KQL Search

Query Details

HomeAI ToolsDevice Query

KQL For Detecting Potential Hashtag Regre SS Hion Abuse

Query

// KQL for detecting potential hashtag#RegreSSHion abuse
// https://www.linkedin.com/posts/activity-7214588446722465792-FwFr/

// ** Assumption **
// Firewall logs stream to CommonSecurityLog 
// 6 OpenSSH connections per min for minimum 6 hours
// 6x60x6 = 2160 connections for past 6 hours
// Attack source is non-distributed, triangulate by country level
// Feel free to adjust the assumption parameters to your environment needs

CommonSecurityLog
| where TimeGenerated >= ago (6h)
| where DestinationPort == "22"
| extend ip_location=geo_info_from_ip_address(SourceIP)
| extend Country=tostring(ip_location.country)
| where Country != ""
| summarize SSH_Connection=count() by Country 
| sort by SSH_Connection desc
| where SSH_Connection > 2160

// If analytics rule get triggered, this probably warrant a deeper investigation

Explanation

This KQL query is designed to detect potential abuse of OpenSSH connections, specifically looking for a high volume of connections that could indicate malicious activity. Here's a simplified summary:

  1. Data Source: The query analyzes firewall logs that are streamed to a table named CommonSecurityLog.
  2. Time Frame: It focuses on logs generated in the past 6 hours.
  3. Port Filtering: It filters the logs to only include connections made to port 22, which is commonly used for SSH.
  4. Geolocation: It determines the geographical location of the source IP addresses and extracts the country information.
  5. Country Filtering: It excludes logs where the country information is missing.
  6. Connection Counting: It counts the number of SSH connections per country.
  7. Sorting and Threshold: It sorts the results by the number of connections in descending order and filters to show only those countries with more than 2160 connections in the past 6 hours.

If the query finds any country with more than 2160 SSH connections in the past 6 hours, it suggests that this could be indicative of potential abuse and warrants further investigation.

Details

Steven Lim profile picture

Steven Lim

Released: August 5, 2024

Tables

CommonSecurityLog

Keywords

CommonSecurityLogFirewallLogsConnectionsSourceIPDestinationPortCountry

Operators

ago>===extendgeo_info_from_ip_addresstostring!=summarizecountbysortdesc>

Actions