Query Details

Sentinel All In One IP Threat Hunt

Query

// Sentinel All-In-One IP ThreatHunt
// https://www.linkedin.com/pulse/microsoft-sentinel-kql-solo-leveling-steven-lim-8hsqc/

// This KQL query searches across these Sentinel log tables for the ip variable that is defined at the start:
// Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceInfo, DeviceLogonEvents, AzureActivity, DeviceNetworkEvents, EmailEvents, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator, UrlClickEvents, BehaviorAnalytics

let ip = "127.0.0.1";
search in (Anomalies,CloudAppEvents,CommonSecurityLog,DeviceEvents,DeviceFileEvents,DeviceInfo,DeviceLogonEvents,AzureActivity,
DeviceNetworkEvents,EmailEvents,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator,UrlClickEvents,BehaviorAnalytics)
TimeGenerated between (ago(1d) .. now())
and (
// ** Events initiated by this IP **
DestinationIpAddress == ip          // Anomalies, UrlClickEvents  
or IPAddress == ip                  // CloudAppEvents
or RemoteIP == ip                   // CommonSecurityLog, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents  
or FileOriginIP == ip               // DeviceFileEvents
or SenderIPv4 == ip                 // EmailEvents
or ClientIP == ip                   // OfficeActivity
or NetworkDestinationIP == ip       // ThreatIntelligenceIndicator
or DestinationIPAddress == ip       // BehaviorAnalytics 
//
// ** Events affecting this IP **
or SourceIpAddress == ip            // Anomalies
or SourceIP == ip                   // CommonSecurityLog, DeviceEvents
or CallerIpAddress == ip            // AzureActivity
or RequestSourceIP == ip            // DeviceFileEvents
or PublicIP == ip                   // DeviceInfo
or LocalIP == ip                    // DeviceNetworkEvents
or ClientIPAddress == ip            // SecurityEvent
or NetworkSourceIP == ip            // ThreatIntelligenceIndicator
or SourceIPAddress == ip            // BehaviorAnalytics 
)

Explanation

This KQL query is designed to search for a specific IP address ("127.0.0.1") across multiple log tables in Microsoft Sentinel. It looks for events that either originate from or are directed towards this IP address within the last 24 hours. The query checks various fields in each log table to find any matches with the specified IP address. Here’s a simplified breakdown:

  1. Define the IP Address: The IP address to search for is set to "127.0.0.1".
  2. Search Across Multiple Tables: The query searches in the following tables: Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceInfo, DeviceLogonEvents, AzureActivity, DeviceNetworkEvents, EmailEvents, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator, UrlClickEvents, and BehaviorAnalytics.
  3. Time Range: The search is limited to events that occurred in the last 24 hours.
  4. Match IP in Different Fields: The query checks various fields in each table to see if they match the specified IP address. These fields are categorized into:
    • Events initiated by this IP: Fields like DestinationIpAddress, IPAddress, RemoteIP, etc.
    • Events affecting this IP: Fields like SourceIpAddress, SourceIP, CallerIpAddress, etc.

In essence, this query helps identify any activity related to the specified IP address across a wide range of log data in Microsoft Sentinel.
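A raw search across fifteen tables returns every matching row with the union of all their columns, which is hard to read at a glance. The variant below is an added example, not part of the original query: it keeps the same table list and field predicates but folds the result into a per-table triage summary (hit count, first and last sighting), so an analyst can see which data sources actually saw the IP before drilling into any one of them. The lookback variable and the output column names are assumptions for illustration; the IP value is the original's placeholder and should be replaced with the indicator under investigation.

```kql
// Added example: per-table summary of hits for one IP across Sentinel tables.
// Same table list and field mappings as the original query; only the output shape differs.
let ip = "127.0.0.1";          // placeholder from the original; replace with the indicator under investigation
let lookback = 1d;             // assumed: keep the window short, a cross-table search is expensive
search in (Anomalies,CloudAppEvents,CommonSecurityLog,DeviceEvents,DeviceFileEvents,DeviceInfo,DeviceLogonEvents,AzureActivity,
DeviceNetworkEvents,EmailEvents,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator,UrlClickEvents,BehaviorAnalytics)
TimeGenerated > ago(lookback)
and (
    DestinationIpAddress == ip      // Anomalies, UrlClickEvents
    or IPAddress == ip              // CloudAppEvents
    or RemoteIP == ip               // CommonSecurityLog, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents
    or FileOriginIP == ip           // DeviceFileEvents
    or SenderIPv4 == ip             // EmailEvents
    or ClientIP == ip               // OfficeActivity
    or NetworkDestinationIP == ip   // ThreatIntelligenceIndicator
    or DestinationIPAddress == ip   // BehaviorAnalytics
    or SourceIpAddress == ip        // Anomalies
    or SourceIP == ip               // CommonSecurityLog, DeviceEvents
    or CallerIpAddress == ip        // AzureActivity
    or RequestSourceIP == ip        // DeviceFileEvents
    or PublicIP == ip               // DeviceInfo
    or LocalIP == ip                // DeviceNetworkEvents
    or ClientIPAddress == ip        // SecurityEvent
    or NetworkSourceIP == ip        // ThreatIntelligenceIndicator
    or SourceIPAddress == ip        // BehaviorAnalytics
)
// $table is the virtual column search emits to name the source table of each row
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Table = $table
| order by Hits desc
```

Read the summary top-down: a hit in ThreatIntelligenceIndicator alone means the IP is on a feed but was not observed; hits in DeviceNetworkEvents or SecurityEvent mean a host actually talked to or was contacted by it, which is where the investigation should go next. Once the interesting table is known, rerun the original query restricted to that single table to get the full rows.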

Details


Steven Lim

Released: August 2, 2024

Tables

Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceInfo, DeviceLogonEvents, AzureActivity, DeviceNetworkEvents, EmailEvents, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator, UrlClickEvents, BehaviorAnalytics

Keywords

Sentinel, Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceInfo, DeviceLogonEvents, AzureActivity, DeviceNetworkEvents, EmailEvents, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator, UrlClickEvents, BehaviorAnalytics

Operators

let, search, in, between, ago, now, and, or
