Cyber Campfire Necessities: Part 3

August 23, 2023 | 1 min read

Micah Heaton

Executive Director, Managed Security Center of Excellence


If you missed Cyber Campfire Necessities: Part 1, we started with the most important things— queries and S’mores and how to see if we overcooked our marshmallows. In Cyber Campfire Necessities: Part 2, whether you’re just toasting your first query or a seasoned Sentinel Ninja, we listened for crashes, bangs, and booms to see if we could identify what went “bump” in your ingestion. In Part 3, we find the screaming banshee!

A screaming banshee is bad on the ears and log tables. Every environment has its ‘loud’ ghosts or ghouls that make for a great cyber campfire story… put on your ghostbusters proton pack and let’s go hunting for the sounds of the banshee (device) from the bog (your network).

=====================================================================
Syslog
| where TimeGenerated > ago(7d)
| summarize count() by Computer
=====================================================================

Let’s take a look at how we track down our keening banshee from the bog from the past week…

=====================================================================
Syslog //<--Define the table to query (Syslog)
| where TimeGenerated > ago(7d) //<--Define how far back to query
| summarize count() by Computer //<--Return Syslog count per computer
=====================================================================

Campfire Tip:

  • By changing Line 1, you can run the query against different tables without re-writing the entire query to find your screaming banshee of the bog.

  • Try running it against additional tables to see who’s wailing.
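The following query is an added example, not part of the original post: it takes the same three-step pattern (table, time window, count per Computer) a step further, so the noisiest device is shown with its share of the whole table and with its busiest single hour, which separates a device that chatters constantly from one that screams in bursts. It assumes only the standard Sentinel Syslog columns the post already uses (TimeGenerated, Computer).

```kusto
// Added example (not from the original post): rank the loudest Syslog senders
// over the last 7 days, with each device's share of the table and its peak hour.
let lookback = 7d;
// Total rows in the window, used to express each device as a percentage.
let total = toscalar(
    Syslog
    | where TimeGenerated > ago(lookback)
    | count
);
Syslog
| where TimeGenerated > ago(lookback)
// Aggregate into hourly buckets first so bursts are visible, not just totals.
| summarize HourlyEvents = count() by Computer, Hour = bin(TimeGenerated, 1h)
// Roll the hours up per device.
| summarize Events = sum(HourlyEvents),
            PeakHourEvents = max(HourlyEvents),
            ActiveHours = dcount(Hour)
            by Computer
| extend PercentOfTable = round(100.0 * Events / total, 2),
         AvgPerActiveHour = round(1.0 * Events / ActiveHours, 1)
// A PeakHourEvents far above AvgPerActiveHour points at a burst (a misbehaving
// daemon, a log loop) rather than a device that is simply always verbose.
| order by Events desc
| take 10
```

When swapping in another table, check the device column name as well as the table name: SecurityEvent also uses Computer, but CommonSecurityLog identifies the sender as DeviceName.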

Summary

We broke down the ectoplasmic residue of basic KQL syntax to make the perfect query and reveal the screaming banshees of your bog. Whether it’s a horror story is up to you.

In this post, we broke down the KQL s’more as follows:

  • Defining table to query against (think of it like the surrounding crackers, it’s what’s inside that counts)

  • Defining time period (Hershey’s, of course)

  • Summarizing the number of hits to this table by device (gotta get the chocolate to marshmallow ratio just right for it to make sense, you know?)

BlueVoyant Summer Camp for Microsoft Sentinel