Index
Symbols
+ (Add) operator, KQL, 169
/ (Divide) operator, KQL, 169
-- (Equals) operator, KQL, 169–170
> (Greater) operator, KQL, 169
>- (Greater or Equal) operator, KQL, 169–170
< (Less) operator, KQL, 169
<- (Less or Equal) operator, KQL, 169
% (Modulo) operator, KQL, 169
* (Multiply) operator, KQL, 169
!- (Not equals) operator, KQL, 169
!in (Not equals to any of the elements) operator, KQL, 169
− (Subtract) operator, KQL, 169
A
AAD user, Logic Apps, 115
access control, 15
Add (+) operator, KQL, 169
adversaries, knowledge of, 8
aggregation reference, KQL (Kusto Query Language), 172
alerts
and bookmarks, 97
analysts
“single pane of glass,” 7
SOC (security operations center), 5
analytic rules
analytics
component, 15
justification for usage, 33–34
Analytics dashboard, accessing, 34–37
any() function, KQL, 172
Apache Struts, vulnerability in, 2
architecture, Azure Sentinel, 13–15
arg_max() function, KQL, 172
arg_min() function, KQL, 172
attack timeline with alerts, 61
attrib tool, use with WannaCry, 34
Audit Logs hunting queries, 70
automation
avg() function, KQL, 172
AWS (Amazon Web Services), connecting with, 151–157
AWS CloudTrail hunting queries, 70
Azure Active Directory Identity Protection, 25–29
Azure Activity hunting queries, 70
Azure Activity Log, 22–23. See also log data
Azure Logic Apps, 43
Azure Security Center, connecting to, 23–25
Azure Sentinel
accessing in Azure Portal, 52
accessing ingested data, 29–32
addressing SecOps challenges, 11
adoption considerations, 15–16
analytics, 15
cases, 14
components, 14
core capabilities, 12
dashboards, 14
data collection, 12
data connectors, 14
documentation, 11
hunting, 14
incidents page, 53
investigation of threats, 12
Log Analytics workspace, 15–16
notebooks, 14
overview, 1
Playbooks, 14
rapid response, 12
Technical Community blogs, 107
threat detection, 12
B
Base64-encoded contents, decoding, 103
Bitcoin ransom
coin-mining malware, 4
paying via Petya, 1
black box rules, 44
bokeh library, 99
bookmarks. See also queries
and alerts, 97
using with incidents, 56, 67–69
bool type, KQL, 166
buildschema() function, KQL, 172
C
cases, 14
CDF collector, installing, 146–147
CDOC (Cyber Defense Operations Center), 6
CEF (Common Event Format), 20, 160
CISOs (Chief Information Security Officers), 1, 7
clustering, finding outliers with, 103–104
coin-mining malware, 4
Collection, ATT&CK Matrix, 66
columns, adding and removing in KQL, 172–173
Command And Control, ATT&CK Matrix, 66
comments, using with incidents, 56
community-based hunting queries, 77–78
comparison operators, KQL (Kusto Query Language), 169
connecting
with AWS (Amazon Web Services), 151–157
Consumer Interview System, 3
Containment, incident management, 51–52
count() function, KQL, 172
countif() function, KQL, 172
Credential Access, ATT&CK Matrix, 66
CTI (cyberthreat intelligence), 8
Custom Deployment blade, post-incident automation, 126
CVE-2017-0145 critical vulnerability, 33
CVE-2017-5638 critical vulnerability, 2–3
cyberattacks in Europe, 1
cyberdefense operations, fusion center model, 6
D
DART (Detection and Response Team), Microsoft, 3–5
dashboards, 14
data
exporting to Excel, 143
data connectors, 14
data sets, linking/displaying, 105
data sources, considering, 16
data visualization
Azure Sentinel workbooks, 131–132
Excel, 143
DataFrame, using with pandas, 92, 95, 105
datetime type, KQL, 166
DBScan algorithm, using to cluster processes, 104
dcount() function, KQL, 172
decimal type, KQL, 166
decoding obfuscated data, Notebooks, 103
Defender Advanced Threat Protection, Microsoft, 3–4
Defense Evasion, ATT&CK Matrix, 66
deployment considerations, 16
Detection and Analysis, incident management, 51–52
Discovery, ATT&CK Matrix, 66
Divide (/) operator, KQL, 169
DNS Events hunting queries, 71
DNS Proxies incident, 56
documentation, Azure Sentinel, 11
DSVM (Data Science Virtual Machine), 87
dynamic type, KQL, 166
E
Edit API Connection blade, post-incident automation, 127
Edit Template blade, post-incident automation, 126
