Query Details
// How many CrowdStrike clients running on Microsoft Azure globally
// LinkedIn Post: https://www.linkedin.com/posts/0x534c_fileprofile-function-in-advanced-hunting-activity-7232990010898010112-G2Lg/
// While brainstorming on how to KQL detect Bring Your Own Vulnerable Driver (BYOVD) exploits in the recent Zero Day CVE-2024-38193 by APT North Korean Lazarus, I was exploring the recent addition of the FileProfile() enrichment function that adds the following data to files found by the query.
// Advanced Hunting - FileProfile()
// https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-fileprofile-function
DeviceFileEvents
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where FileName endswith ".sys"
| where FolderPath contains "CrowdStrike"
| invoke FileProfile(SHA1,10000)
| project FileName, FolderPath, GlobalPrevalence, GlobalFirstSeen, GlobalLastSeen
| sort by GlobalPrevalence desc
// Note: GlobalPrevalence - Number of instances of the entity observed by Microsoft globally
This KQL query is designed to identify CrowdStrike client files with a ".sys" extension that have been created or modified on devices. It specifically looks for these files within folders that contain "CrowdStrike" in their path. The query then uses the FileProfile() function to enrich the data with additional information about these files, such as how prevalent they are globally and when they were first and last seen by Microsoft. Finally, the results are sorted by the global prevalence of the files in descending order.
Here's a simplified breakdown:
Uses the FileProfile() function to get additional details about the files. This helps in understanding the distribution and timeline of CrowdStrike client files across Microsoft Azure globally.
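The same FileProfile() enrichment can be turned toward the BYOVD hunting idea the author mentions: rather than counting a known vendor's drivers, surface driver files that Microsoft has rarely seen or whose signing chain does not root in Microsoft. The query below is an added example, not part of the original post; the 7-day lookback and the prevalence threshold of 500 are assumed tuning values, and the FileProfile() signing columns (Signer, IsCertificateValid, IsRootSignerMicrosoft) are taken from the Microsoft documentation linked above.

```kql
// Added example: hunt for rare or non-Microsoft-signed drivers written to disk.
// Filter as much as possible BEFORE invoke, because FileProfile() only enriches
// up to the row limit passed as its second argument (10000 here, as in the post).
let lookback = 7d;                 // assumption: adjust per environment
let rare_threshold = 500;          // assumption: "rare" cut-off for GlobalPrevalence
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".sys"
| where isnotempty(SHA1)
| invoke FileProfile(SHA1, 10000)
// Flag three independent signals; null prevalence means Microsoft has no record
// of the file at all, which is worth a look on its own.
| extend RareDriver      = isnull(GlobalPrevalence) or GlobalPrevalence < rare_threshold,
         NonMsRootSigner = coalesce(IsRootSignerMicrosoft, false) == false,
         BadSignature    = coalesce(IsCertificateValid, false) == false
| where RareDriver or NonMsRootSigner or BadSignature
| project Timestamp, DeviceName, FileName, FolderPath, SHA1,
          GlobalPrevalence, GlobalFirstSeen, GlobalLastSeen,
          Signer, IsCertificateValid, IsRootSignerMicrosoft,
          RareDriver, NonMsRootSigner, BadSignature,
          InitiatingProcessFileName, InitiatingProcessAccountName
// Least-seen drivers first; files Microsoft has never profiled sort to the top.
| sort by GlobalPrevalence asc nulls first
```

Expect legitimate low-prevalence hits from freshly released vendor drivers; the InitiatingProcess columns are included so those can be triaged by who wrote the file rather than by hash alone.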

Steven Lim
Released: August 25, 2024