User Profile
akshay25june
Copper Contributor
Joined 6 months ago
Recent Discussions
Sysmon /operational is not in Event table

Hi Team, I need to create a use case based on Sysmon/Operational with Event ID = 1. But Sysmon is not configured. The use case is based on process. It is a GitHub use case. I need to create it with the help of the Defender table.

Windows Binaries Lolbins Renamed KQL:

Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==1
| parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
| where OriginalFileName has_any (procList) and not (Image has_any (procList))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
| extend HostName = iif(Computer has '.', substring(Computer, 0, indexof(Computer, '.')), Computer), DnsDomain = iif(Computer has '.', substring(Computer, indexof(Computer, '.') + 1), '')

Now the same use case needs to be configured with the help of the Defender table "DeviceProcessEvents". But I don't know how to find out the Image information which is in the Event table.

Auto Disabled (Rule Name)

Hi Team, One of my scheduled rules was auto-disabled 2 days ago (31-Aug) and is showing: "The alert rule was disabled due to too many consecutive failures. Reason: The query was blocked as it was consuming too many resources." When I tried to re-enable it, it showed: "Failed to save analytics rule 'rule name'. Conflict: Newer instance of rule 'ID' exists for workspace 'workspace id' (Etag does not match). Data was not saved." I made some changes in the KQL but it still shows the same message. Can someone help me find a solution?

watchlist with contains

Hi Team, can someone help me? I have a list of dynamic DNS domains and am running KQL against the _Im_Dns table. I have created a watchlist of domains and applied it to the _Im_Dns table. So I am getting a result only if there is an exact match in the DnsQuery column. For example, if microsoft.com is a dynamic domain in my watchlist, then it gets a result only when the DnsQuery column has microsoft.com. But my concern is that I want to get a result if the DnsQuery column has xyz.microsoft.com.Abc.

let DynamicDns = _GetWatchlist('dynamic_dns') | project SearchKey;
_Im_Dns
| where DnsQuery in~ (DynamicDns)

My watchlist has 30k+ dynamic DNS domains. Kindly suggest.

Need some KQL for DNS

I need a few KQL queries for the use cases below; the tables are _Im_Dns and ASimDnsActivityLogs.

Monitor DNS for Brand Abuse - This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.

DNS Query Length with high standard deviation - The following analytic identifies DNS queries with unusually large lengths by computing the standard deviation of query lengths and filtering those exceeding twice the standard deviation. It leverages DNS query data from the Network_Resolution data model, focusing on the length of the domain names being resolved. This activity is significant as unusually long DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to stealthily transfer data or maintain persistent communication channels within the network.

Detect Long DNS TXT Record Response - This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, Command and Control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.

Large Volume of DNS ANY Queries - The following analytic identifies a large volume of DNS ANY queries, which may indicate a DNS amplification attack. It leverages the Network_Resolution data model to count DNS queries of type "ANY" directed to specific destinations. This activity is significant because DNS amplification attacks can overwhelm network resources, leading to Denial of Service (DoS) conditions. If confirmed malicious, this activity could disrupt services, degrade network performance, and potentially be part of a larger Distributed Denial of Service (DDoS) attack, impacting the availability of critical infrastructure.

Help to write KQL for some of the use case

Hi Team, Please help me to write KQL for the scenarios below. Log sources are Palo Alto, Check Point, F5, Citrix, Akamai, Vectra, Oracle and Linux.

Use case - Source sending more events than usual
Description - This correlation search identifies source hosts sending more data than usual. The search runs against data from the last 7 days, and compares only the same hour of the last 7 days (this helps avoid alerts at the beginning of business hours). The threshold is the sum of the average events plus the standard deviation of the source times 3.

Use case - Unexpected Host Reporting events
Description - Discovers hosts that are reporting events but are not on the expected reporting host list in Sentinel. This rule is used to monitor hosts that are not expected.

Use case - New User Account Created on multiple Hosts
Description - Alerts when numerous new accounts are created for a username account on multiple hosts.

Note: All of the above use cases are deployed in Splunk and need to be migrated to Sentinel.
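For the first discussion above (Sysmon Event ID 1 renamed-binary detection ported to DeviceProcessEvents), an added example that is not from the original post or from the GitHub rule it refers to; it assumes the standard DeviceProcessEvents schema, and procList is a constructed sample list standing in for the rule's real one.

```kql
// Added example: Sysmon Event ID 1 "renamed LOLBin" logic on DeviceProcessEvents.
// Field mapping assumed (Sysmon -> DeviceProcessEvents):
//   Image             -> FolderPath (full path) / FileName (name only)
//   OriginalFileName  -> ProcessVersionInfoOriginalFileName (PE version resource)
//   Description       -> ProcessVersionInfoFileDescription
//   CommandLine       -> ProcessCommandLine
//   User              -> AccountDomain / AccountName
//   ParentImage       -> InitiatingProcessFolderPath
//   ParentCommandLine -> InitiatingProcessCommandLine
//   Hashes            -> SHA256 / SHA1 / MD5
//   Computer          -> DeviceName
// procList is a constructed sample; substitute the full list from the GitHub rule.
let procList = dynamic(["cmd.exe", "powershell.exe", "rundll32.exe",
                        "regsvr32.exe", "mshta.exe", "certutil.exe"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Binaries without a version resource have an empty original name; skip them
| where isnotempty(ProcessVersionInfoOriginalFileName)
// The embedded original name is a watched binary, but the on-disk name is not
| where ProcessVersionInfoOriginalFileName has_any (procList)
| where not (FileName has_any (procList))
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp)
    by DeviceName, AccountDomain, AccountName,
       ParentImage = InitiatingProcessFolderPath,
       ParentProcessId = InitiatingProcessId,
       ParentCommandLine = InitiatingProcessCommandLine,
       ParentUser = InitiatingProcessAccountName,
       Image = FolderPath, ProcessId,
       CommandLine = ProcessCommandLine,
       Description = ProcessVersionInfoFileDescription,
       OriginalFileName = ProcessVersionInfoOriginalFileName,
       SHA256
// Same host/domain split as the Sysmon version, applied to DeviceName
| extend HostName = iif(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName),
         DnsDomain = iif(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), '')
```

The Image value the post asks about corresponds to FolderPath; FileName holds only the executable name, which is what the rename check compares against.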