Query Details

Device Network Events Suspicious Connection By Wer Fault

Query

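// Detection: WerFault.exe (Windows Error Reporting) opening outbound connections to
// public destinations that are neither a known Microsoft WER/Windows Update host nor a
// destination WerFault.exe already reached from this tenant in the preceding 14 days.
//
// Baseline logic: both toscalar() sets below are built from the window
// [ago(query_period) .. ago(query_frequency)], i.e. the 14 days *before* the 1h slice
// under review, so the slice never contributes to its own baseline.
// Caveat: the baseline is an allow-list of "previously seen" destinations; anything
// first contacted inside query_period but before the current slice is treated as
// expected. Tune query_period / query_frequency with that blind spot in mind.
let query_frequency = 1h;
let query_period = 14d;
// Expected WER / Windows Update destinations. Only the end of the URL is anchored ($),
// so this is a host-suffix match. The first pattern admits any host whose label fits
// the name shape rather than a fixed list; review it if the allow-list proves too broad.
// The URL is lowercased before matching because `matches regex` is case-sensitive and
// hostnames are not.
let _ExpectedDomainsRegex = strcat(@'(', strcat_array(dynamic([
    @"\w{4}\d?watcab\d{2}\.blob\.core\.windows\.net",
    @"watson.*\.events\.data\.microsoft\.com",
    @"\.windowsupdate\.com"
]), '|'), @')$');
// Hostnames WerFault.exe reached in the baseline window (events that carry a RemoteUrl).
let _PreviousDomains = toscalar(
    DeviceNetworkEvents
    | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
    | where InitiatingProcessFileName has "WerFault.exe" and RemoteIPType == "Public"
    | where isnotempty(RemoteUrl)
    | summarize make_set(RemoteUrl)
);
// /23 ranges WerFault.exe reached in the baseline window (events with no RemoteUrl).
// isnotempty(RemoteIP) keeps format_ipv4_mask() from adding empty entries to the set.
let _PreviousIPRanges = toscalar(
    DeviceNetworkEvents
    | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
    | where InitiatingProcessFileName has "WerFault.exe" and RemoteIPType == "Public"
    | where isempty(RemoteUrl) and isnotempty(RemoteIP)
    | summarize make_set(format_ipv4_mask(RemoteIP, 23))
);
DeviceNetworkEvents
| where ingestion_time() > ago(query_frequency)
// Public destinations only; events without a RemoteIPType fall back to a private-range check.
| where InitiatingProcessFileName has "WerFault.exe" and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
//| where isnotempty(InitiatingProcessAccountUpn) //and RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront.net"
// Drop everything expected or previously seen. `in~` is case-insensitive, matching the
// tolower() used for the regex. coalesce() maps the null that ipv4_is_in_any_range()
// returns for an unparseable RemoteIP to false, so such rows are surfaced rather than
// silently removed by `where not(null)`.
| where not(tolower(RemoteUrl) matches regex _ExpectedDomainsRegex
    or RemoteUrl in~ (_PreviousDomains)
    or coalesce(ipv4_is_in_any_range(RemoteIP, _PreviousIPRanges), false))
| project
    TimeGenerated,
    DeviceName,
    LocalIP,
    InitiatingProcessAccountUpn,
    ActionType,
    InitiatingProcessId,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    Protocol,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    InitiatingProcessParentId,
    InitiatingProcessParentFileName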

Explanation

This query looks for suspicious network activity by the "WerFault.exe" process. It flags connections to public remote URLs or IP addresses that match neither the list of expected domains nor the domains and IP ranges WerFault.exe contacted during the past 14 days. For each such connection it displays details such as time, device name, IP addresses, and process information.

Details


Jose Sebastián Canós

Released: March 15, 2024

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User

Operators

| where, | has, | ==, | isnotempty, | summarize, | make_set, | isempty, | format_ipv4_mask, | >, | or, | not, | matches regex, | in, | ipv4_is_private, | ipv4_is_in_any_range, | project.
