KQL Search

Query Details

HomeAI ToolsDevice Query

IOC Search

Query

// ENTER IOCS INTO THE BELOW LIST
// can be any combination of IPs, domains, filenames, or hashes
let Search = dynamic(["1.2.3.4", "example.com", "malware.exe"]);
// search for events in all tables
let processes = DeviceProcessEvents
| where FolderPath has_any (Search) or
        MD5 has_any (Search) or
        SHA1 has_any (Search) or
        SHA256 has_any (Search)
| extend Type = "Process";
let files = DeviceFileEvents
| where FolderPath has_any (Search) or
        MD5 has_any (Search) or
        SHA1 has_any (Search) or
        SHA256 has_any (Search)
| extend Type = "File Operation";
let netcons = DeviceNetworkEvents
| where RemoteIP has_any (Search) or
        RemoteUrl has_any (Search)
| extend Type = "Network Connection";
// join with final query
EmailAttachmentInfo
| where FileName has_any (Search) or
        SHA256 has_any (Search)
| extend Type = "EmailAttachment"
| join kind=fullouter processes on Timestamp
| join kind=fullouter files on Timestamp
| join kind=fullouter netcons on Timestamp
| project Timestamp=coalesce(Timestamp, Timestamp1, Timestamp2, Timestamp3),
          DeviceName=coalesce(DeviceName, DeviceName1, DeviceName2),
          EventType=coalesce(Type, Type1, Type2, Type3),
          SHA256=coalesce(SHA256, SHA2561, SHA2562),
          FolderPath=coalesce(FolderPath, FolderPath1),
          ProcessCommandLine,
          AccountName,
          AccountUpn,
          InitiatingProcessAccountName=coalesce(InitiatingProcessAccountName, InitiatingProcessAccountName1, InitiatingProcessAccountName2),
          InitiatingProcessAccountUpn=coalesce(InitiatingProcessAccountUpn, InitiatingProcessAccountUpn1, InitiatingProcessAccountUpn2),
          InitiatingProcessCommandLine=coalesce(InitiatingProcessCommandLine, InitiatingProcessCommandLine1, InitiatingProcessCommandLine2),
          InitiatingProcessFolderPath=coalesce(InitiatingProcessFolderPath, InitiatingProcessFolderPath1, InitiatingProcessFolderPath2),
          FileOriginIP,
          FileOriginUrl,
          RequestProtocol,
          RequestSourceIP,
          RequestAccountName,
          RemoteIP,
          RemotePort,
          RemoteUrl,
          LocalIP,
          Protocol,
          NetworkMessageId,
          SenderFromAddress,
          RecipientEmailAddress,
          MD5=coalesce(MD5, MD51),
          SHA1=coalesce(SHA1, SHA11)

Explanation

The query is searching for events related to a list of IOCs (Indicators of Compromise) such as IP addresses, domains, filenames, or hashes. It searches for these IOCs in different tables (DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, and EmailAttachmentInfo) and joins the results together. The final result includes information such as timestamps, device names, event types, file paths, process details, network connections, and email attachment information.

Details

C.J. May profile picture

C.J. May

Released: September 27, 2022

Tables

DeviceProcessEventsDeviceFileEventsDeviceNetworkEventsEmailAttachmentInfo

Keywords

Keywords:Devices,Intune,User,IPs,domains,filenames,hashes,Search,FolderPath,MD5,SHA1,SHA256,Type,RemoteIP,RemoteUrl,FileName,Timestamp,DeviceName,EventType,ProcessCommandLine,AccountName,AccountUpn,InitiatingProcessAccountName,InitiatingProcessAccountUpn,InitiatingProcessCommandLine,InitiatingProcessFolderPath,FileOriginIP,FileOriginUrl,RequestProtocol,RequestSourceIP,RequestAccountName,RemotePort,LocalIP,Protocol,NetworkMessageId,SenderFromAddress,RecipientEmailAddress

Operators

has_anywhereextendjoinprojectcoalesce

Actions