Query Details

Microsoft Defender for Endpoint - Zeek

MDE Zeek

Query

DeviceNetworkEvents
| where ActionType contains 'ConnectionInspected'
| distinct ActionType

About this query

Explanation

This document provides a series of KQL (Kusto Query Language) queries designed to enhance network security monitoring using Microsoft Defender for Endpoint and Zeek data. Here's a simplified summary of the queries and their purposes:

  1. Identify Connection Types: The first query identifies distinct types of network events where connections are inspected.

  2. Detect Rare User Agents: This query looks for uncommon user agent strings in outbound HTTP requests, which could indicate suspicious activity.

  3. Trace Suspicious User Agents: If a suspicious user agent is found, a follow-up query helps identify the user, process, or command line that initiated the connection.

  4. Detect File Downloads: This query identifies HTTP requests for downloading executable or compressed files, which could be part of malicious activities.

  5. SSH Brute Force Detection: The query detects potential brute-force attacks on SSH by identifying IP pairs with multiple failed authentication attempts.

  6. Identify SSH Software: This query lists server and client software used in SSH connections to detect unauthorized or vulnerable software.

  7. ICMP Data Leakage: The query checks for high data uploads over ICMP, which might indicate data exfiltration.

  8. Ping Sweep Detection: This query identifies potential ping sweep activities by looking for ICMP requests to multiple internal IPs from a single source.

  9. Identify ICMP Origin Process: This query attempts to find processes that loaded network-related binaries, which might be responsible for ICMP traffic.

  10. HTTP POST Requests: A simple query to list all HTTP POST requests, useful for understanding data sent from devices.

  11. Phishing Detection: This query checks if a device named "ClickHappy" sent an HTTP POST request to a known phishing IP, indicating a potential phishing attack.

  12. Search for Specific User Agents: This query identifies HTTP requests with a specific user agent string, useful for tracking known malicious agents.

  13. External Data Integration: The query demonstrates how to integrate external data (e.g., a list of malicious user agents) into the analysis.

  14. DNS Query Inspection: This query inspects DNS queries to identify requests to specific domains, useful for detecting malicious domain lookups.

  15. Inbound Internet Scans: This query identifies devices exposed to the internet and checks for connections with known bad IPs.

  16. Network Connections with Bad IPs: After identifying bad IPs, this query looks for other network connections involving these IPs.

  17. FTP and SMTP Parsing: These queries parse FTP and SMTP connections to extract detailed information about commands, users, and email headers.

Overall, these queries are designed to enhance network security monitoring by identifying suspicious activities, detecting potential threats, and integrating external threat intelligence data.

Details

Alex Verboon profile picture

Alex Verboon

Released: September 19, 2023

Tables

DeviceNetworkEvents DeviceImageLoadEvents ThreatIntelligenceIndicator

Keywords

Devices

Operators

`|``where``contains``distinct``==``extend``todynamic()``tostring()``summarize``dcount()``by``sort``asc``project``bin()``join``kind``on``project-away``matches regex``@``count()``>``desc``make_set()``array_length()``ipv4_is_private()``=~``let``externaldata()``@[]``with``format=``in``geo_info_from_ip_address()``iff()``isempty()``isnotempty()``startswith``false``!``top``format_bytes()``2``MB``arg_max()``mv-expand``split()``extract()``strlen()``!=``>=``<=``ago()``now()`

Actions

GitHub