
KQL Query Repository

Some of the KQL queries we use for Log Analytics and Resource Graph are simple, but they give us all the data we need to make a decision or to serve as a base for hunting.

Besides a few "curious" queries I have had to put together, I also have the ones I use in Microsoft Defender for Cloud training as examples of different types of queries.

I decided to gather all of them in a GitHub repository to make them easy to look up and available to the community.

msincic/scripts-KQL: Public KQL Scripts (github.com)

| Script name | Type | Purpose |
|---|---|---|
| Agents_Last_Comm | Log Analytics | List the type of agent (MMA or AMA) and the last communication of all monitored computers |
| Array-Text-Extract | Log Analytics | Examples of extracting data from array or text columns |
| Attack-Examples | Log Analytics | Example of detecting attacks in logs (SQL injection) |
| Emails-Threat-Intel | Log Analytics | Detect malicious IPs and domains in email, URL or sender |
| Events_Chart_ByDay | Log Analytics | Example of a chart to detect anomalous registered events |
| Graph_examples | Log Analytics | Examples of graphs (bar, time, pie) |
| List_CWPP | Resource Graph | List workload protections in all subscriptions to map protection coverage in your environment |
| List-Deployments-and-Details | Log Analytics | List all deployments to audit object creation and details about dependent objects in the same deployment |
| M365_Operations | Log Analytics | List operations in M365 and IP/DLP actions |
| More-Changed-Computers | Log Analytics | List the top 10 computers and users with changed configurations |
| PIM_Included | Log Analytics | List activities of users included in PIM |
| PoliciesAssigned-State | Resource Graph | List applied policies and their compliance states; you can filter for compliance or non-compliance to address actions |
| Policies-List | Resource Graph | List policies and details to export and use to determine assignments in your environment |
| Purview-IP-Events | Log Analytics | List all activities in Purview (IP, DLP, IRM, etc.) |
| Tables-Ingest-Day-by-Day | Log Analytics | List data ingested into all tables by day with a billed/non-billed indicator |
| ThreatIntel-Examples | Log Analytics | Samples using the Microsoft Defender Threat Intel table to detect malicious IPs in sign-ins and to query the tables |
| Usage_Tables | Log Analytics | Graph to identify and understand table growth |
| VM_Process_Comm | Log Analytics | List of processes that communicated on all computers, with IP and port, source, destination, bytes sent and received |
| VMs+Scale Set User Identity | Resource Graph | List VMs and Scale Sets using User Identity to map permissions |
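As an added example of the kind of threat-intelligence matching the ThreatIntel-Examples and Emails-Threat-Intel rows describe (this is not code from the msincic/scripts-KQL repository), the query below joins Entra ID sign-in events against active IP indicators. It assumes the workspace receives the Microsoft Sentinel `ThreatIntelligenceIndicator` table and the `SigninLogs` table; the lookback windows are arbitrary choices.

```kql
// Added example, not from the repository: match sign-in source IPs against active
// threat-intelligence IP indicators. Assumes the ThreatIntelligenceIndicator and
// SigninLogs tables exist in the workspace.
let lookback = 7d;
let activeTiIPs =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    // Indicators are re-ingested on update; keep only the latest version of each one
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // Drop indicators that have been revoked or have expired
    | where Active == true and ExpirationDateTime > now()
    // An IP indicator may be recorded in any of these three columns
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(IndicatorIP)
    | project IndicatorIP, ThreatType, ConfidenceScore, Description;
SigninLogs
| where TimeGenerated > ago(lookback)
| join kind=inner activeTiIPs on $left.IPAddress == $right.IndicatorIP
// ResultType "0" is a successful sign-in; anything else is a failure code
| extend SignInSucceeded = (ResultType == "0")
| project TimeGenerated, UserPrincipalName, IPAddress, SignInSucceeded, AppDisplayName,
          ThreatType, ConfidenceScore, Description
| order by TimeGenerated desc
```

Successful sign-ins from an indicator IP are the rows to triage first; failed ones are still worth keeping, since a burst of failures from a known-bad address against many accounts is a password-spray signal.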
