Query Details

Device Network Events Uncommon Process Connection To Cloudfront Domain

Query

let query_frequency = 1h;
let query_period = 14d;
DeviceNetworkEvents
| where Timestamp > ago(query_period)
| where RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront\.net" // and not(InitiatingProcessAccountSid in ("S-1-5-18", "S-1-5-20"))
| summarize
    StartTime = arg_min(Timestamp, *),
    EndTime = max(Timestamp),
    DeviceNamesSample = array_sort_asc(make_set(DeviceName, 100))
    by InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoFileDescription
| where StartTime > ago(query_frequency)
| invoke FileProfile("InitiatingProcessSHA1")
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_frequency) and SignatureState == "SignedValid")
| project
    StartTime,
    EndTime,
    DeviceNamesSample,
    Timestamp = StartTime,
    DeviceId,
    DeviceName,
    LocalIP,
    ActionType,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    Protocol,
    InitiatingProcessAccountName,
    InitiatingProcessAccountSid,
    InitiatingProcessAccountUpn,
    InitiatingProcessAccountObjectId,
    InitiatingProcessSHA1,
    InitiatingProcessSHA256,
    InitiatingProcessMD5,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    InitiatingProcessCreationTime,
    IsInitiatingProcessRemoteSession,
    InitiatingProcessParentFileName,
    InitiatingProcessVersionInfoCompanyName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessVersionInfoOriginalFileName,
    InitiatingProcessVersionInfoInternalFileName,
    InitiatingProcessVersionInfoFileDescription,
    InitiatingProcessVersionInfoProductVersion,
    GlobalPrevalence,
    GlobalFirstSeen,
    GlobalLastSeen,
    SignatureState,
    ReportId

Explanation

This KQL (Kusto Query Language) query is designed to analyze network events from devices over the past 14 days, focusing on specific patterns and characteristics of network activity. Here's a simplified breakdown:

  1. Time Frame: The query looks at device network events from the last 14 days (query_period).

  2. URL Pattern: It keeps only events whose RemoteUrl matches the shape of a CloudFront distribution hostname: a "d", one digit, twelve more lowercase alphanumerics, then .cloudfront.net (e.g., d123abc456def7.cloudfront.net).

  3. Data Summarization: It summarizes the data by grouping events based on the initiating process's version information, such as company name, product name, and file description. For each group, it identifies:

    • The earliest (StartTime) and latest (EndTime) timestamps of the events.
    • A sorted list of up to 100 unique device names involved.

  4. Recent Activity: It further filters to include only those groups where the StartTime is within the last hour (query_frequency).

  5. File Profile Check: It enriches each remaining group by invoking FileProfile on the InitiatingProcessSHA1, which adds the binary's global prevalence, first and last seen dates, and signature state.

  6. Exclusion Criteria: It excludes events where the file is globally prevalent (seen more than 1000 times) and was first seen more than an hour ago, provided the file is validly signed.

  7. Projection: Finally, it selects and displays a wide range of details about the events, including timestamps, device information, network details, and initiating process attributes.

In essence, this query identifies and analyzes recent network events involving specific CloudFront URLs, focusing on potentially uncommon or suspicious initiating processes.
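As an added illustration (example code, not part of the original query or the author's work), the following Python mirrors the query's steps over constructed sample events: the host filter, grouping by the version-info tuple, the one-hour StartTime window, and the prevalence/signature exclusion that stands in for FileProfile. The host pattern here is anchored and has both dots escaped so a lookalike such as d2zyxwvutsrqpo.cloudfront.net.example.org does not match; the sample events, SHA1 placeholders and profile values are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Anchored, dots escaped: "d2zyxwvutsrqpo.cloudfront.net.example.org" must not match.
CLOUDFRONT_RE = re.compile(r"^d\d[a-z0-9]{12}\.cloudfront\.net$")
NOW = datetime(2025, 3, 18, 12, 0, tzinfo=timezone.utc)  # constructed "query run" time
FREQ = timedelta(hours=1)                                 # query_frequency

def is_cloudfront_host(host):
    return CLOUDFRONT_RE.fullmatch(host) is not None
def uncommon_cloudfront_connections(events, profiles, now=NOW):
    """Same steps as the KQL: host filter, group by version-info tuple, keep groups first
    seen in the last hour, drop prevalent (>1000), long-known, validly signed binaries."""
    groups = defaultdict(list)
    for ev in events:
        if is_cloudfront_host(ev["RemoteUrl"]):
            groups[(ev["Company"], ev["Product"], ev["OriginalFileName"])].append(ev)
    findings = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["Timestamp"])
        start, sha1 = evs[0]["Timestamp"], evs[0]["SHA1"]  # arg_min(Timestamp, *)
        if start <= now - FREQ:                             # StartTime > ago(query_frequency)
            continue
        p = profiles.get(sha1, {})                          # stands in for invoke FileProfile
        if (p.get("GlobalPrevalence", 0) > 1000 and p.get("GlobalFirstSeen", now) < now - FREQ
                and p.get("SignatureState") == "SignedValid"):
            continue                                        # common, old, validly signed: skip
        findings.append({"Process": key, "SHA1": sha1, "StartTime": start,
                         "EndTime": evs[-1]["Timestamp"],
                         "DeviceNamesSample": sorted({e["DeviceName"] for e in evs})})
    return findings

def _ev(minutes_ago, device, url, company, product, name, sha1):
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "DeviceName": device, "RemoteUrl": url,
            "Company": company, "Product": product, "OriginalFileName": name, "SHA1": sha1}

# Constructed sample telemetry; the SHA1 values are placeholders, not real hashes.
SAMPLE_EVENTS = [
    _ev(30, "ws-02", "d1abcdefghijkl.cloudfront.net", "Contoso", "Updater", "upd.exe", "sha1-updater"),
    _ev(10, "ws-01", "d1abcdefghijkl.cloudfront.net", "Contoso", "Updater", "upd.exe", "sha1-updater"),
    _ev(20, "ws-03", "d2zyxwvutsrqpo.cloudfront.net", "", "", "loader.exe", "sha1-loader"),
    _ev(15, "ws-04", "d2zyxwvutsrqpo.cloudfront.net.example.org", "", "", "x.exe", "sha1-x"),
    _ev(300, "ws-05", "d3mnopqrstuvwx.cloudfront.net", "Fabrikam", "Sync", "sync.exe", "sha1-sync"),
]
SAMPLE_PROFILES = {
    "sha1-updater": {"GlobalPrevalence": 50000, "GlobalFirstSeen": NOW - timedelta(days=400), "SignatureState": "SignedValid"},
    "sha1-loader": {"GlobalPrevalence": 3, "GlobalFirstSeen": NOW - timedelta(hours=2), "SignatureState": "Unsigned"},
}
```

Run against the sample data, only the unsigned, low-prevalence loader.exe group survives: the Contoso updater is excluded as common and validly signed, the Fabrikam group started outside the one-hour window, and the lookalike domain never matches.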

Details

Jose Sebastián Canós

Released: March 18, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, FileProfile

Operators

let, ago, matches regex, summarize, arg_min, max, array_sort_asc, make_set, by, invoke, FileProfile, not, project