
KQL Cafe - October 2024

Recording and Presentation

Hosts

Guests

News

KustoCon

MC906487 - Microsoft Defender XDR: InitiatingProcessFolderPath changes to include file names

Microsoft Defender for Endpoint will update the InitiatingProcessFolderPath to include file names in all tables, affecting Windows activity. This change will be globally available on November 4, 2024, requiring updates to custom detection rules and queries.

Before this rollout, the InitiatingProcessFolderPath column is inconsistent across action types. Some columns include the file name, and other columns do not include the file name. After the rollout, all Microsoft Defender for Endpoint action types across all tables will report the full path including the file name of the initiating process in the InitiatingProcessFolderPath column.

Consider the following example to be the new normal: InitiatingProcessFolderPath == c:\temp\file.exe. An example of a possible current implementation that will be retired with this change: InitiatingProcessFolderPath == c:\temp\. Custom detection rules and queries that reference InitiatingProcessFolderPath may be affected.
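The practical question behind MC906487 is how a custom detection keeps working on both sides of the rollout. The query below is an added example written for these notes, not from the message center post or the KQL Cafe hosts; it uses the documented DeviceProcessEvents columns, and the folder path c:\temp\ is the constructed sample from the announcement. It rebuilds a consistent folder value whether or not the file name is appended, then matches on the dedicated InitiatingProcessFileName column instead of the trailing path segment.

```kql
// Added example (not the page's own query). Column names follow the Advanced Hunting
// schema for DeviceProcessEvents; c:\temp\ and file.exe are constructed sample values.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Normalise the folder: if the column already ends with the initiating file name
// (post-rollout behaviour), strip it; otherwise keep the value as-is (pre-rollout).
| extend InitFolder = iff(
      isnotempty(InitiatingProcessFileName) and InitiatingProcessFolderPath endswith InitiatingProcessFileName,
      substring(InitiatingProcessFolderPath, 0, strlen(InitiatingProcessFolderPath) - strlen(InitiatingProcessFileName)),
      InitiatingProcessFolderPath)
// Match on the folder prefix (startswith is case-insensitive) rather than an exact
// folder string, which would have stopped matching once file names are appended.
| where InitFolder startswith @"c:\temp\"
// Use the file-name column for the executable instead of parsing it out of the path.
| where InitiatingProcessFileName =~ "file.exe"
| project Timestamp, DeviceName, InitFolder, InitiatingProcessFolderPath,
          InitiatingProcessFileName, FileName, ProcessCommandLine
```

An exact comparison such as InitiatingProcessFolderPath == @"c:\temp\" is the pattern the announcement says will stop matching after November 4, 2024; the prefix match plus the file-name column is the shape that survives the change and can be kept afterwards.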

Unleash The Power Of DeviceTvmInfoGathering

Rod Trent shared his session content from the Midwest Management Summit Flamingo Edition 2024.

KQL Threathunting with JohnDCyber

Explore a collection of KQL queries crafted for dynamic threat hunting across a diverse range of topics, techniques, and use cases! These queries are designed as your launchpad - ready to be tailored to your unique environment and evolving threat landscape.

Azure MFA Enforcement

Nicola Suter wrote some KQL queries covering Microsoft's mandatory multifactor authentication requirement for Azure and other admin portals.

Defender for Cloud Apps – Shadow Reporting

If you have queries on McasShadowItReporting, note the value change for the StreamName for MDE data.

Possible values in StreamName for MDE are:

  • Defender-managed-endpoints
  • Win10 Endpoint Users

Defender-managed-endpoints refers to all Windows and Mac devices onboarded in MDE that gather network data and share it with Defender for Cloud Apps for Shadow IT discovery. Win10 Endpoint Users is the old name of the stream.

Our Guest

What did you do with KQL This month?

MDE - Defender Antivirus Exclusion Enumeration activities

Mitigations for CVE-2024-38124 - Implement monitoring for any suspicious renaming activities of computers within the network

MDE-DefaultLocalAdmin-Logon

Contribution from Loris Ambrozzo

This KQL query identifies logon events for the default local administrator (.\Administrator) with a SID starting with S-1-5 and ending with 500 (per the well-known SIDs). As the default domain administrator's SID also starts with S-1-5 and ends with -500, the query includes a table containing the default domain administrator's SID of the domain so that those logons can be excluded.
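The following is an added example of the approach just described, written for these notes and not Loris Ambrozzo's contributed query. It assumes the documented DeviceLogonEvents columns (AccountSid, AccountName, AccountDomain, LogonType, ActionType); the domain SID in the exclusion table is a constructed placeholder to be replaced with your own domain's SID. It narrows the match to the S-1-5-21-...-500 structure that both machine-local and domain RID-500 accounts share, then removes the domain one.

```kql
// Added example (not the contributed query). The domain SID below is a constructed
// placeholder: replace it with the real domain SID(s), keeping the -500 RID.
let DomainAdminSids = datatable(AccountSid:string) [
    "S-1-5-21-1111111111-2222222222-3333333333-500"
];
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
// RID 500 under a machine or domain SID: S-1-5-21-<three sub-authorities>-500.
| where AccountSid matches regex @"^S-1-5-21-\d+-\d+-\d+-500$"
// The built-in domain Administrator also carries RID 500; drop it via the table.
| where AccountSid !in (DomainAdminSids)
| summarize LogonCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            LogonTypes = make_set(LogonType)
          by DeviceName, AccountDomain, AccountName, AccountSid
| order by LastSeen desc
```

Summarising per device and SID (rather than per event) keeps the output small enough to review, and the LogonTypes set makes it easy to see whether the built-in local account is being used interactively or over the network, which is usually the more interesting case when the account should be disabled or LAPS-managed.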

Defender deployment Rings

Gianni shared a few queries to gather Defender Antivirus deployment Ring information.

// 1. Expose the JSON carried in AdditionalFields
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)

// 2. Unpack every key of the bag into its own column
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF)

// 3. Keep only the signature-related columns
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF)
| project-keep *Signature*

// 4. ... plus when the device last reported
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF)
| project-keep *Signature*, LastSeenTime

// 5. ... plus DeviceId, joined to the most recent DeviceInfo record per device
DeviceTvmInfoGathering
| extend AF = parse_json(AdditionalFields)
| evaluate bag_unpack(AF)
| project-keep *Signature*, LastSeenTime, DeviceId
| join kind=inner (DeviceInfo | summarize arg_max(Timestamp, *) by DeviceId) on DeviceId