KQL Search

Query Details

HomeAI ToolsDevice Query

Perimeter Defense Attack Surface Reduction

Query

// Perimeter Defense - Attack Surface Reduction
// https://www.linkedin.com/posts/activity-7188046653184991232-JLS6/

// In these days cyberattacks are mostly conducted through email attacks, adversary would spray your tenant and if one of your users who happened to click on the link and with vulnerable endpoint then threat actor would probably start to gain a foothold in your environment. The below KQL checks for your organization top 10 most attack email users and query their corporate endpoints for list of vulnerabilities. I believe if you addressed those critical & high vulnerabilities of these endpoints, potentially this will help you reduce your attack surface. 🫡 

let Top10AttackEmailUsers=
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound" and DeliveryAction == "Blocked"
| summarize Count=count() by RecipientEmailAddress
| sort by Count desc
| take 10
| project RecipientEmailAddress;
let Top10AttackUserDevices=
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where DeviceTrustType == "Azure AD registered" or DeviceTrustType == "Hybrid Azure AD joined"
| where AccountUpn has_any(Top10AttackEmailUsers)
| distinct DeviceName;
DeviceTvmSoftwareVulnerabilities
| where DeviceName has_any(Top10AttackUserDevices)
| sort by VulnerabilitySeverityLevel asc

Explanation

This KQL query identifies the top 10 email users in an organization who have been targeted the most by blocked inbound email attacks over the past 30 days. It then checks the corporate devices used by these users for any vulnerabilities. Here's a simple breakdown:

  1. Identify Top 10 Targeted Email Users:

    • Look at email events from the last 30 days.
    • Filter for inbound emails that were blocked.
    • Count the number of blocked emails for each recipient.
    • Sort and take the top 10 recipients with the highest counts.

  2. Find Devices Used by These Users:

    • Look at sign-in events from the last 7 days.
    • Filter for devices that are either "Azure AD registered" or "Hybrid Azure AD joined".
    • Match these devices to the top 10 targeted email users.
    • Get a distinct list of these devices.

  3. Check for Vulnerabilities on These Devices:

    • Look at the list of software vulnerabilities on the identified devices.
    • Sort the vulnerabilities by their severity level.

The goal is to address critical and high vulnerabilities on these devices to potentially reduce the organization's attack surface.

Details

Steven Lim profile picture

Steven Lim

Released: August 2, 2024

Tables

EmailEventsAADSignInEventsBetaDeviceTvmSoftwareVulnerabilities

Keywords

EmailEventsDevicesVulnerabilities

Operators

letwhereagosummarizecountbysortdesctakeprojectorhas_anydistinctasc

Actions