When your organization is faced with investigating a security incident, whether that's something as simple as a phishing campaign or more complex like a determined human adversary, time is of the essence. Collecting and analyzing data are two critical things that need to be performed to quickly get an understanding of the initial scope and impact of the incident. There are several variables around both collecting and analyzing data that can affect the speed at which you might be able to respond. While the method or process of collecting data (or even the availability of relevant incident data) is unique to each organization, the analysis of that data is something that can be sped up to reduce the time it takes to make tactical and strategic decisions. In this blog, we'll show you how Microsoft Incident Response uses the Kusto Query Language (KQL) to quickly analyze data during incident response investigations.

Kusto allows for various ingestion methods and various data formats. Data can be structured to best suit your use case in a table using data mappings, and when use cases arise that call for additional data (e.g., third-party logs) you can import on the fly via Azure Data Explorer using One-Click Ingestion. In order to query the data, we use and recommend Azure Data Explorer. When Microsoft Incident Response is on the prowl for threat actors in customer environments, we leverage Microsoft Defender for Endpoint and Microsoft Defender for Identity as two primary data sources. Of course, we do not limit our scope to just Microsoft security products. Every organization has its own third-party logs that are vital to the investigation, which typically include firewalls, VPNs, proxy logs, etc. We take all of this data and ingest it into a Kusto cluster and database to leverage KQL for fast and efficient analysis.

Analyzing data to scope the attack impact

The ultimate outcome of data analysis is to be able to make decisions based on what the data is telling us. Specifically with incident response investigations, data analysis plays a vital role in being able to scope the impact of the attack, identify new leads to hunt down, and provide insight into how to contain the threat. Leaders within the organization need the results of this analysis to quickly understand what they're facing and to make decisions based on factual data. In the all-too-common case of a ransomware attack, you may be faced with the decision to minimize the threat by shutting down network access. Do you have enough information to warrant a shutdown of the entire network, or are only certain sites affected? Having the analysis completed quickly in turn allows for faster decision-making.

What used to take hours of reviewing logs in Excel or even SQL databases can now be done in seconds with KQL. This is possible in part due to the power of KQL, which comes from native functions that help quickly parse and/or convert data into something more meaningful to an analyst. Some example functionality this provides is being able to decode Base64 data, parse URLs, and even parse command-line arguments.

Built-in functions useful for incident response

Not unlike other large-data or database query languages, KQL allows you to filter your data (with 'where' clauses), present your data (with either 'project' or 'render' clauses), and aggregate your data (with 'summarize' clauses). The real power of KQL, though, comes from its various native functions that can be used to parse or transform data on the fly, including (and certainly not limited to):

These functions are named in a self-explanatory way, but let's look at a couple of use cases that we've run across. Additionally, for any parsing or working with data that requires a bit more complexity than native querying, KQL does have plug-ins that can extend its use by leveraging Python and R.
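The following query is an added example and is not code from the original post or from Microsoft Incident Response. It ties the three clause types above (where, project, summarize) to the parsing functions the post mentions (parse_command_line, base64_decode_tostring, parse_url) in one pipeline. Everything in it is constructed: the SampleProcessEvents table, the device names, the made-up "updater.exe --src" command lines and the base64-encoded URLs in them exist only so the query runs stand-alone in the Azure Data Explorer query editor. In a real investigation the source would be a table such as DeviceProcessEvents ingested from Microsoft Defender for Endpoint, and the flag you are looking for would come from your own lead.

```kql
// Added example, not from the original post. All rows are constructed sample data.
let SampleProcessEvents = datatable(Timestamp:datetime, DeviceName:string, ProcessCommandLine:string)
[
    datetime(2023-05-01 09:12:00), "wks-01",  'updater.exe --quiet --src aHR0cHM6Ly9leGFtcGxlLnRlc3Qvc3RhZ2UvYS5iaW4=',
    datetime(2023-05-01 09:14:30), "wks-02",  'updater.exe --src aHR0cHM6Ly9leGFtcGxlLnRlc3Qvc3RhZ2UvYi5iaW4= --quiet',
    datetime(2023-05-01 11:05:10), "srv-db1", 'updater.exe --src aHR0cDovLzEwLjAuMC41L2EuYmlu',
    datetime(2023-05-01 11:20:45), "wks-01",  @'notepad.exe C:\Users\alice\notes.txt',
];
SampleProcessEvents
// 1. Filter: keep only the rows that carry the argument this lead is about.
| where ProcessCommandLine has "--src"
// 2. Parse the command line into an argument array instead of regex-matching the raw string.
| extend Args = parse_command_line(ProcessCommandLine, "windows")
// 3. The value follows the "--src" flag wherever that flag sits in the argument list;
//    array_index_of returns -1 if the flag is absent, so those rows decode to an empty string.
| extend SrcIndex = array_index_of(Args, "--src")
| extend EncodedSrc = tostring(Args[SrcIndex + 1])
// 4. Decode the Base64 blob and split the resulting URL into its components.
| extend DecodedSrc = base64_decode_tostring(EncodedSrc)
| extend Url = parse_url(DecodedSrc)
| extend Host = tostring(Url.Host), Path = tostring(Url.Path)
// 5. Present: only the columns an analyst needs to act on.
| project Timestamp, DeviceName, Host, Path, DecodedSrc
// 6. Aggregate: one row per download host, with the devices that reached for it
//    and the earliest sighting, which is the scoping information leadership asks for.
| summarize Events = count(), FirstSeen = min(Timestamp), Devices = make_set(DeviceName) by Host
```

On the constructed rows this returns two hosts: example.test (2 events, first seen 09:12:00, devices wks-01 and wks-02) and 10.0.0.5 (1 event, srv-db1). To chart it instead of tabulating it, reduce the summarize to `count() by Host` and append `| render barchart`; a dynamic column such as the make_set result is not something the chart renderer can plot.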