email messages, scanning by Office 365, 4
entities, using with incidents, 56, 59
Enumeration of users and groups, hunting query, 68
Equals (--) operator, KQL, 169–170
Equals to one of the elements (in) operator, KQL, 169
Equifax network, 3
Eradication, incident management, 51–52
Europe, cyberattacks in, 1
evaluate operator, KQL (Kusto Query Language), 175–176
event timelines, Notebooks, 99–100. See also Timeline
evidence, 14
Excel, exporting data to, 143
Execution, ATT&CK Matrix, 65
Exfiltration, ATT&CK Matrix, 66
Exploration Notebooks, 94
exploration queries, 61. See also queries
exporting data to Microsoft Excel, 143
extend, KQL (Kusto Query Language), 173
F
finding outliers with clustering, Notebooks, 103–104
forensics analysts, 5
Fortinet, connecting with, 145–151
fullouter join, KQL, 175
fusion center model, cyberdefense operations, 6
G
geomapping IP addresses, Notebooks, 106
GitHub repository, 70, 85–86, 107
Greater (>) operator, KQL, 169
H
Hellen, Ian, 79
HTTP Data Collector API, 20
hunting, 14
hunting and investigation, notebooks, 94–106
Hunting dashboard, accessing, 64–68
hunting queries. See also threat hunting
I
Impact, ATT&CK Matrix, 66
in (Equals to one of the elements) operator, KQL, 169
!in (Not equals to any of the elements) operator, KQL, 169
incident management. See also security incidents
Initial Access, ATT&CK Matrix, 65
inner join, KQL, 175
innerunique join, KQL, 175
int type, KQL, 166
integration costs, reducing, 21
IntelliSense capability, using, 31
investigation
of threats, 12
Tier 2, 5
IOA (indicators of attack), 34
IOCs (indicators of compromise), 33, 101–102
IP addresses
geomapping, 106
looking up, 102
J
join, KQL (Kusto Query Language), 174–175
Jupyter Notebooks. See also Notebooks
audiences, 83
data persistence, repeatability, backtracking, 81
data processing, 82
interactive display environment, 81–82
ipywidgets, 98
joining to external data, 82
machine learning, 82
scripting and programming, 81
use cases, 83
visualization, 82
Jupyter server options, Azure Notebooks, 86–87
JupyterHub, 87
K
Kassis, Mike, 163
Koren, Koby, 110
KQL (Kusto Query Language)
accessing ingested data, 29–32
adding and removing columns, 172–173
aggregation reference, 172
comparison operators, 169
extend, 173
learning resources, 177
limiting data, 168
numerical operators, 169
project and project-away statements, 172–173
sorting data, 168
SQL, 164
take operator, 168
union, 174
KQL queries
Palo Alto Networks firewalls, 161–162
substituting Python variables in, 93–94
Kqlmagic. See also queries
and QueryProvider, 96
L
Lateral Movement, ATT&CK Matrix, 66
leftanti join, KQL, 175
leftouter join, KQL, 175
leftsemi join, KQL, 175
Less (<) operator, KQL, 169
Less or Equal (<-) operator, KQL, 169
linking/displaying related data sets, Notebooks, 105
Log Analytics workspace, 15–16, 157
log data ingestion time, 49
log data, sending to workspaces, 20. See also Azure Activity Log
logon information, querying, 98–99
long type, KQL, 166
M
make_bag() function, KQL, 172
make_list() function, KQL, 172
make_set() function, KQL, 172
malicious URL STIX object, 9–10
malware
coin-mining, 4
max() function, KQL, 172
Maxmind GeoLite, 106
M.E.Doc tax accounting software, 2
Microsoft Excel, exporting data to, 143
Microsoft
black box rules, 44
Defender Advanced Threat Protection, 3–4
Detection and Response Team (DART), 3–5
Security Intelligence Report, 3–5
services, 20
vendors/partners’ connectors, 20
min() function, KQL, 172
Mitre, definition of SOC, 5
MITRE ATT&CK knowledge base, 34, 65–66
ML (machine learning) technique, 103
Modulo (%) operator, KQL, 169
MSTIC (Microsoft Threat Intelligence Center), Notebooks, 95
msticpy query library, Notebooks, 95–97
Multiple Data Sources hunting queries, 71
Multiply (*) operator, KQL, 169
N
NIST (National Institute of Standards and Technology), 51
Not equals (!-) operator, KQL, 169
Not equals to any of the elements (!in) operator, KQL, 169
Notebooks. See also Jupyter Notebooks
