYS
This query aims to track the use of specific executables for administrative or potentially malicious activities. By grouping results by process name and source IP, it helps detect patterns or anomalies that may indicate security incidents or policy violations.
Using Microsoft Security Copilot
What if we could get Security Copilot to firstly explain the code and then convert it to Kusto?
We used the following prompt:
/askGPT I am planning a SIEM migration from AQL query based to Microsoft Sentinel KQL. As AQL expert can you create a detailed summary that explains the following AQL query in square brackets [ Select sourceip, destinationip, "Process Name" FROM events WHERE "Process Name" IMATCHES '.*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*|' GROUP BY "Process Name",sourceip LAST 3 DAYS]
Below is the output:
Detailed Summary of AQL Query Breakdown
Query Overview
The provided AQL query is designed to search for specific process names within event logs and return the source and destination IP addresses associated with those processes. Here's a detailed breakdown of the query:
AQL Query Breakdown
- Select Clause:
  - sourceip: The source IP address from which the event originated.
  - destinationip: The destination IP address to which the event was directed.
  - "Process Name": The name of the process involved in the event.
- From Clause:
  - events: The dataset or table from which the query is retrieving data.
- Where Clause:
  - "Process Name" IMATCHES '.*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*': This condition filters events to include only those where the process name matches any of the specified patterns. The IMATCHES operator is used for case-insensitive regular expression matching.
- Group By Clause:
  - "Process Name", sourceip: The results are grouped by the process name and source IP address.
- Time Range:
  - LAST 3 DAYS: The query is limited to events that occurred within the last three days.
Summary
This AQL query is designed to identify and group events based on specific process names that are often associated with suspicious or malicious activity. By focusing on these processes, the query helps in monitoring and investigating potential security incidents. The results provide insights into the source and destination IP addresses involved, which can be crucial for further analysis and response.
The query returns the process name, source IP, and destination IP for events matching the specified process names, grouped by process name and source IP, within the last three days.
The next step is to see if Security Copilot can help convert the AQL to something that maps onto Microsoft Sentinel's Kusto Query Language:
Can you analyze the AQL query above and map it to KQL, it is important to ensure that the mapping directly correlates to the schema in KQL. Can you also show the output of the query in a table. Present the mappings in a table:
KQL Query and Output
KQL Query Mapping
DeviceProcessEvents | where TimeGenerated >= ago(3d) | where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*' | summarize by InitiatingProcessFileName
Query Output
| InitiatingProcessFileName |
| --- |
| csc.exe |
| gpupdate.exe |
| microsoftedgeupdate.exe |
| msiexec.exe |
| schtasks.exe |
| sc.exe |
| cscript.exe |
| rundll32.exe |
| makecab.exe |
| route.exe |
Row Counts
- Total Rows: 10
- Displayed Rows: 10
Product Name
- Product: Sentinel
The extended team highlighted the importance of considering YARA rules for uniformity. Given that expertise in YARA rule generation was lacking, Security Copilot was again consulted:
/askGPT Can you explain what a YARA rule is with an example
A YARA rule is a type of rule used in cybersecurity to identify and classify malware samples. YARA, which stands for "Yet Another Recursive Acronym," is a tool aimed at helping malware researchers identify and classify malware. YARA rules are written in a specific syntax and are used to describe patterns that can be found in files or processes.
Example of a YARA Rule
Here is a simple example of a YARA rule that detects a file containing the string "malicious":
rule ExampleRule
{
    meta:
        description = "This rule detects files containing the string 'malicious'"
        author = "Security Researcher"
        date = "2024-12-09"
    strings:
        $malicious_string = "malicious"
    condition:
        $malicious_string
}
So we have a basic understanding of what a YARA rule is and its typical format. The next step is to see whether we can use Security Copilot to convert the YARA rule into a KQL rule:
We used the following prompt:
As a YARA rule expert, can you take the above KQL query generated and create a KQL rule?

rule Suspicious_Process_Execution
{
    meta:
        description = "Detects execution of potentially suspicious processes"
        author = "Security Analyst"
        date = "2023-10-01"
    strings:
        $atbroker = /(?i).*atbroker\.exe.*/
        $bash = /(?i).*bash\.exe.*/
        $bitsadmin = /(?i).*bitsadmin\.exe.*/
        $certutil = /(?i).*certutil\.exe.*/
        $cmdkey = /(?i).*cmdkey\.exe.*/
        $cmstp = /(?i).*cmstp\.exe.*/
        $control = /(?i).*control\.exe.*/
        $csc = /(?i).*csc\.exe.*/
        $cscript = /(?i).*cscript\.exe.*/
        $dfsvc = /(?i).*dfsvc\.exe.*/
        $diskshadow = /(?i).*diskshadow\.exe.*/
        $dnscmd = /(?i).*dnscmd\.exe.*/
        $esentutl = /(?i).*esentutl\.exe.*/
        $eventvwr = /(?i).*eventvwr\.exe.*/
        $expand = /(?i).*expand\.exe.*/
        $extexport = /(?i).*extexport\.exe.*/
        $extrac32 = /(?i).*extrac32\.exe.*/
        $findstr = /(?i).*findstr\.exe.*/
        $forfiles = /(?i).*forfiles\.exe.*/
        $ftp = /(?i).*ftp\.exe.*/
        $gpscript = /(?i).*gpscript\.exe.*/
        $hh = /(?i).*hh\.exe.*/
        $ie4uinit = /(?i).*ie4uinit\.exe.*/
        $ieexec = /(?i).*ieexec\.exe.*/
        $infdefaultinstall = /(?i).*infdefaultinstall\.exe.*/
        $installutil = /(?i).*installutil\.exe.*/
        $makecab = /(?i).*makecab\.exe.*/
        $reg = /(?i).*reg\.exe.*/
        $print = /(?i).*print\.exe.*/
        $presentationhost = /(?i).*presentationhost\.exe.*/
        $pcwrun = /(?i).*pcwrun\.exe.*/
        $pcalua = /(?i).*pcalua\.exe.*/
        $odbcconf = /(?i).*odbcconf\.exe.*/
        $msiexec = /(?i).*msiexec\.exe.*/
        $mshta = /(?i).*mshta\.exe.*/
        $msdt = /(?i).*msdt\.exe.*/
        $msconfig = /(?i).*msconfig\.exe.*/
        $msbuild = /(?i).*msbuild\.exe.*/
        $mmc = /(?i).*mmc\.exe.*/
        $microsoft_workflow_compiler = /(?i).*microsoft\.workflow\.compiler\.exe.*/
        $mavinject = /(?i).*mavinject\.exe.*/
        $vsjitdebugger = /(?i).*vsjitdebugger\.exe.*/
        $tracker = /(?i).*tracker\.exe.*/
        $te = /(?i).*te\.exe.*/
        $sqltoolsps = /(?i).*sqltoolsps\.exe.*/
        $sqlps = /(?i).*sqlps\.exe.*/
        $sqldumper = /(?i).*sqldumper\.exe.*/
        $rcsi = /(?i).*rcsi\.exe.*/
        $msxsl = /(?i).*msxsl\.exe.*/
        $msdeploy = /(?i).*msdeploy\.exe.*/
        $mftrace = /(?i).*mftrace\.exe.*/
        $dxcap = /(?i).*dxcap\.exe.*/
        $dnx = /(?i).*dnx\.exe.*/
        $csi = /(?i).*csi\.exe.*/
        $cdb = /(?i).*cdb\.exe.*/
        $bginfo = /(?i).*bginfo\.exe.*/
        $appvlp = /(?i).*appvlp\.exe.*/
        $xwizard = /(?i).*xwizard\.exe.*/
        $wsreset = /(?i).*wsreset\.exe.*/
        $wscript = /(?i).*wscript\.exe.*/
        $wmic = /(?i).*wmic\.exe.*/
        $wab = /(?i).*wab\.exe.*/
        $verclsid = /(?i).*verclsid\.exe.*/
        $syncappvpublishingserver = /(?i).*syncappvpublishingserver\.exe.*/
        $scriptrunner = /(?i).*scriptrunner\.exe.*/
        $schtasks = /(?i).*schtasks\.exe.*/
        $sc = /(?i).*sc\.exe.*/
        $runscripthelper = /(?i).*runscripthelper\.exe.*/
        $runonce = /(?i).*runonce\.exe.*/
        $rundll32 = /(?i).*rundll32\.exe.*/
        $rpcping = /(?i).*rpcping\.exe.*/
        $replace = /(?i).*replace\.exe.*/
        $regsvr32 = /(?i).*regsvr32\.exe.*/
        $regsvcs = /(?i).*regsvcs\.exe.*/
        $register_cimprovider = /(?i).*register-cimprovider\.exe.*/
        $regedit = /(?i).*regedit\.exe.*/
        $regasm = /(?i).*regasm\.exe.*/
    condition:
        any of ($atbroker, $bash, $bitsadmin, $certutil, $cmdkey, $cmstp, $control, $csc, $cscript, $dfsvc,
                $diskshadow, $dnscmd, $esentutl, $eventvwr, $expand, $extexport, $extrac32, $findstr, $forfiles, $ftp,
                $gpscript, $hh, $ie4uinit, $ieexec, $infdefaultinstall, $installutil, $makecab, $reg, $print,
                $presentationhost, $pcwrun, $pcalua, $odbcconf, $msiexec, $mshta, $msdt, $msconfig, $msbuild, $mmc,
                $microsoft_workflow_compiler, $mavinject, $vsjitdebugger, $tracker, $te, $sqltoolsps, $sqlps, $sqldumper,
                $rcsi, $msxsl, $msdeploy, $mftrace, $dxcap, $dnx, $csi, $cdb, $bginfo, $appvlp, $xwizard, $wsreset,
                $wscript, $wmic, $wab, $verclsid, $syncappvpublishingserver, $scriptrunner, $schtasks, $sc,
                $runscripthelper, $runonce, $rundll32, $rpcping, $replace, $regsvr32, $regsvcs, $register_cimprovider,
                $regedit, $regasm)
}
KQL Rule Based on YARA Rule
DeviceProcessEvents | where Timestamp >= ago(3d) | where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ieuinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*' | summarize by InitiatingProcessFileName
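As an added example (not code from the page or from the Security Copilot repository), the Python below does the mechanical part of both conversions shown above: it pulls the executable names out of an AQL IMATCHES pattern and out of a YARA strings section, flags the empty alternative that the trailing '|' of the original AQL pattern leaves behind (harmless if AQL IMATCHES is a full-string match, which is assumed here, but a match-everything clause under KQL's partial-match `matches regex`), and emits an exact-name KQL filter. The AQL and YARA inputs are constructed, shortened versions of the page's rules; the mapping to FileName and DeviceName is a choice made here, not the page's.

```python
import re

# Constructed inputs in the shape of the page's rules: a short AQL rule whose
# IMATCHES pattern keeps the trailing '|' of the original, and the same three
# names written as a YARA strings section.
AQL_RULE = (
    'Select sourceip, destinationip, "Process Name" FROM events '
    'WHERE "Process Name" IMATCHES '
    "'.*certutil\\.exe.*|.*mshta\\.exe.*|.*rundll32\\.exe.*|' "
    'GROUP BY "Process Name",sourceip LAST 3 DAYS'
)
YARA_RULE = r"""
rule Suspicious_Process_Execution {
  strings:
    $certutil = /(?i).*certutil\.exe.*/
    $mshta = /(?i).*mshta\.exe.*/
    $rundll32 = /(?i).*rundll32\.exe.*/
  condition:
    any of ($certutil, $mshta, $rundll32)
}
"""


def pattern_to_exe(pattern):
    """Reduce a '(?i).*name\\.exe.*' style regex to the plain file name."""
    p = re.sub(r"^\(\?i\)", "", pattern.strip())   # inline case flag
    p = re.sub(r"^(\.\*)+|(\.\*)+$", "", p)         # leading/trailing .*
    return p.replace(r"\.", ".").lower()            # unescape literal dots


def aql_alternatives(aql):
    """The IMATCHES regex of an AQL rule, split into its '|' alternatives."""
    m = re.search(r"IMATCHES\s+'([^']*)'", aql)
    if m is None:
        raise ValueError("no IMATCHES clause found")
    return m.group(1).split("|")


def aql_to_names(aql):
    """File names from the AQL rule, plus whether an empty alternative exists."""
    alts = aql_alternatives(aql)
    return [pattern_to_exe(a) for a in alts if a], "" in alts


def yara_to_names(yara):
    """File names from every '$id = /regex/' string of a YARA rule."""
    return [pattern_to_exe(p) for p in re.findall(r"\$\w+\s*=\s*/(.*?)/", yara)]


def kql_matches_regex(pattern, value):
    """Emulate KQL 'matches regex': a partial (search) match. An empty
    alternative carried over from AQL therefore matches every value."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def to_kql(names, table="DeviceProcessEvents", period="3d"):
    """Exact-name filter instead of an unanchored regex. FileName is the
    process that ran (AQL "Process Name"); InitiatingProcessFileName is its
    parent. DeviceProcessEvents has no source/destination IP, so the grouping
    uses DeviceName. This column mapping is chosen here, not the page's."""
    quoted = ", ".join('"%s"' % n for n in sorted(set(names)))
    return (f"{table}\n"
            f"| where TimeGenerated >= ago({period})\n"
            f"| where FileName in~ ({quoted})\n"
            "| summarize count() by FileName, DeviceName, InitiatingProcessFileName")


if __name__ == "__main__":
    names, has_empty = aql_to_names(AQL_RULE)
    print("AQL names:", names, "- empty alternative present:", has_empty)
    print("YARA names:", yara_to_names(YARA_RULE))
    print(to_kql(names))
```

Running the extracted names through `kql_matches_regex` with and without the empty alternative is the quick regression check to do before a converted rule goes live.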
We now have a method to efficiently convert a detection rule from a legacy SIEM to one that is compatible with Microsoft Sentinel. The next step is understanding how a user can implement this in Sentinel. It is important to consider that the user may need to acquaint themselves with the new SIEM or hire a contractor. Since a contractor wasn't available, given the circumstances, we decided to ask Security Copilot:
Can you create a change control document that shows the steps required to create the detection rule for the KQL query generated above in sentinel. Also include the required level of access to make such a change. Ensure rollback is included.
Change Control Document: Creating a Detection Rule in Microsoft Sentinel
Change Request Details
- Change Request ID: [To be assigned]
- Change Title: Create Detection Rule for Suspicious Process Execution
- Change Description: Implement a detection rule in Microsoft Sentinel based on the provided KQL query to monitor for suspicious process executions.
Steps to Implement the Change
- Log in to Azure Portal:
  - Navigate to the Azure portal (https://portal.azure.com).
  - Ensure you have the necessary permissions to access Microsoft Sentinel.
- Access Microsoft Sentinel:
  - In the Azure portal, search for "Microsoft Sentinel" and select the appropriate workspace.
- Create a New Analytics Rule:
  - Go to the "Analytics" section in the Microsoft Sentinel workspace.
  - Click on "Create" and select "Scheduled query rule."
- Define Rule Details:
  - Name: Suspicious Process Execution Detection
  - Description: Detects execution of potentially suspicious processes based on the provided KQL query.
  - Severity: High
  - Tactics: Execution
- Set Rule Logic:
  - Query: Copy and paste the following KQL query:
    DeviceProcessEvents | where TimeGenerated >= ago(3d) | where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*' | summarize by InitiatingProcessFileName
  - Query Frequency: 5 minutes
  - Query Period: 3 days
- Set Alert Details:
  - Alert Rule Name: Suspicious Process Execution Detected
  - Description: Alerts when a suspicious process execution is detected.
  - Severity: High
  - Tactics: Execution
- Configure Automated Response (Optional):
  - Add any playbooks or automated responses if required.
- Review and Create:
  - Review the rule configuration.
  - Click "Create" to save and activate the rule.
Required Access Level
- Role: Security Administrator or Sentinel Contributor
- Permissions:
  - Read and write access to Microsoft Sentinel
  - Ability to create and manage analytics rules
Rollback Plan
- Log in to Azure Portal:
  - Navigate to the Azure portal (https://portal.azure.com).
- Access Microsoft Sentinel:
  - In the Azure portal, search for "Microsoft Sentinel" and select the appropriate workspace.
- Delete the Analytics Rule:
  - Go to the "Analytics" section in the Microsoft Sentinel workspace.
  - Locate the "Suspicious Process Execution Detection" rule.
  - Select the rule and click "Delete."
- Verify Deletion:
  - Ensure the rule is no longer listed in the "Analytics" section.
- Document the Rollback:
  - Update the change control document to reflect the rollback action.
Approval
- Change Approver: [To be assigned]
- Approval Date: [To be assigned]
Implementation Date
- Scheduled Date: [To be assigned]
- Implementation Time: [To be assigned]
Rollback Date
- Scheduled Date: [To be assigned]
- Rollback Time: [To be assigned]
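The portal steps in the change control document map directly onto the Sentinel REST API, which is the route the conclusion mentions for creating analytics rules automatically. As an added example that is not from the page, the Python below builds the Scheduled rule body and resource URL for the values given above (5-minute frequency, 3-day period, High severity, Execution tactic) and checks the limits the service enforces before a PUT; the same URL with DELETE is the rollback. Assumptions: the api-version string, the placeholder identifiers and a shortened stand-in query; no network call is made.

```python
API_VERSION = "2023-02-01"   # assumption: a stable Microsoft.SecurityInsights API version

# Values from the change control document; the query is a short constructed
# stand-in for the page's full KQL.
RULE_NAME = "Suspicious Process Execution Detection"
RULE_DESCRIPTION = "Detects execution of potentially suspicious processes based on the provided KQL query."
RULE_QUERY = ('DeviceProcessEvents\n'
              '| where FileName in~ ("certutil.exe", "mshta.exe", "rundll32.exe")\n'
              '| summarize count() by FileName, DeviceName')
QUERY_FREQUENCY_MIN = 5           # "Query Frequency: 5 minutes"
QUERY_PERIOD_MIN = 3 * 24 * 60    # "Query Period: 3 days"


def iso_duration(minutes):
    """Whole minutes as the ISO 8601 duration the API expects: 5 -> PT5M,
    4320 -> P3D, 1590 -> P1DT2H30M."""
    days, rem = divmod(minutes, 1440)
    hours, mins = divmod(rem, 60)
    out = "P" + (f"{days}D" if days else "")
    if hours or mins or not days:
        out += "T" + (f"{hours}H" if hours else "")
        out += f"{mins}M" if mins or not hours else ""
    return out


def scheduled_rule_body(name, description, query, frequency_min, period_min,
                        severity="High", tactics=("Execution",)):
    """Body for PUT .../alertRules/{id}, kind Scheduled. The service rejects a
    frequency under 5 minutes, a period over 14 days or a period shorter than
    the frequency, so fail early. Caveat: a 3-day period run every 5 minutes
    re-evaluates the same events on each run; a period equal to the frequency
    avoids repeat alerts on old events once the rule is live."""
    if frequency_min < 5:
        raise ValueError("query frequency must be at least 5 minutes")
    if period_min > 14 * 1440:
        raise ValueError("query period cannot exceed 14 days")
    if period_min < frequency_min:
        raise ValueError("query period must be at least the query frequency")
    return {
        "kind": "Scheduled",
        "properties": {
            "displayName": name,
            "description": description,
            "severity": severity,
            "enabled": True,
            "query": query,
            "queryFrequency": iso_duration(frequency_min),
            "queryPeriod": iso_duration(period_min),
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "suppressionDuration": "PT5H",
            "suppressionEnabled": False,
            "tactics": list(tactics),
        },
    }


def rule_url(subscription_id, resource_group, workspace, rule_id):
    """One resource URL serves PUT (create), GET (verify) and DELETE (rollback);
    rule_id is a GUID you generate (uuid.uuid4()) and record at creation time
    so the rollback step needs nothing else."""
    return ("https://management.azure.com"
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}"
            f"?api-version={API_VERSION}")


def change_control_rule():
    """The rule exactly as the change control document specifies it."""
    return scheduled_rule_body(RULE_NAME, RULE_DESCRIPTION, RULE_QUERY,
                               QUERY_FREQUENCY_MIN, QUERY_PERIOD_MIN)
```

The caller needs the same rights the document lists (Microsoft Sentinel Contributor on the workspace) and a bearer token for https://management.azure.com; `rule_url("<subscription-ID>", "<ResourceGroup-Name>", "<workspace-name>", rule_id)` gives the target for both the PUT and the rollback DELETE.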
As you can see from the above methods, we now have the option to create a promptbook that can be run manually to efficiently convert AQL and YARA to KQL.
But since we had more time to play with, we decided to see if we could do this task in an automated fashion using Logic Apps.
The first step in this process was to create a simplified promptbook that can later be invoked by a Logic App:
We exported the AQL queries and imported them directly into Watchlists within Sentinel:
Clicking on View logs shows the AQLPayLoad column stored in the _GetWatchlist('AQL2KQL') table:
Although the watchlist is now imported, it will not work on its own, because Sentinel does not understand AQL syntax:
We now need to design a Logic App that performs the conversion directly from the uploaded watchlist; it also has to invoke the relevant promptbook(s) created above:
We now have the option of getting Copilot to carry out the conversion via a Logic App, so in theory we just have to upload the watchlist and let the Logic App do the conversion.
You can download the following from the official Microsoft Security Copilot GitHub repo; thanks to the team for supporting the automated deployment package.
- KQL Migrator Azure Logic App code file: Click here
  - Make sure to replace the following with your tenant's correct information:
    - <subscription-ID>
    - <ResourceGroup-Name>
- Sample AQL queries / YARA rules: Click here
Conclusion and Consideration
- So, we've explored how the Security Copilot Azure Logic App connector and promptbooks bring AI-driven security tooling into existing workflows. The connector not only provides greater customization and smoother system integration but also access to a broader range of ready-made Azure Logic App security integrations. We encourage you to try the Security Copilot Azure Logic App connector in your own security operations.
- While investigating and understanding AQL/YARA we did not leave the Copilot platform; we also found that it can convert STIX II as well.
- You can customize the Logic App by automatically creating the Microsoft Sentinel analytics rules via the API
- If Logic Apps are not suitable, consider adding a step to create control documentation within the promptbook as shown above.
Authors
Hesham Saad - Sr Cybersecurity Global Blackbelt
Hiten Sharma - Sr Cybersecurity Global Blackbelt
Updated Dec 30, 2024
Version 3.0
Microsoft Security Copilot Blog