Query Details

Device Network Events Uncommon Process Connection To Suspicious Domain

Query

let query_frequency = 1h;
let query_period = 14d;
let suspicious_domains = dynamic([
    @"d\d[a-z0-9]{12}\.cloudfront\.net",
    @"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    @"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
    @"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
    @"portswigger\.net",
    @"oastify\.com",
    @"whatismyip\.com",
    @"whatismyip\.net",
    @"whatismyipaddress\.com"
]);
let excluded_company_names = dynamic([]);
let excluded_original_names = dynamic([]);
DeviceNetworkEvents
| where Timestamp > ago(query_period)
| where RemoteUrl matches regex strcat_array(suspicious_domains, "|") // and not(InitiatingProcessAccountSid in ("S-1-5-18", "S-1-5-20"))
| where isnotempty(InitiatingProcessFileName)
| summarize
    StartTime = arg_min(Timestamp, *),
    EndTime = max(Timestamp),
    DeviceNamesSample = array_sort_asc(make_set(DeviceName, 100)),
    RemoteUrlsSample = array_sort_asc(make_set(RemoteUrl, 100))
    by
        InitiatingProcessVersionInfoCompanyName,
        InitiatingProcessVersionInfoProductName,
        InitiatingProcessVersionInfoOriginalFileName,
        InitiatingProcessVersionInfoInternalFileName,
        InitiatingProcessVersionInfoFileDescription
| where StartTime > ago(query_frequency)
| invoke FileProfile("InitiatingProcessSHA1", 1000)
| where not(GlobalPrevalence > 10000)
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_frequency) and SignatureState == "SignedValid")
| where not(GlobalPrevalence > 500 and InitiatingProcessVersionInfoCompanyName in (excluded_company_names) and InitiatingProcessVersionInfoOriginalFileName in (excluded_original_names))
| project
    StartTime,
    EndTime,
    DeviceNamesSample,
    RemoteUrlsSample,
    Timestamp = StartTime,
    DeviceId,
    DeviceName,
    LocalIP,
    ActionType,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    Protocol,
    InitiatingProcessAccountName,
    InitiatingProcessAccountSid,
    InitiatingProcessAccountUpn,
    InitiatingProcessAccountObjectId,
    InitiatingProcessSHA1,
    InitiatingProcessSHA256,
    InitiatingProcessMD5,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    InitiatingProcessCreationTime,
    IsInitiatingProcessRemoteSession,
    InitiatingProcessParentFileName,
    InitiatingProcessVersionInfoCompanyName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessVersionInfoOriginalFileName,
    InitiatingProcessVersionInfoInternalFileName,
    InitiatingProcessVersionInfoFileDescription,
    InitiatingProcessVersionInfoProductVersion,
    GlobalPrevalence,
    GlobalFirstSeen,
    GlobalLastSeen,
    SignatureState,
    ReportId

Explanation

This KQL query hunts for processes that are new to the environment and that connect to domains an attacker is likely to use: PortSwigger infrastructure and Burp Collaborator callback hosts (portswigger.net, oastify.com), public "what is my IP" services used for reconnaissance, and the hostname shapes of CDN and app-hosting platforms (CloudFront distributions, KeyCDN, Azure Front Door, Azure cloudapp) that are routinely rented as redirectors or command-and-control fronts. Here's a breakdown of what the query does:

  1. Time Frame: query_period (14d) is the lookback used to decide whether a process identity has been seen before; query_frequency (1h) is the interval the query is meant to run on. Only groups whose first matching event inside the 14-day window falls within the last hour are reported, so a process identity is surfaced once, in the hour it first appears, and not again while it still has older matching events in the window.

  2. Suspicious Domains: strcat_array(suspicious_domains, "|") joins the patterns into one alternation and matches regex applies it to RemoteUrl. The match is unanchored and case-sensitive, so whatismyip\.com also fires on any longer hostname that contains that string; anchor or tighten the patterns if that produces noise. The commented-out clause on the same line would additionally drop connections made by LocalSystem and NetworkService (S-1-5-18, S-1-5-20).

  3. Filtering:

    • It keeps only events that carry an initiating process file name, since the grouping and enrichment that follow are built on process identity.
  4. Data Aggregation:

    • It groups the matching events by the five InitiatingProcessVersionInfo* fields (company, product, original file name, internal file name, file description), takes the earliest event of each group with arg_min(Timestamp, *) as StartTime (carrying that row's other columns, including its SHA1, along), the latest as EndTime, and samples up to 100 device names and remote URLs per group.
    • where StartTime > ago(query_frequency) is the "uncommon" test: groups that were already active earlier in the window are discarded.
    • Caveat: a binary with blank version information lands in the same group as every other blank-version-info process that contacted a suspicious domain in the last 14 days, so a fresh unsigned tool with no resource metadata is only reported if no such process preceded it.
  5. File Profile Invocation: invoke FileProfile("InitiatingProcessSHA1", 1000) enriches the earliest event's SHA1 with GlobalPrevalence, GlobalFirstSeen, GlobalLastSeen and SignatureState; 1000 is the cap on rows enriched per call, so groups beyond it arrive without profile data and the gates below do not address that case.

  6. Exclusions: three gates run on the enriched rows:

    • a process seen on more than 10,000 machines worldwide is dropped outright;
    • a process seen on more than 1,000 machines is dropped if it is validly signed and was first seen globally before the last hour (a newly signed, newly distributed binary still gets through);
    • a process seen on more than 500 machines is dropped only if its company name and original file name both appear in the exclusion lists; those lists are empty as published, so this gate does nothing until you populate them.
  7. Output: Finally, it projects the group times and samples alongside the earliest event's device, network, account and process details, the FileProfile fields and ReportId, with Timestamp set to StartTime so the alert is dated at the group's first occurrence.

Overall, the query is a rolling "first seen in 14 days" detector for process identities that reach attacker-style infrastructure, with FileProfile prevalence used to filter out well-known software.
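The pipeline above, replayed offline as an added example (this is not code from the query page or its author): Python reimplementations of the three stages, run over constructed DeviceNetworkEvents rows and FileProfile results. The only inputs taken from the query are the regex list and the thresholds; every hostname, hash, device name, company and prevalence figure below is made up for illustration, and the handling of a hash that FileProfile did not profile is a design choice of this model, not something the query specifies.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not code from the original query page: replays the query's three
# stages in Python over constructed events so the regex list and the first-seen /
# prevalence gates can be exercised without a Defender tenant.
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(days=14)

SUSPICIOUS_DOMAINS = [  # the query's list, with the dot in cloudfront.net escaped
    r"d\d[a-z0-9]{12}\.cloudfront\.net",
    r"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    r"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
    r"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
    r"portswigger\.net", r"oastify\.com",
    r"whatismyip\.com", r"whatismyip\.net", r"whatismyipaddress\.com",
]
# strcat_array(suspicious_domains, "|"): a single unanchored alternation, as `matches regex` sees it
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_DOMAINS))
VERSION_INFO_KEYS = tuple("InitiatingProcessVersionInfo" + f for f in
                          ("CompanyName", "ProductName", "OriginalFileName", "InternalFileName", "FileDescription"))


def is_suspicious_url(url):
    """Stage 1: RemoteUrl matches regex (unanchored and case-sensitive, like KQL)."""
    return SUSPICIOUS_RE.search(url) is not None


def new_process_groups(events, now):
    """Stage 2: summarize 14 days by version info; keep groups whose StartTime is inside the last hour."""
    groups = {}
    for ev in events:
        if ev["Timestamp"] <= now - QUERY_PERIOD or not ev["InitiatingProcessFileName"]:
            continue
        if not is_suspicious_url(ev["RemoteUrl"]):
            continue
        key = tuple(ev[k] for k in VERSION_INFO_KEYS)
        g = groups.setdefault(key, {"StartTime": ev["Timestamp"], "EndTime": ev["Timestamp"],
                                    "First": ev, "Devices": set(), "Urls": set()})
        if ev["Timestamp"] < g["StartTime"]:  # arg_min(Timestamp, *): carry the earliest row whole
            g["StartTime"], g["First"] = ev["Timestamp"], ev
        g["EndTime"] = max(g["EndTime"], ev["Timestamp"])
        g["Devices"].add(ev["DeviceName"])
        g["Urls"].add(ev["RemoteUrl"])
    return {k: g for k, g in groups.items() if g["StartTime"] > now - QUERY_FREQUENCY}


def passes_prevalence_gates(profile, company, original_name, now, excluded_companies=(), excluded_originals=()):
    """Stage 3: the three `where not(...)` clauses after FileProfile. A None profile (FileProfile
    returned nothing for the hash) is kept for review here; the query itself leaves that case unaddressed."""
    if profile is None:
        return True
    p = profile["GlobalPrevalence"]
    if p > 10000:
        return False
    if p > 1000 and profile["GlobalFirstSeen"] < now - QUERY_FREQUENCY and profile["SignatureState"] == "SignedValid":
        return False
    if p > 500 and company in excluded_companies and original_name in excluded_originals:
        return False
    return True


def run_detection(events, file_profiles, now):
    """Whole pipeline: one finding per version-info group that survives every gate."""
    findings = []
    for key, g in new_process_groups(events, now).items():
        profile = file_profiles.get(g["First"]["InitiatingProcessSHA1"])
        if passes_prevalence_gates(profile, key[0], key[2], now):
            findings.append({"Process": key[2], "StartTime": g["StartTime"], "EndTime": g["EndTime"],
                             "DeviceNamesSample": sorted(g["Devices"]), "RemoteUrlsSample": sorted(g["Urls"])})
    return findings


# ---- constructed sample telemetry (not real data); fixed clock so the run is reproducible ----
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _event(age, device, url, name, sha1, company="Contoso"):
    row = {"Timestamp": NOW - age, "DeviceName": device, "RemoteUrl": url,
           "InitiatingProcessFileName": name, "InitiatingProcessSHA1": sha1, VERSION_INFO_KEYS[0]: company}
    row.update({k: name for k in VERSION_INFO_KEYS[1:]})
    return row


SAMPLE_EVENTS = [
    # unknown binary talking to a Burp Collaborator host, first seen 20 minutes ago -> reported
    _event(timedelta(minutes=20), "ws-001", "abc123.oastify.com", "updater.exe", "sha-a"),
    _event(timedelta(minutes=5), "ws-002", "abc123.oastify.com", "updater.exe", "sha-a"),
    # browser that has hit this CloudFront distribution for 10 days -> StartTime too old, not "uncommon"
    _event(timedelta(days=10), "ws-003", "d2k7m1b9x4c3q8.cloudfront.net", "chrome.exe", "sha-b", "Google LLC"),
    _event(timedelta(minutes=30), "ws-003", "d2k7m1b9x4c3q8.cloudfront.net", "chrome.exe", "sha-b", "Google LLC"),
    # signed, prevalence 4000, known globally for days -> dropped by the second gate
    _event(timedelta(minutes=12), "ws-004", "portswigger.net", "burpsuite.exe", "sha-c", "PortSwigger"),
    # signed, prevalence 2000, but only appeared globally 30 minutes ago -> the second gate lets it through
    _event(timedelta(minutes=15), "ws-005", "myapp-1a2b.kxcdn.com", "sync.exe", "sha-d", "Fabrikam"),
]
SAMPLE_FILE_PROFILES = {  # what FileProfile would return for each SHA1
    "sha-a": {"GlobalPrevalence": 3, "GlobalFirstSeen": NOW - timedelta(hours=2), "SignatureState": "Unsigned"},
    "sha-b": {"GlobalPrevalence": 250000, "GlobalFirstSeen": NOW - timedelta(days=400), "SignatureState": "SignedValid"},
    "sha-c": {"GlobalPrevalence": 4000, "GlobalFirstSeen": NOW - timedelta(days=3), "SignatureState": "SignedValid"},
    "sha-d": {"GlobalPrevalence": 2000, "GlobalFirstSeen": NOW - timedelta(minutes=30), "SignatureState": "SignedValid"},
}
```

Calling run_detection(SAMPLE_EVENTS, SAMPLE_FILE_PROFILES, NOW) returns two findings, updater.exe and sync.exe: chrome.exe is discarded by the first-seen test before FileProfile is ever consulted, and burpsuite.exe by the signed-and-prevalent gate. Feeding is_suspicious_url a hostname such as whatismyip.com.example.net also returns True, which is the unanchored-match behaviour to keep in mind when the regex list is extended.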

Details


Jose Sebastián Canós

Released: June 11, 2026

Tables

DeviceNetworkEvents

Keywords

Devices

Operators

let, dynamic, matches regex, strcat_array, ago, isnotempty, summarize, arg_min, max, array_sort_asc, make_set, by, invoke, where, not, in, project
