Query Details

Device Network Events Suspicious Process Connection To CloudFront Domain

Query

DeviceNetworkEvents
| where (InitiatingProcessParentFileName has "msiexec.exe" or InitiatingProcessCommandLine has "/Install") and RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront\.net"
| project
    TimeGenerated,
    DeviceName,
    LocalIP,
    ActionType,
    InitiatingProcessParentCreationTime,
    InitiatingProcessParentFileName,
    InitiatingProcessCreationTime,
    InitiatingProcessAccountUpn,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    Protocol,
    RemoteUrl,
    RemoteIP,
    RemotePort

Explanation

This query looks at DeviceNetworkEvents for connections made by a process that was started by the Windows Installer (a parent of msiexec.exe) or whose command line carries the /Install switch. It further filters for remote URLs that match the shape of an Amazon CloudFront distribution domain: the letter d, one digit, twelve alphanumeric characters, then .cloudfront.net. The query then projects the event time, device name, local IP, action type, details of the initiating process and its parent, the protocol, and the remote URL, IP and port for each matching event.
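To sanity-check the where clause against known-good and lookalike hostnames before deploying it, here is an added Python re-implementation of the same logic (not part of the original query page) run over constructed sample events; it also shows why the trailing dot in the regex needs escaping. The KQL `has` operator is approximated by a case-folded substring test, which is an assumption, not a faithful port.

```python
"""Sample-driven check of the detection logic in the KQL query above."""
import re
from dataclasses import dataclass

# The query's regex with the final dot escaped (assumption: a literal
# ".cloudfront.net" suffix is intended). The unescaped form is kept only
# to demonstrate what the unescaped dot lets through.
CLOUDFRONT_DIST = re.compile(r"d\d[a-z0-9]{12}\.cloudfront\.net")
UNESCAPED_DIST = re.compile(r"d\d[a-z0-9]{12}\.cloudfront.net")


@dataclass
class NetworkEvent:
    """Subset of DeviceNetworkEvents columns the where clause reads."""
    parent_file_name: str   # InitiatingProcessParentFileName
    command_line: str       # InitiatingProcessCommandLine
    remote_url: str         # RemoteUrl


def is_installer_context(event: NetworkEvent) -> bool:
    # KQL 'has' is a case-insensitive whole-term match; a case-folded
    # substring test is a close enough stand-in for these sample values.
    parent = event.parent_file_name.casefold()
    cmdline = event.command_line.casefold()
    return "msiexec.exe" in parent or "/install" in cmdline


def is_suspicious(event: NetworkEvent, pattern: re.Pattern = CLOUDFRONT_DIST) -> bool:
    """True when the event would survive the query's where clause."""
    return is_installer_context(event) and pattern.search(event.remote_url) is not None


def filter_events(events, pattern: re.Pattern = CLOUDFRONT_DIST):
    """Return the RemoteUrl of every event the query would surface."""
    return [e.remote_url for e in events if is_suspicious(e, pattern)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    NetworkEvent("msiexec.exe", "C:\\Windows\\Temp\\helper.exe", "https://d1abcdef123456.cloudfront.net/pkg.msi"),
    NetworkEvent("explorer.exe", "setup.exe /Install /quiet", "d2a1b2c3d4e5f6.cloudfront.net"),
    NetworkEvent("explorer.exe", "notepad.exe readme.txt", "d3a1b2c3d4e5f6.cloudfront.net"),
    NetworkEvent("msiexec.exe", "installer.exe", "cdn.example.com"),
    NetworkEvent("msiexec.exe", "installer.exe", "d4a1b2c3d4e5f6.cloudfront-net.example"),
]

if __name__ == "__main__":
    print("escaped  :", filter_events(SAMPLE_EVENTS))
    print("unescaped:", filter_events(SAMPLE_EVENTS, UNESCAPED_DIST))
```

The last sample event is only surfaced by the unescaped pattern, which is the kind of lookalike hit the escaped version excludes.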

Details

Jose Sebastián Canós

Released: March 7, 2024

Tables

DeviceNetworkEvents

Keywords

Device,Network,Events,InitiatingProcessParentFileName,InitiatingProcessCommandLine,RemoteUrl,TimeGenerated,DeviceName,LocalIP,ActionType,InitiatingProcessParentCreationTime,InitiatingProcessCreationTime,InitiatingProcessAccountUpn,InitiatingProcessFolderPath,InitiatingProcessCommandLine,Protocol,RemoteIP,RemotePort.

Operators

where, has, or, matches regex, project