Security, Reverse Engineering, Cloud and Code

KQL For Security

Revx0r
October 25, 2022

Kusto Query Language (KQL) can be used for all kinds of security shenanigans. It is most often associated with incident response and threat hunting, but it can be leveraged in different ways for different needs.

I use KQL often and while I am definitely not a pro, I am on a never-ending journey to get better with it. I am going to be continuously dumping and updating resources, queries, tips, etc. in here so that you can leverage them for your different security needs.

KQL Query Goodies

Using Lists to query against

let interestingCmds = dynamic([@"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", @"C:\Windows\System32\cscript.exe", "cmd"]);
SecurityEvent
| where ParentProcessName in~ (interestingCmds)
| take 20

in~ is a case-insensitive match of the whole value against each element of the list, so the last entry ("cmd") only matches a ParentProcessName that is exactly "cmd", not C:\Windows\System32\cmd.exe. When you want to match on the file name rather than the full path, use has_any:

let interestingCmds = dynamic([@"powershell.exe", @"cscript.exe", "cmd"]);
SecurityEvent
| where Process has_any (interestingCmds)
| take 20
| project Account, AccountType, Computer, Activity, CommandLine, FileHash, FilePath, NewProcessName, ParentProcessName, Process
  • has_any matches whole terms (case-insensitive), not arbitrary substrings: "cmd" matches "cmd.exe", but "shell" would not match "powershell.exe". Use contains (or contains_cs for case-sensitive) when you really need substring matching.
  • project keeps only the specified column(s)
  • project-away excludes the specified column(s)
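The three list/string matching operators side by side, as an added example that is not code from the original post. It runs on a handful of constructed rows built with datatable (shaped like the SecurityEvent columns used above) so you can paste it into any Log Analytics or Kusto query window without a workspace; the computer names, accounts and command lines are made up.

```kql
// Added example, not code from the original post: constructed process-creation
// rows shaped like the SecurityEvent columns used above, so the query runs on
// its own without a workspace.
let SampleEvents = datatable(Computer:string, Account:string, ParentProcessName:string, Process:string, CommandLine:string)
[
    "WS01", @"CORP\alice", @"C:\Windows\explorer.exe",                                     "cmd.exe",        @"cmd.exe /c whoami",
    "WS01", @"CORP\alice", @"C:\Windows\System32\cmd.exe",                                 "powershell.exe", @"powershell.exe -windowstyle hidden -file C:\hax.ps1",
    "WS02", @"CORP\bob",   @"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cscript.exe",    @"cscript.exe //nologo C:\Users\bob\AppData\Local\Temp\inv.vbs",
    "WS02", @"CORP\bob",   @"C:\Windows\System32\svchost.exe",                             "wmiprvse.exe",   @"C:\Windows\System32\wbem\wmiprvse.exe -Embedding",
    "WS03", @"CORP\svc",   @"C:\Windows\System32\services.exe",                            "svchost.exe",    @"svchost.exe -k netsvcs"
];
// Full paths for in~ (whole value, case-insensitive): the lower-case winword.exe still matches WINWORD.EXE.
let interestingParents = dynamic([@"C:\Windows\System32\cmd.exe", @"C:\Program Files\Microsoft Office\root\Office16\winword.exe"]);
// Terms for has_any: "cmd" matches "cmd.exe" (a whole term); "shell" does NOT match "powershell.exe".
let interestingCmds = dynamic(["powershell.exe", "cscript.exe", "cmd", "shell"]);
union
    (SampleEvents | where ParentProcessName in~ (interestingParents) | extend Matched = "1: in~ on ParentProcessName"),
    (SampleEvents | where Process has_any (interestingCmds)          | extend Matched = "2: has_any on Process"),
    (SampleEvents | where CommandLine contains "hidden"              | extend Matched = "3: contains on CommandLine")
| project Matched, Computer, Account, Process, ParentProcessName, CommandLine
| project-away ParentProcessName          // drop a column once it has done its job in the filter
| order by Matched asc, Computer asc
```

Expect six rows: the in~ branch returns the two rows whose parent is exactly cmd.exe or WINWORD.EXE, the has_any branch returns cmd.exe, powershell.exe and cscript.exe (the "shell" entry contributes nothing), and the contains branch returns only the command line with "hidden" in it.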

Search for a string in any of the columns

search in (SecurityEvent) "powershell"
| take 10

search scans every column of the listed table(s) for the term, so it is handy for a first look at unfamiliar data but expensive at scale; constrain it with a time window (| where TimeGenerated > ago(1h)) and switch to a column-specific where once you know which column holds the value.

Interpret a string as JSON

Using the parse_json() function, we can convert a string into a dynamic value so we can work with the JSON object(s): walk nested properties with dot or bracket notation and expand arrays with mv-expand. Cast the pieces you pull out (tostring(), toint(), todatetime()) before comparing or aggregating on them.
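A worked parse_json() query, added here and not part of the original post. The RawJson column and its five rows are constructed with datatable to look like a custom log that carries a JSON payload as a string; the user names, IPs and the deliberately broken last row are made up.

```kql
// Added example, not code from the original post: constructed rows whose
// RawJson column holds a JSON payload as a string, the shape you get from a
// custom log or a Properties column before it is parsed.
let RawLogins = datatable(TimeGenerated:datetime, RawJson:string)
[
    datetime(2022-10-25T09:00:00Z), '{"user":"alice","result":"success","src":{"ip":"10.1.1.5","country":"US"},"mfa":["push"]}',
    datetime(2022-10-25T09:02:00Z), '{"user":"bob","result":"failure","src":{"ip":"198.51.100.7","country":"RU"},"mfa":[]}',
    datetime(2022-10-25T09:03:00Z), '{"user":"bob","result":"failure","src":{"ip":"198.51.100.7","country":"RU"},"mfa":[]}',
    datetime(2022-10-25T09:05:00Z), '{"user":"bob","result":"success","src":{"ip":"198.51.100.7","country":"RU"},"mfa":["sms","push"]}',
    datetime(2022-10-25T09:07:00Z), 'this row is not JSON'
];
RawLogins
| extend Parsed = parse_json(RawJson)                   // string -> dynamic; invalid JSON comes back as a plain string value
| where isnotempty(tostring(Parsed.user))               // a string has no .user property, so the broken row drops out here
| extend User     = tostring(Parsed.user),
         Result   = tostring(Parsed.result),
         SrcIp    = tostring(Parsed.src.ip),             // nested object: dot path
         Country  = tostring(Parsed["src"]["country"]),  // same thing with bracket notation
         MfaCount = array_length(Parsed.mfa)             // array: its length here, or mv-expand for one row per element
| summarize Failures  = countif(Result == "failure"),
            Successes = countif(Result == "success"),
            MaxMfa    = max(MfaCount),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
         by User, SrcIp, Country
| where Failures > 0 and Successes > 0                  // same user and source IP produced both failures and a success
```

The result is a single row for bob from 198.51.100.7 with two failures and one success. To get one row per MFA method instead of a count, replace the array_length() line with | mv-expand Method = Parsed.mfa and cast Method with tostring(). Columns that the table schema already types as dynamic do not need parse_json() at all; the same dot and bracket access works on them directly.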

Parse a command line string

The parse_command_line() function (no surprise) parses a command line into a dynamic array of its tokens, handling quoted arguments, so we can pick out the individual pieces for analysis and comparison. The limitation right now is that it only supports Windows command line parsing: "windows" is the only accepted parser type.

print parse_command_line("powershell.exe -windowstyle hidden -file C:\\hax.ps1", "windows")
//Output:
["powershell.exe","-windowstyle","hidden","-file","C:\\hax.ps1"]
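A detection-style use of parse_command_line(), added as an example that is not code from the original post. The four command lines are constructed with datatable to resemble 4688 CommandLine values (the quoted path with spaces, the base64 blob and the host names are made up); the switch names checked are real PowerShell switches.

```kql
// Added example, not code from the original post: constructed 4688-style
// command lines, including a quoted path with spaces and an encoded command.
let Cmds = datatable(Computer:string, CommandLine:string)
[
    "WS01", @'powershell.exe -windowstyle hidden -file C:\hax.ps1',
    "WS01", @'"C:\Program Files\PowerShell\7\pwsh.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\alice\My Scripts\deploy.ps1"',
    "WS02", @'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    "WS03", @'powershell.exe -File C:\ops\backup.ps1'
];
Cmds
| extend Args      = parse_command_line(CommandLine, "windows")            // dynamic array; quoted tokens stay whole
| extend LowerArgs = parse_command_line(tolower(CommandLine), "windows")   // set_has_element / array_index_of are case-sensitive
| extend Exe          = tostring(Args[0]),
         FileIdx      = array_index_of(LowerArgs, "-file"),                // -1 when the switch is absent
         HiddenWindow = set_has_element(LowerArgs, "hidden")
                        and (set_has_element(LowerArgs, "-windowstyle") or set_has_element(LowerArgs, "-w")),
         Encoded      = set_has_element(LowerArgs, "-enc") or set_has_element(LowerArgs, "-encodedcommand"),
         BypassPolicy = set_has_element(LowerArgs, "bypass")
| extend ScriptPath   = iff(FileIdx >= 0, tostring(Args[FileIdx + 1]), "")  // original-case token that follows -file
| where HiddenWindow or Encoded or BypassPolicy
| project Computer, Exe, ScriptPath, HiddenWindow, Encoded, BypassPolicy, ArgCount = array_length(Args)
```

Three rows come back (the plain C:\ops\backup.ps1 run does not), and the pwsh.exe row shows why tokenising beats substring matching: ScriptPath is the whole "C:\Users\alice\My Scripts\deploy.ps1" rather than a fragment cut at the space. PowerShell also accepts abbreviated switches (-win, -e, -ep and so on), so a production rule needs prefix checks on the tokens rather than the exact names used here.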

Using distinct + project == summarize?!

Ref: StackOverflow – Using both distinct and project

project Account, Computer | distinct Account, Computer and summarize by Account, Computer return the same rows: one per unique combination of the key columns. Reach for summarize when you also want an aggregate per group, such as count(), min(TimeGenerated) or make_set(); distinct cannot give you that.
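The equivalence in one runnable query, added here and not part of the original post or the linked answer. The logon rows are constructed with datatable (accounts, hosts and times are made up) with repeated (Account, Computer) pairs so the de-duplication is visible.

```kql
// Added example, not code from the original post: constructed logon rows
// with repeated (Account, Computer) pairs so the de-duplication is visible.
let Logons = datatable(Account:string, Computer:string, LogonType:int, TimeGenerated:datetime)
[
    @"CORP\alice", "WS01",  2,  datetime(2022-10-25T08:00:00Z),
    @"CORP\alice", "WS01",  2,  datetime(2022-10-25T09:30:00Z),
    @"CORP\alice", "SRV01", 10, datetime(2022-10-25T09:45:00Z),
    @"CORP\bob",   "WS02",  2,  datetime(2022-10-25T08:10:00Z),
    @"CORP\bob",   "SRV01", 10, datetime(2022-10-25T10:00:00Z),
    @"CORP\bob",   "SRV01", 10, datetime(2022-10-25T10:05:00Z)
];
// Form 1: narrow to the key columns, then distinct -> 4 rows, one per (Account, Computer).
let ViaDistinct  = Logons | project Account, Computer | distinct Account, Computer;
// Form 2: summarize with no aggregation functions groups by the same keys -> the same 4 rows.
let ViaSummarize = Logons | summarize by Account, Computer;
// Form 3: summarize is the one to use when you also want something per group.
let WithAggregates = Logons
    | summarize LogonCount = count(), First = min(TimeGenerated), Last = max(TimeGenerated), Types = make_set(LogonType)
             by Account, Computer;
// Stack the three results so the equality of forms 1 and 2 is visible in one output.
ViaDistinct    | extend Method = "1 project+distinct"
| union (ViaSummarize   | extend Method = "2 summarize by")
| union (WithAggregates | extend Method = "3 summarize with aggregates")
| order by Method asc, Account asc, Computer asc
```

Methods 1 and 2 each contribute the same four key pairs with empty aggregate columns; method 3 contributes the same four pairs plus the count, first/last time and set of logon types for each.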


Azure Sentinel


Useful Blog Posts + References


Revx0r
  • I am an Offensive Security Engineer doing security shenanigans and playing in the cloud
