Detecting Suspicious Activities in Microsoft Sentinel: Writing Threat-Hunting Queries Using KQL

Unleashing Your Inner Cyber Sleuth with KQL in Microsoft Sentinel

Microsoft Sentinel is a powerful cloud-native Security Information and Event Management (SIEM) solution that empowers organizations to detect, investigate, and respond to security threats. One of its core strengths is the ability to perform proactive threat hunting using Kusto Query Language (KQL). By writing effective KQL queries, security analysts can uncover suspicious activities, identify potential threats, and strengthen their organization's security posture. In this blog post, we'll explore how to write threat-hunting queries in Microsoft Sentinel using KQL, with practical examples and best practices.

Why Threat Hunting in Microsoft Sentinel?

Threat hunting is the proactive process of searching for hidden threats or anomalies within an organization's environment. Unlike reactive incident response, threat hunting assumes that adversaries may already be present and focuses on finding them before they cause harm. Microsoft Sentinel's integration with Azure Data Explorer and its use of KQL make it an ideal platform for threat hunting, offering:

• Scalability: Handle massive volumes of security data from multiple sources.

• Flexibility: Write custom queries to detect specific behaviors or patterns.

• Integration: Correlate data from Azure, Microsoft 365, and third-party sources.

• Automation: Schedule queries or create analytics rules for continuous monitoring.

KQL is a user-friendly, SQL-like query language that allows analysts to filter, aggregate, and analyze log data efficiently. Let's dive into how to craft KQL queries for threat hunting in Microsoft Sentinel.

Getting Started with KQL in Microsoft Sentinel

Before writing queries, familiarize yourself with Microsoft Sentinel's Logs blade, where you can run KQL queries against your data. Key tables for threat hunting include:

• SecurityEvent: Windows event logs, including login events.

• SigninLogs: Azure Active Directory sign-in activities.

• OfficeActivity: Microsoft 365 activities (e.g., SharePoint, Exchange).

• AzureActivity: Azure resource management logs.

• Syslog: Linux and network device logs.

To access these tables, ensure your data sources are connected to Sentinel and logs are being ingested.

Writing Threat-Hunting Queries: Best Practices

Effective threat-hunting queries are specific, efficient, and actionable. Follow these best practices:

1. Define Your Hypothesis: Start with a clear goal. For example, "Detect multiple failed login attempts followed by a successful login," which could indicate brute-force attacks.

2. Use Filters Early: Apply filters like where clauses to reduce data volume and improve query performance.

3. Leverage Joins and Summarization: Correlate data across tables and aggregate results to identify patterns.

4. Test and Refine: Run queries on a small dataset first, then scale up. Adjust thresholds to minimize false positives.

5. Schedule or Automate: Convert successful queries into analytics rules or scheduled hunts for ongoing monitoring.

Now, let's explore some practical KQL queries for common threat-hunting scenarios.

Example 1: Detecting Brute-Force Login Attempts

Brute-force attacks involve repeated login attempts to guess credentials. To detect this, we can look for multiple failed logins followed by a successful login from the same IP address.

let timeWindow = 1h;
let failedThreshold = 5;
SigninLogs
| where TimeGenerated > ago(timeWindow)
| where ResultType != 0  // Failed logins
| summarize FailedCount = count() by UserPrincipalName, IPAddress
| where FailedCount >= failedThreshold
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(timeWindow)
    | where ResultType == 0  // Successful login
) on UserPrincipalName, IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, FailedCount, ResultDescription

Explanation:

• timeWindow and failedThreshold set the time range and minimum failed attempts.

• The first part counts failed logins (ResultType != 0) per user and IP.

• The join correlates with successful logins (ResultType == 0) from the same user and IP.

• The result shows potential brute-force successes for investigation.

Example 2: Identifying Suspicious PowerShell Activity

Adversaries often use PowerShell for malicious activities. This query detects unusual PowerShell command executions in Windows event logs.

SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688  // Process creation events
| where ProcessName contains "powershell.exe"
| where CommandLine !contains "expected_script_name"  // Exclude known scripts
| summarize CommandCount = count(), Commands = make_set(CommandLine) by Account, Computer
| where CommandCount > 3
| project TimeGenerated, Account, Computer, CommandCount, Commands

Explanation:

• Filters for process creation events (EventID == 4688) involving powershell.exe.

• Excludes known, legitimate scripts to reduce noise.

• Aggregates commands by user and computer, flagging accounts with high PowerShell activity.

• Outputs commands for review, helping identify malicious scripts.

Example 3: Detecting Data Exfiltration via SharePoint Downloads

Data exfiltration often involves unusual file downloads from SharePoint. This query identifies users downloading multiple files in a short period.

OfficeActivity
| where TimeGenerated > ago(1h)
| where Operation == "FileDownloaded" and OfficeWorkload == "SharePoint"
| summarize DownloadCount = count(), Files = make_set(OfficeObjectId) by UserId, ClientIP
| where DownloadCount > 10
| project TimeGenerated, UserId, ClientIP, DownloadCount, Files

Explanation:

• Targets SharePoint file download events (Operation == "FileDownloaded").

• Aggregates downloads by user and IP, flagging users with more than 10 downloads in an hour.

• Lists downloaded files for context, aiding investigation of potential exfiltration.

Advanced Techniques

To enhance your threat-hunting queries:

• Use Machine Learning: Leverage Sentinel’s built-in machine learning functions, like anomalydetection, to identify outliers.

• Incorporate Threat Intelligence: Join your queries with threat intelligence feeds (e.g., ThreatIntelligenceIndicator) to detect known malicious IPs or domains.

• Visualize Results: Use Sentinel’s workbooks to create dashboards for query results, making patterns easier to spot.

• Chain Behaviors: Look for sequences of events, like a failed login followed by a privilege escalation, to detect multi-stage attacks.

Converting Queries to Analytics Rules

Once a query proves effective, turn it into an analytics rule for automated alerting:

1. Go to Analytics in Sentinel.

2. Create a new rule and paste your KQL query.

3. Set a schedule (e.g., run every hour) and a look-back period.

4. Define alert thresholds and actions (e.g., create an incident or send an email).

5. Test the rule to ensure it generates meaningful alerts.

TLDR

Threat hunting with KQL in Microsoft Sentinel empowers security teams to proactively uncover suspicious activities and mitigate risks. By crafting targeted queries, leveraging Sentinel’s rich data sources, and following best practices, you can detect threats like brute-force attacks, malicious PowerShell activity, or data exfiltration. Start with simple queries, refine them based on your environment, and automate them for continuous monitoring. With practice, KQL can become a cornerstone of your threat-hunting strategy, helping you stay one step ahead of adversaries.

Happy hunting!