Query Details

Multi Cloud Defender XDR KQL Threat Detection

Query

// Multi-Cloud DefenderXDR KQL Threat Detection
// https://www.linkedin.com/posts/activity-7198893996356640769-cow0/

// A composite detection using MDCA threat intelligence to hunt for activities in various cloud environments and resources covered by MDC. 🤯

let MaliciousIPs =
CloudAppEvents
| where Timestamp > ago(30d)
| where IPTags has_any ("Brute force attacker", "Password spray attacker", "Malicious", "Tor", "Botnet", "Darknet scanning IP", "Malware C&C server") or IPCategory == "Risky"
| distinct IPAddress;
CloudAuditEvents
| where Timestamp > ago(30d)
| where IPAddress has_any(MaliciousIPs)


// MITRE ATT&CK Mapping

// Based on the activities and tags mentioned, here are the relevant MITRE ATT&CK techniques:

// Brute Force Attacker:
// T1110: Brute Force - Attempting to gain access to accounts by repeatedly trying different passwords.
// Password Spray Attacker:
// T1110.003: Password Spraying - Trying commonly used passwords against many accounts.
// Malicious IPs (General):
// T1071: Application Layer Protocol - Using standard application layer protocols to communicate with command and control servers.
// T1090: Proxy - Using proxies to obscure the origin of malicious traffic.
// Tor:
// T1090.003: Multi-hop Proxy - Using multiple proxies to hide the origin of traffic, often associated with Tor.
// Botnet:
// T1071.001: Web Protocols - Using web protocols for command and control communication.
// T1102: Web Service - Using web services for command and control.
// Darknet Scanning IP:
// T1046: Network Service Scanning - Scanning for open ports and services on the network.
// Malware C&C Server:
// T1071: Application Layer Protocol - Communicating with command and control servers using standard protocols.
// T1105: Ingress Tool Transfer - Transferring tools or files from an external system into a compromised environment.

Explanation

This query is designed to detect potentially malicious activities in cloud environments by leveraging threat intelligence data. Here's a simplified breakdown:

  1. Identify Malicious IPs:

    • The query first looks at cloud application events from the past 30 days.
    • It filters out IP addresses that are tagged as suspicious or risky, such as those involved in brute force attacks, password spraying, or associated with malicious activities like botnets or malware command and control (C&C) servers.
    • It creates a list of these distinct malicious IP addresses.
  2. Check Cloud Audit Events:

    • The query then examines cloud audit events from the same 30-day period.
    • It checks if any of these events involve the previously identified malicious IP addresses.
  3. MITRE ATT&CK Techniques:

    • The query maps the detected activities to specific MITRE ATT&CK techniques, which are a framework for understanding cyber adversary behavior.
    • Techniques include brute force attacks, password spraying, using proxies and Tor for anonymity, botnet communications, network scanning, and malware C&C operations.

In essence, this query helps security analysts identify and investigate suspicious activities across cloud environments by correlating IP addresses with known threat behaviors.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEventsCloudAuditEvents

Keywords

CloudAppEventsAuditIPTagsCategoryAddressTimestampMaliciousIPs

Operators

let|where>agohas_anyor==distinct

Actions

GitHub