Query Details

Device Network Events Uncommon Process Connection To Suspicious Domain

Query

let query_frequency = 1h;
let query_period = 14d;
let suspicious_domains = dynamic([
	@"d\d[a-z0-9]{12}\.cloudfront.net",
	@"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
	@"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
	@"portswigger\.net",
	@"oastify\.com",
	@"whatismyip\.com",
	@"whatismyip\.net",
	@"whatismyipaddress\.com"
]);
DeviceNetworkEvents
| where Timestamp > ago(query_period)
| where RemoteUrl matches regex strcat_array(suspicious_domains, "|") // and not(InitiatingProcessAccountSid in ("S-1-5-18", "S-1-5-20"))
| where isnotempty(InitiatingProcessFileName)
// Group by the initiating process' version info; arg_min(Timestamp, *) keeps the full row of the earliest connection in each group
| summarize
    StartTime = arg_min(Timestamp, *),
    EndTime = max(Timestamp),
    DeviceNamesSample = array_sort_asc(make_set(DeviceName, 100)),
    RemoteUrlsSample = array_sort_asc(make_set(RemoteUrl, 100))
    by InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoFileDescription
// Only groups whose earliest matching connection in the 14-day window falls inside the last hour are new
| where StartTime > ago(query_frequency)
| invoke FileProfile("InitiatingProcessSHA1")
// Drop prevalent, validly signed binaries that were already known before this run
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_frequency) and SignatureState == "SignedValid")
| project
    StartTime,
    EndTime,
    DeviceNamesSample,
    RemoteUrlsSample,
    Timestamp = StartTime,
    DeviceId,
    DeviceName,
    LocalIP,
    ActionType,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    Protocol,
    InitiatingProcessAccountName,
    InitiatingProcessAccountSid,
    InitiatingProcessAccountUpn,
    InitiatingProcessAccountObjectId,
    InitiatingProcessSHA1,
    InitiatingProcessSHA256,
    InitiatingProcessMD5,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    InitiatingProcessCreationTime,
    IsInitiatingProcessRemoteSession,
    InitiatingProcessParentFileName,
    InitiatingProcessVersionInfoCompanyName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessVersionInfoOriginalFileName,
    InitiatingProcessVersionInfoInternalFileName,
    InitiatingProcessVersionInfoFileDescription,
    InitiatingProcessVersionInfoProductVersion,
    GlobalPrevalence,
    GlobalFirstSeen,
    GlobalLastSeen,
    SignatureState,
    ReportId

Explanation

This KQL query is designed to identify and analyze potentially suspicious network activity on devices over the past 14 days. Here's a simplified breakdown of what the query does:

  1. Time Frame and Frequency: The query looks at network events from the last 14 days (query_period) and is meant to run every hour (query_frequency).

  2. Suspicious Domains: It defines a list of suspicious domain patterns, such as certain CloudFront, Kxcdn, and Azure domains, as well as specific domains like portswigger.net and whatismyip.com.

  3. Filtering Events:

    • It filters network events to include only those that occurred in the last 14 days.
    • It checks whether the RemoteUrl matches any of the suspicious domain patterns (the patterns are joined with "|" into a single regular expression).
    • It ensures that the initiating process has a non-empty file name.

  4. Summarizing Data:

    • It groups the events by the initiating process's version info (company name, product name, original and internal file name, file description).
    • For each group it captures the earliest and latest timestamps, keeps the full row of the earliest event, and collects samples of the device names and remote URLs involved.

  5. Recent Activity: It keeps only groups whose earliest matching connection within the 14-day window falls inside the last hour, so a process that has been connecting to these domains for longer is not alerted on again.

  6. File Profiling: It invokes FileProfile on the SHA1 hash of the initiating process to enrich each result with global prevalence, first/last seen dates and signature state.

  7. Excluding Common Signed Files: It excludes files that are globally prevalent (seen more than 1000 times) and were first seen before the last hour, provided they are validly signed.

  8. Output: Finally, it projects a wide range of details about the events, including timestamps, device information, network details, process details, and the file profile fields.

In essence, this query is used to detect and analyze recent suspicious network activity involving specific domains, focusing on new or uncommon processes that might indicate potential security threats.
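The filtering, grouping and exclusion steps above, re-implemented in Python as an added example (not code from the page or its author) so the domain patterns and the "new group in the last hour" logic can be checked offline against constructed events. The event dictionaries, the mk helper and the fixed NOW value are assumptions for the example; KQL's matches regex (RE2) and Python's re behave the same for these patterns.

```python
import re
from datetime import datetime, timedelta, timezone

# The query's suspicious_domains list, verbatim (KQL @"..." strings are raw, like Python r"...").
SUSPICIOUS_DOMAINS = [
    r"d\d[a-z0-9]{12}\.cloudfront.net",
    r"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    r"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
    r"portswigger\.net", r"oastify\.com",
    r"whatismyip\.com", r"whatismyip\.net", r"whatismyipaddress\.com",
]
# strcat_array(suspicious_domains, "|") builds one alternation; 'matches regex' is an unanchored search.
COMBINED = re.compile("|".join(SUSPICIOUS_DOMAINS))
QUERY_FREQUENCY = timedelta(hours=1)

def url_is_suspicious(remote_url):
    """| where RemoteUrl matches regex strcat_array(suspicious_domains, "|")"""
    return COMBINED.search(remote_url) is not None

def is_excluded(global_prevalence, global_first_seen, signature_state, now):
    """FileProfile exclusion; a file unknown to FileProfile (None fields) is never excluded, so it stays in the output."""
    return (global_prevalence is not None and global_prevalence > 1000
            and global_first_seen is not None and global_first_seen < now - QUERY_FREQUENCY
            and signature_state == "SignedValid")

def new_process_groups(events, now):
    """summarize StartTime/EndTime/RemoteUrlsSample by version-info key, then keep only the groups
    whose earliest matching connection falls inside the last hour (| where StartTime > ago(1h))."""
    groups = {}
    for e in events:
        if not e.get("InitiatingProcessFileName") or not url_is_suspicious(e["RemoteUrl"]):
            continue
        key = (e["CompanyName"], e["ProductName"], e["OriginalFileName"])
        g = groups.setdefault(key, {"StartTime": e["Timestamp"], "EndTime": e["Timestamp"], "RemoteUrls": set()})
        g["StartTime"], g["EndTime"] = min(g["StartTime"], e["Timestamp"]), max(g["EndTime"], e["Timestamp"])
        g["RemoteUrls"].add(e["RemoteUrl"])
    return {k: g for k, g in groups.items() if g["StartTime"] > now - QUERY_FREQUENCY}

# Constructed sample events (not real telemetry); NOW is fixed so the run is deterministic.
NOW = datetime(2025, 4, 16, 12, 0, tzinfo=timezone.utc)
def mk(minutes_ago, url, company, product, orig, fname="tool.exe"):
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "RemoteUrl": url, "CompanyName": company,
            "ProductName": product, "OriginalFileName": orig, "InitiatingProcessFileName": fname}
SAMPLE_EVENTS = [
    mk(30, "abc123.oastify.com", "", "", "unk.exe"),                 # unknown tool, first seen 30 min ago
    mk(2000, "www.portswigger.net", "PortSwigger", "Burp", "burp"),  # group began >1h ago: not re-alerted
    mk(10, "www.portswigger.net", "PortSwigger", "Burp", "burp"),
    mk(5, "cdn.example.com", "Vendor", "App", "app.exe"),            # not in the pattern list: ignored
]
```

Running new_process_groups(SAMPLE_EVENTS, NOW) returns only the unknown tool's group, which is what the hourly run of the query would surface.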

Details

Jose Sebastián Canós

Released: April 16, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, dynamic, ago, matches regex, strcat_array, isnotempty, summarize, arg_min, max, array_sort_asc, make_set, by, invoke, where, not, project