6. KQL for Threat Hunting
This blog post delves into the practical application of KQL for threat hunting in cybersecurity. It explores how KQL can be utilized to enhance the speed and precision of threat detection and response within Security Operations Centers. Highlighting its versatility and effectiveness, the post offers insights into leveraging KQL to improve data analysis and bolster overall security operations.
Agenda:
Introduction
Why is KQL a good fit for Threat Hunting?
What are the benefits
My recommendations
Conclusion
Introduction
In the rapidly evolving landscape of cybersecurity, speed and precision are paramount. Security Operations Centers (SOCs) are under constant pressure to detect and respond to incidents quickly to mitigate potential damage. One powerful tool that enhances the ability to perform effective threat hunting and incident detection is KQL. This post will delve into how KQL can be leveraged for threat hunting, focusing on its role in enhancing speed, data analysis, and overall security operations.
Why is KQL a good fit for Threat Hunting?
The reasons KQL is a fantastic tool for threat hunting are manifold, making it an indispensable asset for modern security operations. Its versatility and power lie in the following key attributes:
Flexibility and Customization: KQL allows security analysts to craft highly customizable queries that can be tailored to the specific needs of their organization. Whether it’s searching for particular patterns in network traffic or analyzing user activity logs, KQL’s flexibility ensures that no stone is left unturned.
Real-time Monitoring: One of the standout features of KQL is its ability to facilitate real-time monitoring. By setting up continuous queries and alerts, SOC teams can stay ahead of potential threats, ensuring immediate action is taken as soon as suspicious activities are detected.
Integration with Other Tools: KQL seamlessly integrates with an array of Microsoft and third-party security tools, enhancing its utility and making it a central component of a comprehensive security strategy. This interoperability ensures that different data sources and security measures work in concert for maximum effectiveness.
Cost Efficiency: Utilizing KQL for threat hunting can also be cost-effective. Its ability to quickly and accurately identify threats reduces the time and resources spent on manual investigation, leading to overall cost savings for the organization.
KQL Examples of Threat Hunting
Detecting Logins from Unusual Locations
Use Case: This query helps identify logins from locations that are considered unusual for your organization, which could indicate a potential compromise.
I start by filtering out logins from the locations we normally use:
AADSignInEventsBeta
// Adjust this list to the countries your organization normally signs in from
| where Country !in ('DK','SE','UK','NO','GB','FI','AT','NL','DE','JE','PL','GL','FR','ES','IE','PT')
| summarize count() by Country
After that I look at specific countries that I would not normally expect my users to sign in from:
AADSignInEventsBeta
| where Country in ('PH','MT','MX')
| summarize count() by AccountUpn, Country
Then I dig deeper into a specific user if I need to figure out where they normally log in from:
AADSignInEventsBeta
| where AccountUpn contains "stev"
| summarize count() by Country
Then I go deeper into a specific country for that user to see what they did from there. I first look at Application, DeviceName, OSPlatform, DeviceTrustType, IsManaged, IsCompliant and UserAgent, and afterwards remove the project line to get the full log:
AADSignInEventsBeta
| where AccountUpn contains "stev"
| where Country contains "MX"
| project Application, DeviceName, OSPlatform, DeviceTrustType, IsManaged, IsCompliant, UserAgent
Now you have an idea how you can start widely and narrow it down step by step.
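The steps above compare sign-ins against one org-wide allowlist. The following query, an added example that is not from the original post, generalizes this into a per-user baseline: it learns the countries each account has successfully signed in from over the past 30 days and flags recent sign-ins from any other country, already projected with the device-trust fields used in the last step. It assumes the AADSignInEventsBeta schema used above (Timestamp, ErrorCode, Application, DeviceName, DeviceTrustType, IsManaged, IsCompliant).

```kql
// Added example (not from the original post): per-user country baseline instead of a fixed allowlist.
// Assumes the AADSignInEventsBeta schema; ErrorCode == 0 marks a successful sign-in.
let lookback = 30d;   // window used to learn each account's usual countries
let recent = 1d;      // window being hunted
// Countries each account has successfully signed in from during the baseline window
let baseline =
    AADSignInEventsBeta
    | where Timestamp between (ago(lookback) .. ago(recent))
    | where ErrorCode == 0
    | summarize KnownCountries = make_set(Country) by AccountUpn;
// Recent successful sign-ins from a country that is not in that account's baseline
AADSignInEventsBeta
| where Timestamp > ago(recent)
| where ErrorCode == 0
| join kind=inner (baseline) on AccountUpn
| where not(set_has_element(KnownCountries, Country))
| summarize SignIns = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Apps = make_set(Application),
            Devices = make_set(DeviceName),
            UserAgents = make_set(UserAgent)
          by AccountUpn, Country, KnownCountries, DeviceTrustType, IsManaged, IsCompliant
| order by SignIns desc
```

Accounts with no successful sign-in in the baseline window (new hires, dormant accounts) drop out of the inner join, so review those separately rather than assuming they are clean.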
Detecting Nation-State Threat Actors
Use Case: This Sentinel detection KQL query can identify nation-state attacks and provide detailed information about the threat actor using Behavior Analytics threat intelligence. By enabling this KQL query, you will receive notifications when a nation-state threat actor targets your environment and obtain additional information about the specific threat actor.
let NationStateIP =
SigninLogs
| where TimeGenerated > ago(1h)
| where RiskEventTypes_V2 has "estsNationStateIP"
| project IPAddress;
BehaviorAnalytics
| where SourceIPAddress has_any(NationStateIP)
| project TimeGenerated, UserPrincipalName, ActivityType,
SourceIPAddress, SourceIPLocation, DevicesInsights.ThreatIntelIndicatorDescription
Thank you Steven Lim for allowing me to use your queries as examples here.
Malicious FIDO2 Registration Threat Detection
Use Case: If a user account is compromised, a threat actor may register a passkey for persistent access. Even if the password is reset, the passkey allows continued malicious activity. Audit logs can help identify the IP address used for passkey registration and correlate it with threat intelligence from BehaviorAnalytics to detect potential FIDO2 passkey abuse.
let PasskeyAuthenticatorIP =
AuditLogs
| where ResultDescription contains "User registered Fido2 Authentication Method"
| extend AuthenticatorIP = tostring(InitiatedBy.user.ipAddress)
| distinct AuthenticatorIP;
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = DevicesInsights.ThreatIntelIndicatorDescription
| where isnotempty(ThreatIntelIndicatorDescription)
| where SourceIPAddress has_any(PasskeyAuthenticatorIP)
Thank you Steven Lim for allowing me to use your queries as examples here.
This query looks for one very specific thing. It is included to show that you can either build a hunt from the bottom up, as in the first example, or be 100% specific from the beginning.
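The passkey query above returns the BehaviorAnalytics rows for flagged IPs but not which account registered the passkey or when. The following added example, which is not one of Steven Lim's queries, joins the two sides so each registration is listed next to the account that made it and the threat-intel descriptions seen for the same source IP. It assumes the Sentinel AuditLogs and BehaviorAnalytics schemas used above, including InitiatedBy.user.userPrincipalName in AuditLogs.

```kql
// Added example (not from the original post): passkey registrations joined to threat-intel hits by source IP.
// Assumes the Sentinel AuditLogs and BehaviorAnalytics schemas used in the query above.
let lookback = 30d;
// Every FIDO2 registration in the window, with who registered it and from which IP
let Registrations =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where ResultDescription contains "User registered Fido2 Authentication Method"
    | extend RegisteredBy = tostring(InitiatedBy.user.userPrincipalName),
             AuthenticatorIP = tostring(InitiatedBy.user.ipAddress)
    | where isnotempty(AuthenticatorIP)
    | project RegisteredAt = TimeGenerated, RegisteredBy, AuthenticatorIP, CorrelationId;
// Source IPs that carry a threat-intel description, collapsed to one row per IP
let FlaggedIPs =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | extend ThreatIntelIndicatorDescription = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
    | where isnotempty(ThreatIntelIndicatorDescription)
    | summarize Descriptions = make_set(ThreatIntelIndicatorDescription),
                FirstFlagged = min(TimeGenerated),
                LastFlagged = max(TimeGenerated)
              by AuthenticatorIP = SourceIPAddress;
// Only registrations whose source IP has a threat-intel hit survive the inner join
Registrations
| join kind=inner (FlaggedIPs) on AuthenticatorIP
| project RegisteredAt, RegisteredBy, AuthenticatorIP, Descriptions, FirstFlagged, LastFlagged, CorrelationId
| order by RegisteredAt desc
```

A hit here is a reason to review the registration with the user and, if it was not theirs, remove the authentication method and investigate the account rather than only resetting the password.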
What are the Benefits?
The benefits of utilizing KQL for threat hunting are numerous and impactful, offering significant advantages to security operations centers (SOC) and cybersecurity teams. Here are some of the key benefits elaborated in detail:
Enhanced Detection Speed
With KQL, security analysts can formulate efficient queries that process and analyze large volumes of data rapidly. This enhanced speed is crucial in threat hunting as it allows for the timely identification of potential threats. Quick detection is essential in mitigating risks and initiating prompt responses to security incidents, thereby minimizing damage and downtime.
Comprehensive Data Analysis
KQL’s robust data analysis capabilities enable detailed examination of diverse data types, including logs, network traffic, and user activities. This comprehensive analysis helps uncover hidden threats that might otherwise go unnoticed. By scrutinizing vast datasets, analysts can identify subtle signs of malicious behavior and anomalous patterns indicative of potential security breaches.
Improved Incident Detection
By leveraging KQL, SOC teams can create complex and sophisticated queries that detect nuanced attack patterns and behaviors. This leads to more accurate and reliable incident detection, reducing the likelihood of false positives and ensuring that genuine threats are identified and addressed swiftly. The precision offered by KQL enhances the overall effectiveness of threat hunting efforts.
Scalability
KQL is designed to handle large-scale data environments, making it ideal for organizations that manage substantial volumes of security-related data. Its scalability ensures that as the data grows, KQL’s performance and efficiency remain robust. This capability is particularly beneficial for large enterprises and institutions with extensive data infrastructures.
Enhanced Collaboration
Utilizing KQL fosters better collaboration within the SOC by enabling the sharing of queries and insights among team members. This collective knowledge and teamwork significantly enhance the team’s overall threat-hunting proficiency. By working together and leveraging shared resources, security analysts can develop more effective strategies and improve the organization’s defensive posture.
In conclusion, KQL is not just a tool but a strategic advantage in the ever-evolving battle against cyber threats. Its combination of speed, flexibility, and integration capabilities makes it an essential component for any SOC aiming to stay ahead of malicious actors and safeguard their digital assets effectively.
My Recommendations
When utilizing KQL for threat hunting, consider the following best practices to maximize its effectiveness:
Develop a Library of Queries: Create a repository of common queries that can be reused and adapted. This will save time and ensure consistency in threat detection efforts.
Regularly Update Queries: Threat landscapes evolve rapidly, and so should your queries. Regularly review and update your KQL queries to reflect the latest threats and attack techniques.
Leverage Advanced Features: Make use of KQL’s advanced features such as machine learning integration, anomaly detection, and time-series analysis to enhance your threat-hunting capabilities.
Collaborate and Share Insights: Encourage collaboration within your SOC by sharing effective queries and insights. This collective knowledge can significantly enhance your team’s overall threat-hunting proficiency.
Conclusion
In conclusion, KQL is an indispensable tool for modern threat hunting, offering speed, accuracy, and scalability. By incorporating KQL into your security operations, you can significantly enhance your ability to detect and respond to incidents, ensuring a robust defense against sophisticated cyber threats. Remember to continually refine your queries, leverage advanced features, and collaborate with your team to stay ahead in the ever-changing cybersecurity landscape.