alerts and bookmarks, 97
benefits, 107
decoding obfuscated data, 103
diagram, 14
finding outliers with clustering, 103–104
geomapping IP addresses, 106
hunting and investigation, 94–106
IoCs and threat intelligence, 101–102
linking/displaying related data sets, 105
MSTIC (Microsoft Threat Intelligence Center), 95
querying process/logon information, 98–99
suspicious signs in data, 101–103
types, 94
NSG (Network Security Group), 145
numerical operators, KQL (Kusto Query Language), 169
O
obfuscated data, decoding, 103
Office 365 action, adding for Playbook, 116
Office 365 Activity hunting queries, 71
Office 365, email messages scanned by, 4
Operation WilySupply, 3
operational CTI, 8
order operator, KQL (Kusto Query Language), 168
P
Palo Alto Networks firewalls, connecting with, 158–162
percentiles() function, KQL, 172
permissions, considering, 15
Persistence, ATT&CK Matrix, 66
Petya ransomware, 1
phishing, 4
pie charts, adding to Workbooks, 139
Playbooks
diagram, 14
post-incident automation, 125–128
SOAR (Security Orchestration, Automation and Response), 109–110
post-incident automation, 125–130
Power BI, visualizations, 141–142
Privilege Escalation, ATT&CK Matrix, 66
process information, querying, 98–99
procedures. See Playbooks
project and project-away statements, KQL (Kusto Query Language), 172–173
protection, automating, 12
Q
queries. See also bookmarks; exploration queries; KQL (Kusto Query Language); Kqlmagic
and bookmarks, 67
process and logon information, 98–99
validating data sources, 31–32
Query Language Reference, 40
R
ransomware
Petya, 1
RBAC (Role-Based Access Control), 15–16
real type, KQL, 166
reference operational model, SOC (Security Operations Center), 9
Remediation, incident management, 51–52
remediation analysts, 5
reports. See Workbooks
resources, freeing up, 21
REST API client, 20
rightanti join, KQL, 175
rightouter join, KQL, 175
rightsemi join, KQL, 175
Rule Templates tab, 36
S
Sample Notebooks, 94
SecOps (Security Operations)
addressing challenges, 11
resource challenges, 7
Security Alert hunting queries, 71
Security Event hunting queries, 72
security incidents, 52–55. See also incident management
Security Intelligence Report, Microsoft, 3–5
Shezaf, Ofer, 21
SIEM (Security Incident and Event Management), 1
Sign-in Logs hunting queries, 72–73
“single pane of glass,” analysts, 7
SMB (Server Message Block), 2
SOAR (Security Orchestration, Automation and Response), 11
SOC (Security Operations Center), 1
reference operational model, 9
resource challenges, 7
software supply chains, targeting, 3
SQL and KQL, 164
stdev() function, KQL, 172
STIX object, malicious URL, 9–10
strategic CTI, 8
string operators, KQL (Kusto Query Language), 169
string type, KQL, 166
Subtract (−) operator, KQL, 169
sum() function, KQL, 172
summarize statement, KQL, 170–172
support engineers, SOC (security operations center), 6
suspicious signs in data, Notebooks, 101–103
Syslog Common Event Format, 20
Syslog daemon, configuring for Palo Alto, 158–159
Syslog hunting queries, 73
T
tables, joining in KQL, 173–175
tactical CTI, 8
take operator, KQL (Kusto Query Language), 168
TAXII (Trusted Automated Exchange of Intelligence Information), 10
Technical Community blogs, 107
threat collection, 12
threat hunting. See also hunting queries
TI (Threat Intelligence) indicators, 101–102
Tier 1-Tier 3 analysts, SecOps, 5–7
time charts, adding to Workbooks, 140
Timeline, listing for incident alerts, 59–60. See also event timelines
U
union, KQL (Kusto Query Language), 174
URL. See malicious URL STIX object
V
variance() function, KQL, 172
visualizations, Power BI, 141–142
VM (virtual machine)
isolating, 52
Palo Alto Networks firewalls, 159
for testing real-time automation, 122–125
vulnerabilities, targeting, 2
W
W3C IIS Log hunting queries, 73
“web shells,” dropping, 3
where operator, KQL (Kusto Query Language), 169–170
Wire Data hunting queries, 73
Workbooks
action menu, 136
editing, 138
pie charts, 139
time charts, 140