Sentinel All In One IP Threat Hunt
Query
// Sentinel All-In-One IP ThreatHunt
// https://www.linkedin.com/pulse/microsoft-sentinel-kql-solo-leveling-steven-lim-8hsqc/
// This KQL query searches across these Sentinel log tables for the ip variable that is defined at the start:
// Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceInfo, DeviceLogonEvents, AzureActivity DeviceNetworkEvents, EmailEvents, OfficeActivity, SecurityEvent, ThreatIntelligenceIndicator, UrlClickEvents, BehaviorAnalytics
let ip = "127.0.0.1";
search in (Anomalies,CloudAppEvents,CommonSecurityLog,DeviceEvents,DeviceFileEvents,DeviceInfo,DeviceLogonEvents,AzureActivity,
DeviceNetworkEvents,EmailEvents,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator,UrlClickEvents,BehaviorAnalytics)
TimeGenerated between (ago(1d) .. now())
and (
// ** Events initiated by this IP **
DestinationIpAddress == ip // Anomalies, UrlClickEvents
or IPAddress == ip // CloudAppEvents
or RemoteIP == ip // CommonSecurityLog, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents
or FileOriginIP == ip // DeviceFileEvents
or SenderIPv4 == ip // EmailEvents
or ClientIP == ip // OfficeActivity
or NetworkDestinationIP == ip // ThreatIntelligenceIndicator
or DestinationIPAddress == ip // BehaviorAnalytics
//
// ** Events affecting this IP **
or SourceIpAddress == ip // Anomalies
or SourceIP == ip // CommonSecurityLog, DeviceEvents
or CallerIpAddress == ip // AzureActivity
or RequestSourceIP == ip // DeviceFileEvents
or PublicIP == ip // DeviceInfo
or LocalIP == ip // DeviceNetworkEvents
or ClientIPAddress == ip // SecurityEvent
or NetworkSourceIP == ip // ThreatIntelligenceIndicator
or SourceIPAddress == ip // BehaviorAnalytics
)
// MITRE ATT&CK Mapping
// EmailEvents (SenderIPv4): Phishing (T1566)
// UrlClickEvents (DestinationIpAddress): Drive-by Compromise (T1189)
// DeviceLogonEvents (RemoteIP): Remote Services (T1021)
// DeviceFileEvents (FileOriginIP): Indicator Removal on Host (T1070)
// DeviceNetworkEvents (LocalIP): Network Service Scanning (T1046)Explanation
This KQL query is designed to search for activities related to a specific IP address, "127.0.0.1", across various Microsoft Sentinel log tables. It looks for events that either originate from or are directed towards this IP address within the last day. The query checks multiple log tables, such as Anomalies, CloudAppEvents, and SecurityEvent, among others, for different fields that might contain the IP address, indicating either the source or destination of an event.
The query is structured to identify two main types of events:
-
Events initiated by this IP: These are events where the specified IP address is the origin, such as when it appears as a destination IP, remote IP, or client IP in various logs.
-
Events affecting this IP: These are events where the specified IP address is the target, such as when it appears as a source IP, caller IP, or public IP in various logs.
Additionally, the query includes references to MITRE ATT&CK techniques, mapping specific log fields to potential attack tactics, such as phishing, drive-by compromise, and network service scanning. This helps in understanding the context of the events in terms of cybersecurity threats.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators