Device Network Events Suspicious Connection By Wer Fault
Query
let query_frequency = 1h;
let query_period = 14d;
let executable_name = "WerFault.exe";
let _ExpectedDomainsRegex = strcat(@'(', strcat_array(dynamic([
@"\w{4}\d?watcab\d{2}\.blob\.core\.windows\.net",
@"watson.*\.events\.data\.microsoft\.com",
@"\.windowsupdate\.com"
]), '|'), @')$');
let _PreviousDomains = toscalar(
DeviceNetworkEvents
| where ingestion_time() between (ago(query_period) .. ago(query_frequency))
| where (InitiatingProcessFileName has executable_name or InitiatingProcessVersionInfoOriginalFileName has executable_name) and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
| where isnotempty(RemoteUrl)
| summarize make_set(RemoteUrl)
);
let _PreviousIPRanges = toscalar(
union
(
DeviceNetworkEvents
| where ingestion_time() between (ago(query_period) .. ago(query_frequency))
| where (InitiatingProcessFileName has executable_name or InitiatingProcessVersionInfoOriginalFileName has executable_name) and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
| where isempty(RemoteUrl)
),
(
DeviceNetworkEvents
| where ingestion_time() between (ago(query_period) .. ago(query_frequency))
| where isnotempty(RemoteUrl) and RemoteUrl matches regex _ExpectedDomainsRegex
)
| distinct RemoteIP
| summarize make_set(format_ipv4_mask(RemoteIP, 23))
);
DeviceNetworkEvents
| where ingestion_time() > ago(query_frequency)
| where (InitiatingProcessFileName has executable_name or InitiatingProcessVersionInfoOriginalFileName has executable_name) and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
//| where isnotempty(InitiatingProcessAccountUpn) //and RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront.net"
| where not(RemoteUrl matches regex _ExpectedDomainsRegex or RemoteUrl in (_PreviousDomains) or ipv4_is_in_any_range(RemoteIP, _PreviousIPRanges))
| project
TimeGenerated,
DeviceName,
LocalIP,
InitiatingProcessAccountUpn,
ActionType,
InitiatingProcessId,
InitiatingProcessFolderPath,
InitiatingProcessCommandLine,
Protocol,
RemoteUrl,
RemoteIP,
RemotePort,
InitiatingProcessParentId,
InitiatingProcessParentFileNameExplanation
This KQL query is designed to monitor network events related to a specific executable, "WerFault.exe," over a recent period and identify any unusual or unexpected network connections. Here's a simplified breakdown of what the query does:
-
Define Parameters:
query_frequency: The time window for recent data, set to 1 hour.query_period: The historical period to compare against, set to 14 days.executable_name: The name of the executable to monitor, "WerFault.exe"._ExpectedDomainsRegex: A regular expression pattern that matches expected domain names related to Microsoft services.
-
Identify Previous Domains:
- It collects a set of URLs that "WerFault.exe" connected to in the past 14 days, excluding private IPs, and stores them in
_PreviousDomains.
- It collects a set of URLs that "WerFault.exe" connected to in the past 14 days, excluding private IPs, and stores them in
-
Identify Previous IP Ranges:
- It gathers distinct IP addresses that "WerFault.exe" connected to in the past 14 days, either without a URL or with a URL matching expected domains, and stores them as IP ranges in
_PreviousIPRanges.
- It gathers distinct IP addresses that "WerFault.exe" connected to in the past 14 days, either without a URL or with a URL matching expected domains, and stores them as IP ranges in
-
Current Monitoring:
- It examines network events from the last hour where "WerFault.exe" initiated a connection to a public IP.
- It filters out connections to expected domains or previously seen domains/IP ranges.
- It projects relevant details of these connections, such as time, device name, IPs, URLs, and process information.
In summary, this query helps identify any new or unexpected network connections made by "WerFault.exe" that do not match known or expected patterns, potentially indicating unusual or suspicious activity.
Details

Jose Sebastián Canós
Released: March 25, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsRemoteIPUrlTimeGeneratedNameLocalInitiatingProcessAccountUpnActionTypeIdFolderPathCommandLineProtocolPortParentFile
Operators
letstrcatstrcat_arraydynamictoscalarbetweenagohasisemptynotipv4_is_privateisnotemptysummarizemake_setunionmatchesregexdistinctformat_ipv4_maskprojectinipv4_is_in_any_range