KQL Search

Query Details

HomeAI ToolsDevice Query

Potentialmaliciouseventsmap

Query

//This is the query that produces the Potential Malicious Events map on the entry page for Microsoft Sentinel

union isfuzzy=true
    (W3CIISLog
    | extend
        TrafficDirection = "InboundOrUnknown",
        Country=RemoteIPCountry,
        Latitude=RemoteIPLatitude,
        Longitude=RemoteIPLongitude),
    (DnsEvents
    | extend
        TrafficDirection = "InboundOrUnknown",
        Country= RemoteIPCountry,
        Latitude = RemoteIPLatitude,
        Longitude = RemoteIPLongitude),
    (WireData
    | extend
        TrafficDirection = iff(Direction != "Outbound", "InboundOrUnknown", "Outbound"),
        Country=RemoteIPCountry,
        Latitude=RemoteIPLatitude,
        Longitude=RemoteIPLongitude),
    (WindowsFirewall
    | extend
        TrafficDirection = iff(CommunicationDirection != "SEND", "InboundOrUnknown", "Outbound"),
        Country=MaliciousIPCountry,
        Latitude=MaliciousIPLatitude,
        Longitude=MaliciousIPLongitude),
    (CommonSecurityLog
    | extend
        TrafficDirection = iff(CommunicationDirection !in ("Outbound", "1"), "InboundOrUnknown", "Outbound"),
        Country=MaliciousIPCountry,
        Latitude=MaliciousIPLatitude,
        Longitude=MaliciousIPLongitude,
        Confidence=ThreatDescription,
        Description=ThreatDescription),
    (VMConnection
    | where Type == "VMConnection"
    | extend
        TrafficDirection = iff(Direction != "outbound", "InboundOrUnknown", "Outbound"),
        Country=RemoteCountry,
        Latitude=RemoteLatitude,
        Longitude=RemoteLongitude,
        MaliciousIP=MaliciousIp)
| where isnotempty(MaliciousIP)
    and isnotempty(Country)
    and isnotempty(Latitude)
    and isnotempty(Longitude)

Explanation

This query combines data from different sources (W3CIISLog, DnsEvents, WireData, WindowsFirewall, CommonSecurityLog, and VMConnection) to create a map of potential malicious events. It includes information such as traffic direction, country, latitude, and longitude. The query filters out any entries that do not have a malicious IP, country, latitude, or longitude.

Details

Rod Trent profile picture

Rod Trent

Released: March 4, 2022

Tables

W3CIISLogDnsEventsWireDataWindowsFirewallCommonSecurityLogVMConnection

Keywords

Devices,Intune,User

Operators

unionisfuzzyW3CIISLogextendTrafficDirectionCountryRemoteIPCountryLatitudeRemoteIPLatitudeLongitudeRemoteIPLongitudeDnsEventsWireDataiffDirectionOutboundWindowsFirewallCommunicationDirectionSENDMaliciousIPCountryMaliciousIPLatitudeMaliciousIPLongitudeCommonSecurityLoginOutbound1VMConnectionwhereTypeVMConnectionisnotemptyMaliciousIPandisnotemptyCountryandisnotemptyLatitudeandisnotemptyLongitude

Actions