Here are 10 advanced KQL (Kusto Query Language) queries that can be used in Microsoft Sentinel for enhanced security monitoring and threat detection. Each query targets a specific security scenario and produces rows an analyst can act on. Note that SecurityEvent, Event and AuditLogs are built-in Sentinel tables, whereas NetworkSession, VPNLogs, FileAuditLogs, DataAccessLogs and NetworkTraffic are used here as illustrative names: map them to the connector, ASIM parser or custom log you actually ingest, and tune every threshold and allowlist to your own environment before turning a query into an analytics rule.
1. Detecting Suspicious PowerShell Activity
This query flags PowerShell script blocks that contain command names commonly seen in attacks. It relies on PowerShell script block logging (event 4104), which Sentinel collects into the Event table from the Microsoft-Windows-PowerShell/Operational channel, not into SecurityEvent. Invoke-Expression also has plenty of legitimate uses, so expect to tune this for your estate.
```kusto
Event
| where Source == "Microsoft-Windows-PowerShell" and EventID == 4104
// the logged script text is part of the rendered event description
| where RenderedDescription has_any ("Invoke-Mimikatz", "Invoke-Expression")
| project TimeGenerated, Computer, UserName, ScriptBlockText = RenderedDescription
```
Example Output:
| TimeGenerated | Computer | UserName | ScriptBlockText |
| --- | --- | --- | --- |
| 2025-05-12 13:00:00 | PC1 | user1 | Invoke-Mimikatz |
| 2025-05-12 12:30:00 | PC2 | admin | Invoke-Expression -Command |
2. Detecting Lateral Movement
This query flags possible lateral movement by counting RemoteInteractive (LogonType 10, i.e. RDP) logons per account and host in hourly buckets, and returning only the combinations that exceed a threshold.
```kusto
SecurityEvent
// 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP)
| where EventID == 4624 and LogonType == 10
| summarize Count = count() by Account, Computer, bin(TimeGenerated, 1h)
| where Count > 5
| order by Count desc
```
Example Output:
| Account | Computer | TimeGenerated | Count |
| --- | --- | --- | --- |
| user2 | PC3 | 2025-05-12 13:00:00 | 10 |
| admin | PC4 | 2025-05-12 12:00:00 | 8 |
3. Detecting Data Exfiltration via HTTP
This query looks for possible data exfiltration by counting HTTP sessions that each sent more than 1 MB, grouped by source and destination per hour.
```kusto
NetworkSession
// BytesSent is per session, so this counts individual large uploads rather than total volume
| where Protocol == "HTTP" and BytesSent > 1000000
| summarize Count = count() by SourceIP, DestinationIP, bin(TimeGenerated, 1h)
| order by Count desc
```
Example Output:
| SourceIP | DestinationIP | TimeGenerated | Count |
| --- | --- | --- | --- |
| 192.168.1.2 | 10.0.0.2 | 2025-05-12 13:00:00 | 3 |
| 192.168.1.3 | 10.0.0.3 | 2025-05-12 12:00:00 | 2 |
4. Detecting Unusual VPN Connections
This query identifies VPN connections from outside an allowlist of expected countries, which could indicate unauthorised access.
```kusto
VPNLogs
// the allowlist of expected source countries is environment-specific
| where Action == "Connect" and Location !in ("US", "UK")
| summarize Count = count() by User, Location, bin(TimeGenerated, 1h)
| order by Count desc
```
Example Output:
| User | Location | TimeGenerated | Count |
| --- | --- | --- | --- |
| user3 | China | 2025-05-12 13:00:00 | 5 |
| user4 | Russia | 2025-05-12 12:00:00 | 3 |
5. Detecting Privilege Escalation Attempts
This query identifies attempts to escalate privileges by monitoring directory role membership changes in the Entra ID audit log. TargetResources is a dynamic array, so the affected user is extracted from its first element before grouping.
```kusto
AuditLogs
| where OperationName in ("Add member to role", "Remove member from role")
// TargetResources[0] is the user whose role membership changed
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| summarize Count = count() by TargetUser, bin(TimeGenerated, 1h)
| order by Count desc
```
Example Output:
| TargetUser | TimeGenerated | Count |
| --- | --- | --- |
| user5 | 2025-05-12 13:00:00 | 4 |
| user6 | 2025-05-12 12:00:00 | 2 |
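The nested structure that query 5 indexes into is easy to get wrong, so here is an added example (not part of the original page) that walks an Entra ID AuditLogs record in Python: it pulls the actor out of InitiatedBy, the affected user out of TargetResources[0], and the role name out of modifiedProperties, whose old and new values are JSON-encoded strings. The records are constructed and modelled on the Entra ID audit schema; the PRIVILEGED_ROLES watch list and the "Lifecycle Automation" app name are assumptions for the example.

```python
"""Walks the nested InitiatedBy / TargetResources structure of an Entra ID (Azure AD)
AuditLogs record, the structure query 5 groups on. Added example, not from the page:
the records below are constructed and modelled on the Entra ID audit schema."""
import json
from typing import Optional

ROLE_OPERATIONS = {"Add member to role", "Remove member from role"}
# Roles worth a ticket on every single change, not just on volume (assumed watch list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample records. In Log Analytics, InitiatedBy and TargetResources are `dynamic`
# columns; here they are already-parsed JSON. modifiedProperties old/new values are JSON-encoded
# strings, so a role name arrives as '"Global Administrator"' (with its own quotes).
SAMPLE_RECORDS = [
    {
        "TimeGenerated": "2025-05-12T13:00:00Z",
        "OperationName": "Add member to role",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
        "TargetResources": [{
            "type": "User",
            "userPrincipalName": "user5@example.com",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": '""', "newValue": '"Global Administrator"'},
            ],
        }],
    },
    {
        "TimeGenerated": "2025-05-12T12:00:00Z",
        "OperationName": "Remove member from role",
        "Result": "success",
        # a service principal did this, so InitiatedBy carries "app" rather than "user"
        "InitiatedBy": {"app": {"displayName": "Lifecycle Automation (constructed)"}},
        "TargetResources": [{
            "type": "User",
            "userPrincipalName": "user6@example.com",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": '"Helpdesk Administrator"', "newValue": '""'},
            ],
        }],
    },
    # an unrelated operation that the OperationName filter must drop
    {"TimeGenerated": "2025-05-12T12:05:00Z", "OperationName": "Update user",
     "InitiatedBy": {}, "TargetResources": []},
]


def _unquote(value: Optional[str]) -> str:
    """old/new values are JSON strings; decode '"X"' -> X, tolerating raw or missing values."""
    if value is None:
        return ""
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return str(value)
    return decoded if isinstance(decoded, str) else str(decoded)


def parse_role_change(record: dict) -> Optional[dict]:
    """Flatten one record the way the KQL extend/project does; None if it is not a role change."""
    if record.get("OperationName") not in ROLE_OPERATIONS:
        return None
    initiated = record.get("InitiatedBy") or {}
    actor = ((initiated.get("user") or {}).get("userPrincipalName")
             or (initiated.get("app") or {}).get("displayName")
             or "unknown")
    targets = record.get("TargetResources") or []
    target = targets[0] if targets else {}  # KQL: TargetResources[0]
    role = ""
    for prop in target.get("modifiedProperties") or []:
        if prop.get("displayName") == "Role.DisplayName":
            # "Add" carries the role in newValue, "Remove" carries it in oldValue
            role = _unquote(prop.get("newValue")) or _unquote(prop.get("oldValue"))
            break
    return {
        "TimeGenerated": record.get("TimeGenerated"),
        "Action": record["OperationName"],
        "Actor": actor,
        "TargetUser": target.get("userPrincipalName"),
        "Role": role,
        "Result": record.get("Result"),
    }


def role_changes(records) -> list:
    """All role membership changes, flattened to one row each."""
    return [row for row in map(parse_role_change, records) if row]


def privileged_role_changes(records, watch_roles=PRIVILEGED_ROLES) -> list:
    """Subset touching roles on the watch list, regardless of how many changes occurred."""
    return [row for row in role_changes(records) if row["Role"] in watch_roles]


if __name__ == "__main__":
    for row in role_changes(SAMPLE_RECORDS):
        print(row)
```

The KQL equivalent of `privileged_role_changes` is an extra `extend Role = tostring(TargetResources[0].modifiedProperties[0].newValue)` followed by a `where Role has "Administrator"`-style filter; the point of doing it in code first is to see that the role name comes back with its JSON quotes still attached.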
6. Detecting Suspicious Process Execution
This query lists process creation events for cmd.exe and powershell.exe, which could indicate malware or unauthorised activity. Both binaries are also launched constantly by legitimate software and logon scripts, so treat this as a hunting baseline to enrich and filter rather than an alert on its own.
```kusto
SecurityEvent
// 4688 = a new process has been created; NewProcessName is the full image path
| where EventID == 4688
| where NewProcessName has_any ("cmd.exe", "powershell.exe")
| project TimeGenerated, Computer, Account, NewProcessName
```
Example Output:
| TimeGenerated | Computer | Account | NewProcessName |
| --- | --- | --- | --- |
| 2025-05-12 13:00:00 | PC5 | user7 | cmd.exe |
| 2025-05-12 12:30:00 | PC6 | admin | powershell.exe |
7. Detecting DDoS Attacks
This query identifies potential Distributed Denial of Service (DDoS) attacks by counting sessions that delivered a very large volume of traffic to a single destination within each hour.
```kusto
NetworkSession
// sessions delivering more than 10 MB to one destination
| where BytesReceived > 10000000
| summarize Count = count() by DestinationIP, bin(TimeGenerated, 1h)
| order by Count desc
```
Example Output:
| DestinationIP | TimeGenerated | Count |
| --- | --- | --- |
| 10.0.0.4 | 2025-05-12 13:00:00 | 6 |
| 10.0.0.5 | 2025-05-12 12:00:00 | 4 |
8. Detecting Suspicious File Modifications
This query identifies files that were modified unusually often within an hour, which could indicate tampering or unauthorised changes.
```kusto
FileAuditLogs
| where ActionType == "FileModified"
| summarize Count = count() by FileName, bin(TimeGenerated, 1h)
// more than 10 modifications of the same file in one hour
| where Count > 10
| order by Count desc
```
Example Output:
| FileName | TimeGenerated | Count |
| --- | --- | --- |
| sensitive.docx | 2025-05-12 13:00:00 | 15 |
| report.xlsx | 2025-05-12 12:00:00 | 12 |
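Queries 2 and 8 (and, without the threshold, most of the others) share one aggregation shape: filter, `summarize Count = count() by <keys>, bin(TimeGenerated, 1h)`, `where Count > N`, `order by Count desc`. The added Python example below (not part of the original page) reimplements that shape generically and runs it over constructed SecurityEvent rows for query 2 and constructed FileAuditLogs rows for query 8, including the cases a tuning exercise cares about: events of the wrong logon type or action, a group just under the threshold, and events that straddle an hour boundary and so land in a different bin. All event data, the anchor time and the helper names are constructed for the example.

```python
"""Python equivalent of the KQL aggregation pattern shared by queries 2 and 8:
filter | summarize Count = count() by <keys>, bin(TimeGenerated, 1h) | where Count > N | order by Count desc.
Added example, not from the page; every event below is constructed."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Callable, Iterable

HOUR = timedelta(hours=1)
BASE = datetime(2025, 5, 12, 13, 0, 0)  # constructed anchor time for the sample events


def kql_bin(ts: datetime, size: timedelta) -> datetime:
    """bin(ts, size): floor ts to the start of its bucket, measured from the Unix epoch."""
    epoch = datetime(1970, 1, 1, tzinfo=ts.tzinfo)
    return epoch + ((ts - epoch) // size) * size


def summarize_count_by(events: Iterable[dict], keys: tuple, bin_size: timedelta = HOUR,
                       ts_field: str = "TimeGenerated") -> Counter:
    """summarize Count = count() by keys..., bin(ts_field, bin_size)"""
    counts: Counter = Counter()
    for e in events:
        counts[tuple(e[k] for k in keys) + (kql_bin(e[ts_field], bin_size),)] += 1
    return counts


def detect(events: Iterable[dict], predicate: Callable[[dict], bool], keys: tuple,
           min_count: int, bin_size: timedelta = HOUR) -> list:
    """where predicate | summarize ... | where Count > min_count | order by Count desc"""
    counts = summarize_count_by((e for e in events if predicate(e)), keys, bin_size)
    rows = [dict(zip(keys + ("TimeGenerated",), group), Count=n)
            for group, n in counts.items() if n > min_count]
    return sorted(rows, key=lambda r: r["Count"], reverse=True)


def _logons(account, computer, logon_type, n, step_min, offset=timedelta(0)):
    """n constructed 4624 events for one account/host, spaced step_min minutes apart."""
    return [{"EventID": 4624, "LogonType": logon_type, "Account": account, "Computer": computer,
             "TimeGenerated": BASE + offset + timedelta(minutes=step_min * i)} for i in range(n)]


def build_security_events() -> list:
    """Constructed SecurityEvent rows for query 2."""
    return (_logons("user2", "PC3", 10, 10, 5)            # 10 RDP logons in the 13:00 bucket: fires
            + _logons("admin", "PC4", 10, 3, 10)          # 3 RDP logons: under the threshold
            + _logons("user2", "PC3", 3, 8, 3)            # network logons (type 3): filtered out
            + _logons("user2", "PC3", 10, 4, 7, HOUR))    # 4 more RDP logons, but in the 14:00 bucket


def lateral_movement(events) -> list:
    """Query 2: EventID == 4624 and LogonType == 10, Count > 5 per Account, Computer, hour."""
    return detect(events, lambda e: e["EventID"] == 4624 and e["LogonType"] == 10,
                  ("Account", "Computer"), min_count=5)


def _file_events(name, action, n, step_min):
    """n constructed file audit events for one file, spaced step_min minutes apart."""
    return [{"FileName": name, "ActionType": action,
             "TimeGenerated": BASE + timedelta(minutes=step_min * i)} for i in range(n)]


def build_file_events() -> list:
    """Constructed FileAuditLogs rows for query 8."""
    return (_file_events("sensitive.docx", "FileModified", 15, 2)
            + _file_events("report.xlsx", "FileModified", 12, 3)
            + _file_events("notes.txt", "FileModified", 4, 5)      # under the threshold
            + _file_events("sensitive.docx", "FileRead", 20, 1))   # reads are not modifications


def suspicious_file_modifications(events) -> list:
    """Query 8: ActionType == "FileModified", Count > 10 per FileName, hour."""
    return detect(events, lambda e: e["ActionType"] == "FileModified", ("FileName",), min_count=10)


if __name__ == "__main__":
    for row in lateral_movement(build_security_events()) + suspicious_file_modifications(build_file_events()):
        print(row)
```

The hour-boundary case is the one to remember when tuning: `bin()` cuts on fixed clock boundaries, so a burst of 8 logons from 13:50 to 14:10 is split 4/4 and never crosses a `Count > 5` threshold. If that matters for a detection, shorten the bin, lower the threshold, or use a sliding window instead of fixed buckets.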
9. Detecting Unauthorised Access to Sensitive Data
This query identifies unauthorised access attempts to sensitive data by monitoring access logs.
```kusto
DataAccessLogs
| where ResourceType == "SensitiveData" and Action == "Access"
| summarize Count = count() by User, Resource, bin(TimeGenerated, 1h)
| order by Count desc
```
Example Output:
| User | Resource | TimeGenerated | Count |
| --- | --- | --- | --- |
| user8 | confidential | 2025-05-12 13:00:00 | 7 |
| user9 | financial | 2025-05-12 12:00:00 | 5 |
10. Detecting Anomalous Network Traffic
This query identifies anomalous network traffic patterns that could indicate a security threat.
```kusto
NetworkTraffic
| where BytesSent > 1000000 or BytesReceived > 1000000
| summarize Count = count() by SourceIP, DestinationIP, bin(TimeGenerated, 1h)
| order by Count desc
```
Example Output:
| SourceIP | DestinationIP | TimeGenerated | Count |
| --- | --- | --- | --- |
| 192.168.1.4 | 10.0.0.6 | 2025-05-12 13:00:00 | 4 |
| 192.168.1.5 | 10.0.0.7 | 2025-05-12 12:00:00 | 3 |
These KQL queries give security analysts a starting point for detecting and responding to a range of threats. Most of them share the same filter, summarize-by-bin, threshold and sort structure, so once the table and column names are mapped to your own data sources, the same pattern can be adapted to new scenarios and the thresholds tuned against a baseline of normal activity.