Query Details

Multi Cloud Defender XDR KQL Threat Detection

Query

// Multi-Cloud DefenderXDR KQL Threat Detection
// https://www.linkedin.com/posts/activity-7198893996356640769-cow0/

// A composite detection using MDCA threat intelligence to hunt for activities in various cloud environments and resources covered by MDC. 🤯

// Step 1: build a distinct list of IPs that MDCA has tagged as malicious (or categorised as Risky)
// in CloudAppEvents over the last 30 days.
let MaliciousIPs =
CloudAppEvents
| where Timestamp > ago(30d)
| where IPTags has_any ("Brute force attacker", "Password spray attacker", "Malicious", "Tor", "Botnet", "Darknet scanning IP", "Malware C&C server") or IPCategory == "Risky"
| distinct IPAddress;
// Step 2: surface any CloudAuditEvents (MDC-covered cloud resources) in the same window
// whose source IP is on that list.
CloudAuditEvents
| where Timestamp > ago(30d)
| where IPAddress has_any(MaliciousIPs)

Explanation

This KQL query is designed to detect potential threats in various cloud environments using threat intelligence from Microsoft Defender for Cloud Apps (MDCA). Here's a simplified breakdown:

  1. Identify Malicious IPs:

    • The query first looks at cloud application events from the past 30 days.
    • It filters these events to find IP addresses tagged with suspicious or malicious activity (brute force attacks, password spraying, malware command and control servers, and similar), or whose IP category is "Risky".
    • It then creates a distinct list of these malicious IP addresses.
  2. Check Cloud Audit Events:

    • The query then examines cloud audit events from the past 30 days.
    • It filters these events to find any that involve the previously identified malicious IP addresses.

In essence, this query helps to identify and cross-reference malicious activities across different cloud environments by leveraging threat intelligence data to spot potentially harmful IP addresses and their associated activities.
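The same two-step logic, re-implemented in Python over constructed sample rows so the matching behaviour can be checked offline. This is an added example, not the author's query or a Defender XDR API; the row shapes, the ActionType values and the "query time" are assumptions, and IPs are matched exactly rather than with KQL's has_any.

```python
from datetime import datetime, timedelta, timezone

# Tags and category the KQL above treats as malicious.
MALICIOUS_TAGS = {
    "Brute force attacker", "Password spray attacker", "Malicious", "Tor",
    "Botnet", "Darknet scanning IP", "Malware C&C server",
}
LOOKBACK = timedelta(days=30)
NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)  # constructed "query time"

# Constructed rows in the shape of CloudAppEvents (IPTags is a list, as in MDCA).
CLOUD_APP_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "IPAddress": "198.51.100.7",
     "IPTags": ["Tor"], "IPCategory": "Anonymous proxy"},
    {"Timestamp": NOW - timedelta(days=3), "IPAddress": "203.0.113.9",
     "IPTags": [], "IPCategory": "Risky"},
    {"Timestamp": NOW - timedelta(days=45), "IPAddress": "192.0.2.50",
     "IPTags": ["Botnet"], "IPCategory": "Risky"},        # outside the 30-day window
    {"Timestamp": NOW - timedelta(hours=2), "IPAddress": "192.0.2.10",
     "IPTags": ["Corporate"], "IPCategory": "Corporate"},  # benign
]
# Constructed rows in the shape of CloudAuditEvents (ActionType values are assumed).
CLOUD_AUDIT_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=5), "IPAddress": "203.0.113.9", "ActionType": "RoleAssignmentCreated"},
    {"Timestamp": NOW - timedelta(days=2), "IPAddress": "192.0.2.10", "ActionType": "StorageAccountRead"},
    {"Timestamp": NOW - timedelta(days=40), "IPAddress": "198.51.100.7", "ActionType": "VmStart"},  # too old
    {"Timestamp": NOW - timedelta(days=10), "IPAddress": "198.51.100.7", "ActionType": "KeyVaultSecretGet"},
]

def malicious_ips(app_events, now=NOW):
    """Step 1: distinct IPs seen in the last 30 days with a malicious tag or the Risky category."""
    cutoff = now - LOOKBACK
    return {
        e["IPAddress"] for e in app_events
        if e["Timestamp"] > cutoff
        and (MALICIOUS_TAGS.intersection(e["IPTags"]) or e["IPCategory"] == "Risky")
    }

def flagged_audit_events(app_events, audit_events, now=NOW):
    """Step 2: audit events from the last 30 days whose source IP is on the step-1 list."""
    bad = malicious_ips(app_events, now)
    cutoff = now - LOOKBACK
    return [e for e in audit_events if e["Timestamp"] > cutoff and e["IPAddress"] in bad]

if __name__ == "__main__":
    for hit in flagged_audit_events(CLOUD_APP_EVENTS, CLOUD_AUDIT_EVENTS):
        print(hit["Timestamp"].isoformat(), hit["IPAddress"], hit["ActionType"])
```

Note that the 45-day-old Botnet sighting and the 40-day-old audit event both fall outside the window, which is exactly what the two `ago(30d)` filters in the KQL enforce.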

Details

Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents, CloudAuditEvents

Keywords

CloudAppEvents, CloudAuditEvents, Timestamp, IPTags, IPCategory, IPAddress, MaliciousIPs

Operators

let, |, where, >, ago, has_any, or, ==, distinct