Query Details
// Threat Intelligence Data from Sentinel UEBA
// https://www.linkedin.com/posts/activity-7199353581236338689-AJdl/
// The following KQL query extracts threat intelligence data for Entra users with a score of 5 or higher. This data helps you visualize the types of threats your cloud environment might be facing.
// Here's what you can potentially expect to uncover:
//- Scanner IP addresses
//- Malicious activity identified by honeypots
//- Microsoft Deep Research threat intelligence
//- Command and Control (C2) server communication attempts
//- Port scans
//- Phishing attempts
//- Distributed Denial-of-Service (DDoS) attacks
//- Hacking tools
//- Compromised Entra credential activity
//- Brute-force attacks
//- Remote Code Execution (RCE) vulnerabilities
//- Email spam campaigns
//- Spoofing attempts
// By analyzing this threat intelligence, you can gain valuable insights and take steps to protect your cloud environment. 🫡
// KQL Code:
BehaviorAnalytics
| where TimeGenerated > ago(90d)
// keep only UEBA rows whose device/IP insights matched a threat intelligence indicator
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ThreatIntel = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
// "5 or higher" as described above; the original used "> 5", which would drop priority-5 rows
| where InvestigationPriority >= 5
| distinct ThreatIntel
This KQL query is designed to extract and highlight threat intelligence data for Entra users who have a high threat score (5 or higher) from Microsoft Sentinel's User and Entity Behavior Analytics (UEBA). The goal is to help you understand the types of threats your cloud environment might be facing.
Here's a simple breakdown of what the query does:
- Starts from the BehaviorAnalytics table, where Sentinel UEBA stores its enriched user activity, and keeps only the last 90 days.
- Keeps rows whose DevicesInsights field carries a ThreatIntelIndicatorType, meaning the source device or IP address matched a threat intelligence indicator.
- Pulls the ThreatIntelIndicatorDescription out of DevicesInsights into a ThreatIntel column.
- Keeps only rows with an InvestigationPriority of 5 or higher.
- Returns the distinct threat intelligence descriptions that remain.
By running this query, you can uncover various types of threats such as scanner IP addresses, malicious activities, command and control server attempts, port scans, phishing attempts, DDoS attacks, hacking tools, compromised credentials, brute-force attacks, remote code execution vulnerabilities, email spam campaigns, and spoofing attempts. This information can help you take proactive measures to secure your cloud environment.
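As an added example (not part of the original post), the query below extends the one above so that, instead of a bare list of descriptions, it summarizes per indicator type how many users and source IPs were involved and when they were first and last seen, which is what an analyst needs to prioritize follow-up. It assumes the BehaviorAnalytics columns UserPrincipalName and SourceIPAddress are populated, and that DevicesInsights.ThreatIntelIndicatorType holds the indicator category.

```kql
// Added example: triage view over Sentinel UEBA threat intelligence matches.
// Assumes UserPrincipalName and SourceIPAddress exist in BehaviorAnalytics.
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where InvestigationPriority >= 5
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend IndicatorType = tostring(DevicesInsights.ThreatIntelIndicatorType),
         ThreatIntel   = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
// drop rows where the description did not materialize
| where isnotempty(ThreatIntel)
| summarize Events    = count(),
            Users     = dcount(UserPrincipalName),
            SourceIPs = dcount(SourceIPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            // a few affected accounts per row to start the investigation from
            SampleUsers = make_set(UserPrincipalName, 5)
    by IndicatorType, ThreatIntel
| order by Users desc, Events desc
```

Sort by Users to surface indicators touching many accounts (e.g. a credential-stuffing source), or by LastSeen to focus on activity that is still ongoing.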

Steven Lim
Released: August 2, 2024