KQL For Security
Kusto Query Language (KQL) can be used for all kinds of security shenanigans. It is often used in incident response and threat hunting, but it can be leveraged in different ways for different needs.
I use KQL often and while I am definitely not a pro, I am on a never-ending journey to always get better with it. I am going to continuously dump/update resources, queries, tips, etc. in here so that you can leverage them for your different security needs.
KQL Query Goodies
Using Lists to query against
let interestingCmds = dynamic([@"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", @"C:\Windows\System32\cscript.exe", @"C:\Windows\System32\cmd.exe"]);
SecurityEvent
// in~ is a case-insensitive exact match of the whole value, so every list entry must be the
// full path as it is logged (a bare "cmd" would never match C:\Windows\System32\cmd.exe)
| where ParentProcessName in~ (interestingCmds)
| take 20
- has_any matches any of the listed values as whole terms anywhere in the string (not arbitrary substrings; use contains for that), so "cmd" matches C:\Windows\System32\cmd.exe
- project keeps only the specified column(s)
- project-away excludes the specified column(s)
let interestingCmds = dynamic([@"powershell.exe", @"cscript.exe", "cmd"]);
SecurityEvent
// has_any does whole-term matching anywhere in the value, so short names work regardless of path
| where Process has_any (interestingCmds)
| take 20
// keep only the columns that matter for triage
| project Account, AccountType, Computer, Activity, CommandLine, FileHash, FilePath, NewProcessName, ParentProcessName, Process
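The difference between the two list operators matters for detection coverage. The query below is an added example, not from the original page; it runs against a small constructed datatable (the host names and paths are made up) instead of SecurityEvent so it works without any data, and it evaluates both operators side by side on the same process names.

```kql
// Constructed sample rows (not real telemetry). NewProcessName is a full path,
// exactly as SecurityEvent.NewProcessName / ParentProcessName store it.
let sample = datatable(TimeGenerated:datetime, Computer:string, NewProcessName:string)
[
    datetime(2024-01-01 10:00:00), "WS01", @"C:\Windows\System32\cmd.exe",
    datetime(2024-01-01 10:01:00), "WS01", @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    datetime(2024-01-01 10:02:00), "WS02", @"C:\Windows\System32\cscript.exe",
    datetime(2024-01-01 10:03:00), "WS02", @"C:\Windows\explorer.exe",
    datetime(2024-01-01 10:04:00), "WS03", @"C:\Users\bob\AppData\Local\Temp\cmd.exe"
];
// Short names: suitable for has_any, which matches whole terms anywhere in the value.
let interestingNames = dynamic(["powershell.exe", "cscript.exe", "cmd.exe"]);
// Full paths: required for in~, which is a case-insensitive exact match of the whole value.
let interestingPaths = dynamic([
    @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    @"C:\Windows\System32\cscript.exe",
    @"C:\Windows\System32\cmd.exe"]);
sample
| extend MatchedByHasAny = NewProcessName has_any (interestingNames),
         MatchedByIn     = NewProcessName in~ (interestingPaths)
// The cmd.exe copied into a user's Temp directory is caught by has_any but not by in~:
// an exact-path list silently misses renamed or relocated binaries, which is exactly
// what an attacker does to sidestep it. explorer.exe is the negative control.
| project TimeGenerated, Computer, NewProcessName, MatchedByHasAny, MatchedByIn
```

Use in~ when you deliberately want a tight match on a known-good path (for example, alerting on cmd.exe that is not in System32), and has_any when you want to catch the binary wherever it runs. Both are evaluated per row, so you can keep them in extend and compare before committing to a where clause.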
Search for a string in any of the columns
search in (SecurityEvent) "powershell"
| take 10
Interpret a string as JSON
The parse_json() function converts a string into a dynamic value, so the JSON object(s) inside it can be addressed by path (for example p.user.name) and expanded instead of being treated as opaque text.
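As an added example (not from the original page), the query below parses a JSON payload stored as text, pulls nested fields out of it, expands an array with mv-expand, and then filters on the expanded values. The datatable, its JSON, user names and IP addresses are all constructed for the example; real tables that store JSON as text (custom logs, SecurityAlert.Entities) work the same way.

```kql
// Constructed sample (not real data): a column holding raw JSON as text, the way
// many tables store structured payloads.
let rawEvents = datatable(TimeGenerated:datetime, Payload:string)
[
    datetime(2024-01-01 09:00:00), '{"user":{"name":"alice","domain":"CORP"},"ips":["10.0.0.5","203.0.113.7"],"mfa":false}',
    datetime(2024-01-01 09:05:00), '{"user":{"name":"bob","domain":"CORP"},"ips":["10.0.0.9"],"mfa":true}'
];
rawEvents
// parse_json turns the text into a dynamic value; without it Payload.user.name is not addressable.
| extend p = parse_json(Payload)
| extend UserName = tostring(p.user.name),
         Domain   = tostring(p.user.domain),
         MfaUsed  = tobool(p.mfa),
         IpCount  = array_length(p.ips),
         Ips      = p.ips
// mv-expand yields one row per array element so each IP can be filtered on its own.
| mv-expand Ip = Ips to typeof(string)
// Keep sign-ins from non-private addresses that did not use MFA.
| where not(ipv4_is_private(Ip)) and MfaUsed == false
| project TimeGenerated, UserName, Domain, Ip, IpCount
```

Only alice's row from 203.0.113.7 survives the filter. If the column is already of type dynamic (many Sentinel tables are), the parse_json call is unnecessary and the path access works directly; todynamic() is an alias of parse_json().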
Parse a command line string
The parse_command_line() function (no surprise) parses a command line into a dynamic array of tokens, so the individual pieces can be extracted for analysis, comparisons, etc. The current limitation is that only Windows command-line parsing is supported: the second argument must be "windows".
print parse_command_line("powershell.exe -windowstyle hidden -file C:\\hax.ps1", "windows")
//Output:
["powershell.exe","-windowstyle","hidden","-file","C:\\hax.ps1"]
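Tokenizing is what makes command-line detections precise: instead of asking whether the text contains "hidden" somewhere, you can ask whether a -WindowStyle parameter is followed by the value hidden. The query below is an added example, not from the original page; the process rows are constructed (the host names, paths and the base64 string are made up), and the parameter spellings it checks are the common PowerShell abbreviations, not an exhaustive list.

```kql
// Constructed process-creation samples (not real telemetry). A literal "hidden" inside a
// quoted path is included on purpose to show why token matching beats substring matching.
let procs = datatable(TimeGenerated:datetime, Computer:string, CommandLine:string)
[
    datetime(2024-01-01 11:00:00), "WS01", @"powershell.exe -windowstyle hidden -file C:\hax.ps1",
    datetime(2024-01-01 11:01:00), "WS01", @"powershell.exe -NoProfile -W Hidden -EncodedCommand dwBoAG8AYQBtAGkA",
    datetime(2024-01-01 11:02:00), "WS02", @"powershell.exe -File C:\Scripts\backup.ps1 -Verbose",
    datetime(2024-01-01 11:03:00), "WS03", @"""C:\Program Files\App\app.exe"" --config ""C:\Program Files\App\hidden.cfg"""
];
procs
| extend Tokens = parse_command_line(CommandLine, "windows")
// Lower-case every token in one go: serialize the array to JSON text, lower it, parse it back.
// The original Tokens array is kept so the base64 payload is not altered.
| extend LowerTokens = parse_json(tolower(tostring(Tokens)))
// PowerShell accepts any unambiguous prefix of a parameter name (-w, -win, -windowstyle, ...).
// array_index_of returns -1 when absent, so max_of picks whichever spelling is present.
| extend WinIdx = max_of(array_index_of(LowerTokens, "-windowstyle"), array_index_of(LowerTokens, "-win"), array_index_of(LowerTokens, "-w")),
         EncIdx = max_of(array_index_of(LowerTokens, "-encodedcommand"), array_index_of(LowerTokens, "-enc"), array_index_of(LowerTokens, "-e"))
| extend HiddenWindow   = WinIdx >= 0 and tostring(LowerTokens[WinIdx + 1]) == "hidden",
         EncodedCommand = EncIdx >= 0,
         EncodedPayload = iff(EncIdx >= 0, tostring(Tokens[EncIdx + 1]), ""),
         // Naive term check for comparison: it also fires on the innocent hidden.cfg path.
         NaiveHiddenHit = CommandLine has "hidden"
| project TimeGenerated, Computer, Image = tostring(Tokens[0]), HiddenWindow, EncodedCommand, EncodedPayload, NaiveHiddenHit, CommandLine
```

The first two rows are flagged as HiddenWindow (the second also as EncodedCommand, with the payload preserved in its original case), the backup script is clean, and the app.exe row shows the false positive that the naive check produces and the token check avoids. Note that -EncodedCommand carries UTF-16LE text, so base64_decode_tostring() on the payload returns NUL-interleaved characters; decode it accordingly before matching on the decoded script.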
Using distinct + project == summarize?!
Projecting down to a set of columns and then running distinct over them returns the same rows as summarize by those same columns; the summarize form is the one to reach for when you also want aggregates such as count() or min(TimeGenerated).
Ref: StackOverflow - Using both distinct and project
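As an added example (not from the original page or the referenced answer), the query below runs both forms over a small constructed logon table (the hosts and accounts are made up) and tags each result so you can see every (Computer, Account) pair come back from both.

```kql
// Constructed logon rows (not real data); WS01/alice appears twice on purpose.
let logons = datatable(TimeGenerated:datetime, Computer:string, Account:string, EventID:int)
[
    datetime(2024-01-01 08:00:00), "WS01", @"CORP\alice", 4624,
    datetime(2024-01-01 08:05:00), "WS01", @"CORP\alice", 4624,
    datetime(2024-01-01 08:07:00), "WS02", @"CORP\bob",   4625,
    datetime(2024-01-01 08:09:00), "WS02", @"CORP\alice", 4624
];
// Form 1: narrow to the key columns, then deduplicate.
let viaDistinct = logons
    | project Computer, Account
    | distinct Computer, Account;
// Form 2: one operator with grouping keys only, no aggregate.
let viaSummarize = logons
    | summarize by Computer, Account;
// Tag each form's output and merge: every pair should list both sources.
union (viaDistinct | extend Source = "distinct"), (viaSummarize | extend Source = "summarize")
| summarize Sources = make_set(Source) by Computer, Account
| order by Computer asc, Account asc
```

Three pairs come back, each with Sources = ["distinct", "summarize"]. The summarize form is also where you add count(), countif(EventID == 4625) or min(TimeGenerated) by the same keys without a second pass over the data.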
Azure Sentinel
- Check out the Azure-Sentinel GitHub repo for a lot of great queries!
Useful Blog Posts + References
- KQL for Incident Response by DaRT
- Malicious KQL
- [Microsoft’s Azure Demo Environment](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade) for trying a lot of these!
DOCS
- Azure Monitor Sample Queries
- Azure Data Explorer Sample Queries
- Query Best Practices
- Quick Reference Guide
- Get started with log queries in Azure Monitor