Skip to content

A guide to using Azure Data Explorer and KQL for DFIR

Notifications You must be signed in to change notification settings

reprise99/kql-for-dfir

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

kql-for-dfir

The concept behind using KQL for DFIR is simple. We want to leverage the hunting capabilities of KQL to aid in our incident response or forensic investigations.

To do that, we collect forensic data using a number of different tools. That forensic data could include sign in data, event logs, current configurations and many other items. It could also come in various forms, such as JSON, CSV or just text files.

We then ingest that data into Azure Data Explorer, and we are then able to query it using KQL. At that point, we can go hunting.

You can sign up to a free instance of Azure Data Explorer here(https://aka.ms/kustofree)

This guide will step you through using KQL for DFIR in three steps. Collect your data, ingest that data into Azure Data Explorer, then go hunting.

For some investigations you may want the data from many sources. For an Active Directory incident you likely want Active Directory specific data as well as information about the Windows host itself. For an Office 365 breach, you may want also both Azure Active Directory and Active Directory logs depending on your identity configuration.

You may also have a SIEM such as Microsoft Sentinel. This is not designed to replace that, but to be used as another data source during incident response. Your SIEM may not have complete coverage of all data required for your investigation. We will also be taking forensic information directly from devices, which won't be in your SIEM.

The following KQL for DFIR guides have been written so far.

Use the Azure AD IR PowerShell module and other log sources to investigate Azure AD.

Use Defender for Endpoint, Windows event logs and forensic tools to investigate a particular device.

Use Event Logs, DNS logs and Defender for Identity to investigate Active Directory.

Use data from Exchange Online, Security and Compliance centre and Azure Active Directory.

Examples on how to query across separate Azure Data Explorer databases to join datasets together.

Coming Soon

5. Active Directory Certificate Services

6. Windows Network Policy Server

About

A guide to using Azure Data Explorer and KQL for DFIR

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published