Microsoft
Cyber Campfire Necessities: Part 3
August 23, 2023 | 1 min read
Micah Heaton
Executive Director, Managed Security Center of Excellence
If you missed Cyber Campfire Necessities: Part 1, we started with the most important things— queries and S’mores and how to see if we overcooked our marshmallows. In Cyber Campfire Necessities: Part 2, whether you’re just toasting your first query or a seasoned Sentinel Ninja, we listened for crashes, bangs, and booms to see if we could identify what went “bump” in your ingestion. In Part 3, we find the screaming banshee!
A screaming banshee is bad on the ears and log tables. Every environment has its ‘loud’ ghosts or ghouls that make for a great cyber campfire story… put on your ghostbusters proton pack and let’s go hunting for the sounds of the banshee (device) from the bog (your network).
=====================================================================
Syslog
| where TimeGenerated > ago(7d)
| summarize count() by Computer
=====================================================================
Let’s take a look at how we track down our keening banshee from the bog from the past week…
=====================================================================
Syslog //<--Define the table to query (Syslog)
| where TimeGenerated > ago(7d) //<--Define how far back to query
| summarize count() by Computer //<--Return Syslog count per computer
=====================================================================
Campfire Tip:
By changing Line 1, you can run the query against different tables without re-writing the entire query to find your screaming banshee of the bog.
Try running it against additional tables to see who’s wailing.
Summary
We broke down the ectoplasmic residue of basic KQL syntax to make the perfect query and reveal the screaming banshees of your bog. Whether it’s a horror story is up to you.
In this post, we broke down the KQL s’more as follows:
Defining table to query against (think of it like the surrounding crackers, it’s what’s inside that counts)
Defining time period (Hershey’s, of course)
Summarizing the number of hits to this table by device (gotta get the chocolate to marshmallow ratio just right for it to make sense, you know?)
BlueVoyant Summer Camp for Microsoft Sentinel
Related Reading
Company News
BlueVoyant Awarded Microsoft Worldwide Security Partner of the Year, Recognizing Leading-Edge Cyber Defense
June 27, 2024 | 2 min read
Microsoft
Microsoft Copilot for Security – Use Cases for Data Governance Teams Working with Auditors and Consultants
April 22, 2024 | 5 min read