Security Operations

KQL Migrator powered by Microsoft Security Copilot
Overview

A couple of weeks ago, Hesham and Hiten attended an internal Global Blackbelt summit in Redmond. Unfortunately, we encountered bad weather due to a "Bomb Cyclone", and many people in the Washington State area were left without essential services such as electricity and running water. The Microsoft campus was converted into a temporary relief center, so our sessions for the day were rescheduled. Fortunately, we were staying at a hotel equipped with a backup generator, running water and heating. We borrowed a whiteboard and spent the next few hours discussing migration from third-party solutions, and mainly from other query-based languages, to Microsoft Sentinel / Defender XDR and KQL (Kusto Query Language).

SIEM migrations are always a challenging process that requires meticulous planning and a thorough understanding of the existing setup in the legacy SIEM and of what needs to be migrated to the modern SIEM. Our primary discussion point was how we can efficiently help organizations translate detection rules from query-based languages like AQL (Ariel Query Language) to KQL, and help SOC teams in particular convert their YARA rules and their STIX II and OpenIOC intel to KQL format. We identified the following options:

- Convert AQL to KQL
- Convert YARA to KQL
- Convert STIX II and OpenIOC intel to KQL

These options require specialized skills and can be cumbersome to complete. For the first, the user needs to understand precisely how AQL maps to KQL; the second requires thorough knowledge of the syntax used in YARA rule generation. Both are niche skills. One thing to point out here is that we are not experts in query languages like AQL or in YARA rules; we know how to export the detection rules in CVE format, and our combined knowledge of AQL is limited and would be considered basic at best. We quickly realized that AQL is similar to SQL and consequently to KQL.
We have the following AQL code:

Select sourceip, destinationip, "Process Name"
FROM events
WHERE "Process Name" IMATCHES '.*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*|'
GROUP BY "Process Name", sourceip
LAST 3 DAYS

This query aims to track the use of specific executables for administrative or potentially malicious activities. By grouping results by process name and source IP, it helps detect patterns or anomalies that may indicate security incidents or policy violations.

Using Microsoft Security Copilot

What if we could get Security Copilot to first explain the code and then convert it to Kusto?
We used the following prompt:

/askGPT I am planning a SIEM migration from AQL query based to Microsoft Sentinel KQL. As AQL expert can you create a detailed summary that explains the following AQL query in square brackets [ Select sourceip, destinationip, "Process Name" FROM events WHERE "Process Name" IMATCHES '.*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*|' GROUP BY "Process Name",sourceip LAST 3 DAYS ]

Below is the output:

Detailed Summary of AQL Query Breakdown

Query Overview

The provided AQL query is designed to search for specific process names within event logs and return the source and destination IP addresses associated with those processes.
Here's a detailed breakdown of the query:

AQL Query Breakdown

Select Clause:
- sourceip: The source IP address from which the event originated.
- destinationip: The destination IP address to which the event was directed.
- "Process Name": The name of the process involved in the event.

From Clause:
- events: The dataset or table from which the query is retrieving data.

Where Clause:
- "Process Name" IMATCHES '.*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*': This condition filters events to include only those where the process name matches any of the specified patterns. The IMATCHES operator is used for case-insensitive regular expression matching.
Group By Clause:
- "Process Name", sourceip: The results are grouped by the process name and source IP address.

Time Range:
- LAST 3 DAYS: The query is limited to events that occurred within the last three days.

Summary

This AQL query is designed to identify and group events based on specific process names that are often associated with suspicious or malicious activity. By focusing on these processes, the query helps in monitoring and investigating potential security incidents. The results provide insights into the source and destination IP addresses involved, which can be crucial for further analysis and response. The query returns the process name, source IP, and destination IP for events matching the specified process names, grouped by process name and source IP, within the last three days.

The next step is to see whether Security Copilot can help convert the AQL into something that maps to Microsoft Sentinel's Kusto Query Language. We used the following prompt:

Can you analyze the AQL query above and map it to KQL, it is important to ensure that the mapping directly correlates to the schema in KQL. Can you also show the output of the query in a table.
Present the mappings in a table:

KQL Query and Output

KQL Query Mapping

DeviceProcessEvents
| where TimeGenerated >= ago(3d)
| where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*'
| summarize by InitiatingProcessFileName

Query Output

InitiatingProcessFileName
csc.exe
gpupdate.exe
microsoftedgeupdate.exe
msiexec.exe
schtasks.exe
sc.exe
cscript.exe
rundll32.exe
makecab.exe
route.exe

Row Counts: Total Rows: 10, Displayed Rows: 10
Product: Sentinel

You can download the following from the Microsoft Security Copilot official GitHub repo; thanks to Sean_Wasonga for supporting the automated deployment package.
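As an added example (not the post's code and not the KQL Migrator package linked below), here is a small Python translator for this query shape that makes the mapping decisions explicit: it turns the IMATCHES alternation into a KQL `in~` list (or a cleaned `matches regex`), reports the trailing `|` in the pattern above, which as an empty regex alternative matches every process name, and flags AQL fields such as sourceip and destinationip that have no DeviceProcessEvents column. The COLUMN_MAP, the sample query and the warning texts are assumptions of this example.

```python
import re

# Assumed mapping from AQL field names to DeviceProcessEvents columns.
# "Process Name" in the AQL is the executed process, which is FileName; the
# query generated above used InitiatingProcessFileName, which is the *parent*
# process. The two detect different things, so the choice is made explicit here.
COLUMN_MAP = {"Process Name": "FileName"}

_UNIT = {"DAY": "d", "HOUR": "h", "MINUTE": "m"}

# Only the query shape used in the post:
#   SELECT ... FROM t WHERE "f" IMATCHES '...' [GROUP BY ...] [LAST n DAYS|HOURS|MINUTES]
_AQL_RE = re.compile(
    r"SELECT\s+(?P<select>.+?)\s+FROM\s+(?P<table>\w+)\s+WHERE\s+"
    r'"(?P<field>[^"]+)"\s+IMATCHES\s+\'(?P<regex>[^\']*)\''
    r"(?:\s+GROUP\s+BY\s+(?P<group>.+?))?"
    r"(?:\s+LAST\s+(?P<n>\d+)\s+(?P<unit>DAYS?|HOURS?|MINUTES?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def _split_fields(clause):
    return [f.strip().strip('"') for f in clause.split(",") if f.strip()]


def _alternative_to_literal(alt, warnings):
    """Reduce one '.*name\\.exe.*' alternative to a plain file name, or None."""
    alt = alt.strip()
    if alt == "":
        warnings.append("empty alternative (stray '|') in IMATCHES pattern: "
                        "it matches every process name; dropped")
        return None
    wrapped = re.match(r"^\.\*(?P<body>.+?)\.\*$", alt)
    body = wrapped.group("body") if wrapped else alt
    if re.search(r"(?<!\\)\.", body):
        warnings.append(f"unescaped '.' in {alt!r} treated as a literal dot")
    literal = body.replace(r"\.", ".")
    if re.search(r"[*+?^$\[\]{}()|\\]", literal):
        warnings.append(f"cannot express {alt!r} as a plain literal; review by hand")
        return None
    return literal


def aql_to_kql(aql, exact=True, table="DeviceProcessEvents",
               time_column="TimeGenerated"):
    """Translate the AQL query; returns (kql_text, warnings).

    exact=True  emits `in~`, a case-insensitive match on the whole file name.
    exact=False keeps AQL's substring regex semantics with `matches regex`.
    time_column is TimeGenerated in Sentinel; Defender XDR advanced hunting
    exposes the same table with a Timestamp column instead.
    """
    warnings = []
    m = _AQL_RE.match(aql.strip())
    if not m:
        raise ValueError("query is not the SELECT/WHERE IMATCHES shape handled here")
    aql_field = m.group("field")
    if aql_field not in COLUMN_MAP:
        raise ValueError(f"no column mapping for AQL field {aql_field!r}")
    field = COLUMN_MAP[aql_field]

    literals = []
    for alt in m.group("regex").split("|"):
        lit = _alternative_to_literal(alt, warnings)
        if lit is not None:
            literals.append(lit)
    if not literals:
        raise ValueError("no usable alternatives in IMATCHES pattern")

    # Selected or grouped AQL fields with no mapping are dropped, but loudly.
    group_fields = _split_fields(m.group("group") or "")
    for f in dict.fromkeys(_split_fields(m.group("select")) + group_fields):
        if f not in COLUMN_MAP:
            warnings.append(f"AQL field {f!r} has no {table} mapping; dropped")

    lines = [table]
    if m.group("n"):
        unit = _UNIT[m.group("unit").upper().rstrip("S")]
        lines.append(f"| where {time_column} >= ago({m.group('n')}{unit})")
    if exact:
        quoted = ", ".join(f'"{lit}"' for lit in literals)
        lines.append(f"| where {field} in~ ({quoted})")
    else:
        warnings.append("matches regex keeps AQL substring semantics: a short "
                        "name such as 'te.exe' also matches 'route.exe'")
        pattern = "|".join(lit.replace(".", r"\.") for lit in literals)
        lines.append(f"| where {field} matches regex @'(?i)({pattern})'")
    group_cols = [COLUMN_MAP[f] for f in group_fields if f in COLUMN_MAP]
    if group_cols:
        lines.append("| summarize Events = count() by " + ", ".join(group_cols))
    return "\n".join(lines), warnings


# Constructed sample: a three-name cut of the post's query that keeps the
# trailing '|' and the unescaped dots found in the original pattern.
SAMPLE_AQL = (
    'Select sourceip, destinationip, "Process Name" FROM events '
    'WHERE "Process Name" IMATCHES '
    r"'.*certutil\.exe.*|.*te\.exe.*|.*microsoft.workflow.compiler\.exe.*|' "
    'GROUP BY "Process Name",sourceip LAST 3 DAYS'
)

if __name__ == "__main__":
    kql, notes = aql_to_kql(SAMPLE_AQL)
    print(kql)
    for note in notes:
        print("WARNING:", note)
```

The substring point matters for the output table above: `gpupdate.exe`, `microsoftedgeupdate.exe` and `route.exe` are not in the list, but each contains `te.exe`, so the regex form matches them while the `in~` form does not.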
- KQL Migrator Azure Logic App code file: Click here
  Make sure to replace the following with your tenant's correct information: <subscription-ID>, <ResourceGroup-Name>
- Sample AQL queries / YARA rules: Click here

The extended team highlighted the importance of considering YARA rules for uniformity. Given that expertise in YARA rule generation was lacking, Security Copilot was again consulted:

/askGPT Can you explain what a YARA rule is with an example

A YARA rule is a type of rule used in cybersecurity to identify and classify malware samples. YARA, which stands for "Yet Another Recursive Acronym," is a tool aimed at helping malware researchers identify and classify malware. YARA rules are written in a specific syntax and are used to describe patterns that can be found in files or processes.

Example of a YARA Rule

Here is a simple example of a YARA rule that detects a file containing the string "malicious":

rule ExampleRule
{
    meta:
        description = "This rule detects files containing the string 'malicious'"
        author = "Security Researcher"
        date = "2024-12-09"
    strings:
        $malicious_string = "malicious"
    condition:
        $malicious_string
}

So we have a basic understanding of what a YARA rule is and its typical format. The next step is to see whether we can use Security Copilot to convert the YARA into a KQL rule. We used the following prompt:

As a YARA rule expert, can you take the above KQL query generated and create a KQL rule?
rule Suspicious_Process_Execution
{
    meta:
        description = "Detects execution of potentially suspicious processes"
        author = "Security Analyst"
        date = "2023-10-01"
    strings:
        $atbroker = /(?i).*atbroker\.exe.*/
        $bash = /(?i).*bash\.exe.*/
        $bitsadmin = /(?i).*bitsadmin\.exe.*/
        $certutil = /(?i).*certutil\.exe.*/
        $cmdkey = /(?i).*cmdkey\.exe.*/
        $cmstp = /(?i).*cmstp\.exe.*/
        $control = /(?i).*control\.exe.*/
        $csc = /(?i).*csc\.exe.*/
        $cscript = /(?i).*cscript\.exe.*/
        $dfsvc = /(?i).*dfsvc\.exe.*/
        $diskshadow = /(?i).*diskshadow\.exe.*/
        $dnscmd = /(?i).*dnscmd\.exe.*/
        $esentutl = /(?i).*esentutl\.exe.*/
        $eventvwr = /(?i).*eventvwr\.exe.*/
        $expand = /(?i).*expand\.exe.*/
        $extexport = /(?i).*extexport\.exe.*/
        $extrac32 = /(?i).*extrac32\.exe.*/
        $findstr = /(?i).*findstr\.exe.*/
        $forfiles = /(?i).*forfiles\.exe.*/
        $ftp = /(?i).*ftp\.exe.*/
        $gpscript = /(?i).*gpscript\.exe.*/
        $hh = /(?i).*hh\.exe.*/
        $ie4uinit = /(?i).*ie4uinit\.exe.*/
        $ieexec = /(?i).*ieexec\.exe.*/
        $infdefaultinstall = /(?i).*infdefaultinstall\.exe.*/
        $installutil = /(?i).*installutil\.exe.*/
        $makecab = /(?i).*makecab\.exe.*/
        $reg = /(?i).*reg\.exe.*/
        $print = /(?i).*print\.exe.*/
        $presentationhost = /(?i).*presentationhost\.exe.*/
        $pcwrun = /(?i).*pcwrun\.exe.*/
        $pcalua = /(?i).*pcalua\.exe.*/
        $odbcconf = /(?i).*odbcconf\.exe.*/
        $msiexec = /(?i).*msiexec\.exe.*/
        $mshta = /(?i).*mshta\.exe.*/
        $msdt = /(?i).*msdt\.exe.*/
        $msconfig = /(?i).*msconfig\.exe.*/
        $msbuild = /(?i).*msbuild\.exe.*/
        $mmc = /(?i).*mmc\.exe.*/
        $microsoft_workflow_compiler = /(?i).*microsoft\.workflow\.compiler\.exe.*/
        $mavinject = /(?i).*mavinject\.exe.*/
        $vsjitdebugger = /(?i).*vsjitdebugger\.exe.*/
        $tracker = /(?i).*tracker\.exe.*/
        $te = /(?i).*te\.exe.*/
        $sqltoolsps = /(?i).*sqltoolsps\.exe.*/
        $sqlps = /(?i).*sqlps\.exe.*/
        $sqldumper = /(?i).*sqldumper\.exe.*/
        $rcsi = /(?i).*rcsi\.exe.*/
        $msxsl = /(?i).*msxsl\.exe.*/
        $msdeploy = /(?i).*msdeploy\.exe.*/
        $mftrace = /(?i).*mftrace\.exe.*/
        $dxcap = /(?i).*dxcap\.exe.*/
        $dnx = /(?i).*dnx\.exe.*/
        $csi = /(?i).*csi\.exe.*/
        $cdb = /(?i).*cdb\.exe.*/
        $bginfo = /(?i).*bginfo\.exe.*/
        $appvlp = /(?i).*appvlp\.exe.*/
        $xwizard = /(?i).*xwizard\.exe.*/
        $wsreset = /(?i).*wsreset\.exe.*/
        $wscript = /(?i).*wscript\.exe.*/
        $wmic = /(?i).*wmic\.exe.*/
        $wab = /(?i).*wab\.exe.*/
        $verclsid = /(?i).*verclsid\.exe.*/
        $syncappvpublishingserver = /(?i).*syncappvpublishingserver\.exe.*/
        $scriptrunner = /(?i).*scriptrunner\.exe.*/
        $schtasks = /(?i).*schtasks\.exe.*/
        $sc = /(?i).*sc\.exe.*/
        $runscripthelper = /(?i).*runscripthelper\.exe.*/
        $runonce = /(?i).*runonce\.exe.*/
        $rundll32 = /(?i).*rundll32\.exe.*/
        $rpcping = /(?i).*rpcping\.exe.*/
        $replace = /(?i).*replace\.exe.*/
        $regsvr32 = /(?i).*regsvr32\.exe.*/
        $regsvcs = /(?i).*regsvcs\.exe.*/
        $register_cimprovider = /(?i).*register-cimprovider\.exe.*/
        $regedit = /(?i).*regedit\.exe.*/
        $regasm = /(?i).*regasm\.exe.*/
    condition:
        any of ($atbroker, $bash, $bitsadmin, $certutil, $cmdkey, $cmstp, $control, $csc, $cscript, $dfsvc,
                $diskshadow, $dnscmd, $esentutl, $eventvwr, $expand, $extexport, $extrac32, $findstr, $forfiles, $ftp,
                $gpscript, $hh, $ie4uinit, $ieexec, $infdefaultinstall, $installutil, $makecab, $reg, $print,
                $presentationhost, $pcwrun, $pcalua, $odbcconf, $msiexec, $mshta, $msdt, $msconfig, $msbuild, $mmc,
                $microsoft_workflow_compiler, $mavinject, $vsjitdebugger, $tracker, $te, $sqltoolsps, $sqlps,
                $sqldumper, $rcsi, $msxsl, $msdeploy, $mftrace, $dxcap, $dnx, $csi, $cdb, $bginfo, $appvlp, $xwizard,
                $wsreset, $wscript, $wmic, $wab, $verclsid, $syncappvpublishingserver, $scriptrunner, $schtasks, $sc,
                $runscripthelper, $runonce, $rundll32, $rpcping, $replace, $regsvr32, $regsvcs, $register_cimprovider,
                $regedit, $regasm)
}

KQL Rule Based on YARA Rule

DeviceProcessEvents
| where Timestamp >= ago(3d)
| where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*'
| summarize by InitiatingProcessFileName

We now have a method to efficiently convert a detection rule from a legacy SIEM to one that is compatible with Microsoft Sentinel. The next step is understanding how a user can implement this in Sentinel. It is important to consider that the user may need to acquaint themselves with the new SIEM or hire a contractor. Since a contractor wasn't available, given the circumstances, we decided to ask Security Copilot:

Can you create a change control document that shows the steps required to create the detection rule for the KQL query generated above in sentinel.
Also include the required level of access to make such a change. Ensure rollback is included.

Change Control Document: Creating a Detection Rule in Microsoft Sentinel

Change Request Details
- Change Request ID: [To be assigned]
- Change Title: Create Detection Rule for Suspicious Process Execution
- Change Description: Implement a detection rule in Microsoft Sentinel based on the provided KQL query to monitor for suspicious process executions.

Steps to Implement the Change
- Log in to Azure Portal: Navigate to the Azure portal (https://portal.azure.com). Ensure you have the necessary permissions to access Microsoft Sentinel.
- Access Microsoft Sentinel: In the Azure portal, search for "Microsoft Sentinel" and select the appropriate workspace.
- Create a New Analytics Rule: Go to the "Analytics" section in the Microsoft Sentinel workspace. Click on "Create" and select "Scheduled query rule."
- Define Rule Details:
  - Name: Suspicious Process Execution Detection
  - Description: Detects execution of potentially suspicious processes based on the provided KQL query.
  - Severity: High
  - Tactics: Execution
- Set Rule Logic:
  - Query: Copy and paste the following KQL query:

    DeviceProcessEvents
    | where TimeGenerated >= ago(3d)
    | where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*diskshadow\.exe.*|.*dnscmd\.exe.*|.*esentutl\.exe.*|.*eventvwr\.exe.*|.*expand\.exe.*|.*extexport\.exe.*|.*extrac32\.exe.*|.*findstr\.exe.*|.*forfiles\.exe.*|.*ftp\.exe.*|.*gpscript\.exe.*|.*hh\.exe.*|.*ie4uinit\.exe.*|.*ieexec\.exe.*|.*infdefaultinstall\.exe.*|.*installutil\.exe.*|.*makecab\.exe.*|.*reg\.exe.*|.*print\.exe.*|.*presentationhost\.exe.*|.*pcwrun\.exe.*|.*pcalua\.exe.*|.*odbcconf\.exe.*|.*msiexec\.exe.*|.*mshta\.exe.*|.*msdt\.exe.*|.*msconfig\.exe.*|.*msbuild\.exe.*|.*mmc\.exe.*|.*microsoft.workflow.compiler\.exe.*|.*mavinject\.exe.*|.*vsjitdebugger\.exe.*|.*tracker\.exe.*|.*te\.exe.*|.*sqltoolsps\.exe.*|.*sqlps\.exe.*|.*sqldumper\.exe.*|.*rcsi\.exe.*|.*msxsl\.exe.*|.*msdeploy\.exe.*|.*mftrace\.exe.*|.*dxcap\.exe.*|.*dnx\.exe.*|.*csi\.exe.*|.*cdb\.exe.*|.*bginfo\.exe.*|.*appvlp\.exe.*|.*xwizard\.exe.*|.*wsreset\.exe.*|.*wscript\.exe.*|.*wmic\.exe.*|.*wab\.exe.*|.*verclsid\.exe.*|.*syncappvpublishingserver\.exe.*|.*scriptrunner\.exe.*|.*schtasks\.exe.*|.*sc\.exe.*|.*runscripthelper\.exe.*|.*runonce\.exe.*|.*rundll32\.exe.*|.*rpcping\.exe.*|.*replace\.exe.*|.*regsvr32\.exe.*|.*regsvcs\.exe.*|.*register-cimprovider\.exe.*|.*regedit\.exe.*|.*regasm\.exe.*'
    | summarize by InitiatingProcessFileName

  - Query Frequency: 5 minutes
  - Query Period: 3 days
- Set Alert Details:
  - Alert Rule Name: Suspicious Process Execution Detected
  - Description: Alerts when a suspicious process execution is detected.
  - Severity: High
  - Tactics: Execution
- Configure Automated Response (Optional): Add any playbooks or automated responses if required.
- Review and Create: Review the rule configuration.
  Click "Create" to save and activate the rule.

Required Access Level
- Role: Security Administrator or Sentinel Contributor
- Permissions: Read and write access to Microsoft Sentinel; ability to create and manage analytics rules

Rollback Plan
- Log in to Azure Portal: Navigate to the Azure portal (https://portal.azure.com).
- Access Microsoft Sentinel: In the Azure portal, search for "Microsoft Sentinel" and select the appropriate workspace.
- Delete the Analytics Rule: Go to the "Analytics" section in the Microsoft Sentinel workspace. Locate the "Suspicious Process Execution Detection" rule. Select the rule and click "Delete."
- Verify Deletion: Ensure the rule is no longer listed in the "Analytics" section.
- Document the Rollback: Update the change control document to reflect the rollback action.

Approval
- Change Approver: [To be assigned]
- Approval Date: [To be assigned]

Implementation Date
- Scheduled Date: [To be assigned]
- Implementation Time: [To be assigned]

Rollback Date
- Scheduled Date: [To be assigned]
- Rollback Time: [To be assigned]

As you can see, with the above methods we now have the option to create a promptbook which can be run manually to efficiently convert AQL to either KQL or YARA. But since we had more time to play with, we decided to see whether we could do this task in an automated fashion using Logic Apps. We exported the AQL queries and imported them directly into Watchlists within Sentinel. Clicking on "View logs" shows the AQLPayLoad stored in the _GetWatchlist('AQL2KQL') table. Although the watchlist is now imported, it simply will not work as-is, because Sentinel does not understand AQL syntax. We now have the option of getting Copilot to carry out the conversion via a Logic App, so in theory we just have to upload the watchlist and let the Logic App do the conversion.

Conclusion and Consideration

So, we've explored how the Security Copilot Azure Logic App connector and Promptbooks revolutionize the integration of AI-driven security solutions into current workflows.
This tool not only provides greater customization and smoother system integration but also access to a broader range of ready-made Azure Logic Apps integrations with security tools. We encourage you to experience the efficiency of the Security Copilot Azure Logic App connector in enhancing your security operations.

- Whilst investigating and understanding AQL/YARA we did not leave the Copilot platform.
- You can customize the Logic App to create the Microsoft Sentinel analytics rules automatically via the API.
- If Logic Apps are not suitable, consider adding a step to create change control documentation within the promptbook.

Authors
Hesham Saad - Sr Cybersecurity Global Blackbelt
Hiten Sharma - Sr Cybersecurity Global Blackbelt

Leveraging ASIM-based KQL plugins in Microsoft Security Copilot for investigation scenarios
Microsoft Security Copilot enhances the capabilities of Microsoft Sentinel by providing an AI-driven assistant that can help interpret complex hunting query outputs in Log Analytics. One of the standout features of Security Copilot is its support for KQL-based custom plugins, which put the power of customization in customers' hands by allowing them to leverage new or existing hunting queries to bring additional context into Security Copilot sessions. ASIM-based queries further strengthen this value proposition by building detection logic on top of normalized, source-agnostic data.

Advanced Security Information Model (ASIM)

In the ever-evolving landscape of cybersecurity, the need for robust and adaptable security models is paramount. Microsoft Sentinel's Advanced Security Information Model (ASIM) is designed to address this need by providing a comprehensive framework for normalizing and analyzing security data across various sources.

Key Benefits of ASIM
- Cross-Source Detection: ASIM enables the creation of analytics rules that work across multiple data sources, allowing for comprehensive threat detection. For example, it can detect brute force attacks across on-premises and cloud systems. In this scenario we are tapping into the Network Session schema, which brings together data from up to 16 distinct sources, such as Palo Alto, Cisco, Fortinet, Check Point and Zscaler among others.
- Source-Agnostic Content: Content created using ASIM automatically applies to any source that supports the model, even if the source is added after the content is created. This makes the solution more durable, as an enterprise organization can add more security solutions while leveraging the same queries.
- Simplified Querying: By using ASIM views in queries, users can ensure they are querying all relevant normalized information in a consistent and well-documented schema.
- Support for custom logs: ASIM makes it possible to support custom logs in built-in content.
  This means that an ASIM-based KQL plugin will support any source that you normalize, without the need to modify the plugin.

Leveraging Security Copilot with ASIM-based KQL Custom Plugins

One of the key benefits of ASIM is that it allows us to build detection or hunting queries that are source-agnostic. For example, by building a rule on the Network Session schema of ASIM, we can unify alerts from as many normalized sources as are present into just one rule, making the building, usage and maintenance of the rule much more efficient. In this scenario we are leveraging a rule based on the Network Session schema to investigate potential beaconing activity, ingest filtered events into Security Copilot and correlate those events with additional first- and third-party data to help reach a verdict in an investigation. By using custom plugins, Security Copilot can automate the interpretation of complex investigation tasks by contributing AI insights across the process, leading to a quicker and better reasoned conclusion, especially for less experienced analysts.

Sample ASIM query to detect network beaconing activity

In this instance the raw query output is relatively complex to decipher and requires the analyst to dig into the details of the output to reach a conclusion about what it indicates, or why the results may indicate suspicious activity.

Security Copilot to the rescue

When Security Copilot is brought into the picture, it can quickly analyze the above output and present a verdict and an explanation that is easy and quick to comprehend. Let's see how. To conduct the investigation, we step through this promptbook while highlighting the prompts that collectively augment the analyst during the investigation:

1. As a first step, the threat analyst will want to retrieve the data from Sentinel to investigate its details. This can be in a threat hunting or incident investigation scenario.
2. The second prompt returns the AI-generated verdict and explanation of the query output.
3. Device investigation: in this step we identify the source device using the ASIM query and investigate it for its posture and any relevant suspicious activity.
4. Finally, Security Copilot stitches together all the findings correlated from multiple sources and, following the summarization prompt, produces the output below.

Session Summary from final prompt

Investigation Summary

Network Beaconing Activity Detected: Potential network beaconing activity over the past 7 days.
- Details: Regular communication between 172.31.44.214 and 40.78.253.213 with a frequent time delta of 60 seconds.
- Beacon Percentages: High, often close to or at 100%.
- MITRE Tactics and Techniques:
  - Tactic: Command and Control
  - Techniques: T1071 - Application Layer Protocol; T1571 - Non-Standard Port

Destination IP Information
- IP Address: 40.78.253.213
- Organization: Microsoft Corporation
- Location: Moses Lake, Washington, US
- Potential Risks: Despite being associated with a reputable organization, the regular communication pattern suggests potential C2 activity.

Device Information
- Device Name: EC2AMAZ-9MDSBS4
- Operating System: Windows 10.0.20348.2031
- Management State: Managed
- Compliance State: Unknown
- Manufacturer: Xen
- Model: HVM domU
- Device Registration State: Registered
- Rare Processes Executed: No rare processes executed on the device over the past 7 days.

Opinion and Recommendations

Further Investigation Needed: Yes, further investigation is needed due to the following reasons:
- Suspicious Network Activity: The regular and frequent communication pattern between the source and destination IPs is indicative of potential beaconing activity, which is a common sign of a compromised system communicating with a C2 server.
- Unknown Compliance State: The compliance state of the device is unknown, which raises concerns about whether the device adheres to security policies and standards.
Areas to Focus On
- Network Traffic Analysis: Conduct a deeper analysis of the network traffic to confirm the nature of the communication and identify any additional indicators of compromise.
- Device Compliance Check: Verify the compliance state of the device and ensure it meets all security policies and standards.
- Endpoint Security: Investigate the endpoint security measures in place on the device to detect and mitigate any potential threats.

These steps are crucial to ensure the security and integrity of the network and devices involved.

Tip

Even though the query behind the first prompt is hardcoded, the flexibility of AI allows us to ask ad hoc questions without altering the KQL query that retrieves the original records. For example, the initial prompt can be modified to meet slightly different retrieval criteria, as shown below:

[Screenshot: Query parameters can be altered in natural language without modifying the underlying KQL query]

Conclusion

In this scenario we see how Security Copilot addresses the challenge of tool fragmentation and Mean Time to Resolution by bringing together insights from multiple sources, cutting across first-party, third-party and custom plugins, adding AI enrichment and providing a recommendation, all in a little over two and a half minutes. Try out the solution and let us have your feedback on how we can make it better.

Plugin manifests

The custom plugins used in this scenario can be found in our official GitHub repo under the following links. Feel free to reuse these plugins or adapt them to your specific requirements.
- ASIM plugin
- Rare process plugin

Additional resources
- Normalization and the Advanced Security Information Model (ASIM) | Microsoft Learn
- Kusto Query Language (KQL) plugins in Microsoft Security Copilot | Microsoft Learn
- What's New: Introducing Microsoft Sentinel Network Session Essentials solution | Microsoft Community Hub
- Microsoft Security Copilot in Microsoft Defender Threat Intelligence - Microsoft Defender | Microsoft Learn

Use LogicApps and Copilot for Security to auto-process ISAC Emails
An Information Sharing and Analysis Center (ISAC) is an organization that provides a central resource for gathering information on threats to critical infrastructure and plays a critical role in safeguarding industries from emerging threats. By bridging the gap between the private and public sectors, ISACs provide timely and actionable intelligence on vulnerabilities that impact critical infrastructure. However, manually processing ISAC threat bulletins can be overwhelming and slow, leaving security teams scrambling to respond in time. This document explores how leveraging automation through Logic Apps and Microsoft's Copilot for Security can streamline ISAC email processing, empowering organizations to respond to vulnerabilities faster and more effectively.

How to Become a Microsoft Security Copilot Ninja: The Complete Level 400 Training
Learn how to become a Microsoft Security Copilot (Copilot) Ninja! This blog will walk you through the resources you'll need to master and make best use of Microsoft's Security Copilot product!

Use Azure DevOps to manage Sentinel for MSSPs and Multi-tenant Environments
Automate Sentinel resource deployment in multi-tenant scenarios using Azure DevOps and Sentinel Repositories. Enable version control, collaboration, and streamlined updates for consistent and secure configurations.

Identity forensics with Copilot for Security Identity Analyst Plugin
Microsoft Copilot for Security is a platform that brings together the power of AI and human expertise to help administrators and security teams respond to attacks faster and more effectively. Copilot for Security is embedded in Microsoft Entra so you can investigate and resolve identity risks, assess identities and access with AI-driven intelligence, and complete complex tasks quickly. Microsoft Copilot in Microsoft Entra gets insights from your Microsoft Entra users, groups, sign-in logs, audit logs, and more. You can explore sign-ins and risky users and get contextualized insights on how to resolve incidents and what to do to protect the accounts in natural language. Built on top of real-time machine learning, Copilot in Microsoft Entra can help you find gaps in access policies, generate identity workflows, and troubleshoot faster. You can also unlock new skills that allow admins at all levels to complete complex tasks such as incident investigation, sign-in log analysis, and more, to gain savings in time and resources.