Chapter 04 Create Queries For Microsoft Sentinel Using Kusto Query Language

This document discusses using the Kusto Query Language (KQL) to build queries for Microsoft Sentinel. It covers topics like using KQL statements to search logs, filter based on event properties, work with multiple tables using unions and joins, and extract data from string fields. The document provides examples of common KQL operators and functions for tasks like searching, filtering, ordering, aggregating, and visualizing query results.


Chapter 4

Create Queries for Microsoft Sentinel using Kusto Query Language (KQL)

Table of Contents

1. Build KQL statements for Microsoft Sentinel
2. Analyze query results using KQL
3. Build multi-table statements using KQL
4. Work with string data in KQL statements
Chapter 4
Sub-chapter 1
Build KQL Statements for Microsoft Sentinel
Introduction

After completing this module, you will be able to:

1. Build KQL statements
2. Search log files for security events using KQL
3. Filter searches by event time, severity, domain, and other related data using KQL
The Kusto Query Language statement structure
A KQL query is a read-only request to process data and return results. The request is stated in plain
text, using a data-flow model designed to make the syntax easy to read, write, and automate.

© Copyright Microsoft Corporation. All rights reserved.


Use the table reference

● SecurityEvent

● SecurityAlert

Use the search operator

● search "err"

● search in (SecurityEvent,SecurityAlert,A*) "err"

Use the where operator

● SecurityEvent
● | where TimeGenerated > ago(1d)

● SecurityEvent
● | where TimeGenerated > ago(1h) and EventID == "4624"

● SecurityEvent
● | where TimeGenerated > ago(1h)
● | where EventID == 4624
● | where AccountType =~ "user"

● SecurityEvent | where EventID in (4624, 4625)

Use the let statement

● let timeOffset = 7d;
● let discardEventId = 4688;
● SecurityEvent
● | where TimeGenerated > ago(timeOffset*2) and TimeGenerated < ago(timeOffset)
● | where EventID != discardEventId

● let LowActivityAccounts =
● SecurityEvent
● | summarize cnt = count() by Account
● | where cnt < 10;
● LowActivityAccounts | where Account contains "Mal"

Use the extend operator

● SecurityEvent
● | where ProcessName != "" and Process != ""
● | extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))

Use the order by operator

● SecurityEvent
● | where ProcessName != "" and Process != ""
● | extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))
● | order by StartDir desc, Process asc

Use the project operators

● SecurityEvent
● | project Computer, Account

● SecurityEvent
● | where ProcessName != "" and Process != ""
● | extend StartDir = substring(ProcessName,0, string_size(ProcessName)-string_size(Process))
● | order by StartDir desc, Process asc
● | project-away ProcessName

Operator: Description
project: Select the columns to include, rename or drop, and insert new computed columns.
project-away: Select what columns from the input to exclude from the output.
project-keep: Select what columns from the input to keep in the output.
project-rename: Select the columns to rename in the resulting output.
project-reorder: Set the column order in the resulting output.

Chapter 4
Sub-chapter 2
Analyze Query Results using KQL
Introduction

After completing this module, you will be able to:

1. Summarize data using KQL statements
2. Create visualizations using KQL statements
Use the summarize operator

● SecurityEvent
● | summarize count() by Process, Computer

● let timeframe = 1d;
● let threshold = 3;
● SigninLogs
● | where TimeGenerated >= ago(timeframe)
● | where ResultDescription has "MFA"
● | summarize applicationCount = dcount(AppDisplayName) by UserPrincipalName, IPAddress
● | where applicationCount >= threshold

Function(s): Description
count(), countif(): Returns a count of the records per summarization group.
dcount(), dcountif(): Returns an estimate for the number of distinct values taken by a scalar expression in the summary group.
avg(), avgif(): Calculates the average of Expr across the group.
max(), maxif(): Returns the maximum value across the group.
sum(), sumif(): Calculates the sum of Expr across the group.

Use the summarize operator to filter results

● SecurityEvent
● | where Computer == "SQL12.NA.contosohotels.com"
● | summarize arg_max(TimeGenerated,*) by Computer

● SecurityEvent
● | where Computer == "SQL12.NA.contosohotels.com"
● | summarize arg_min(TimeGenerated,*) by Computer

Use the summarize operator to prepare data

● SecurityEvent
● | where EventID == "4624"
● | summarize make_list(Account) by Computer

● SecurityEvent
● | where EventID == "4624"
● | summarize make_set(Account) by Computer

Use the render operator to create visualizations

● SecurityEvent
● | summarize count() by Account
● | render barchart

● SecurityEvent
● | summarize count() by bin(TimeGenerated, 1d)
● | render timechart

Visualizations: areachart, barchart, columnchart, piechart, scatterchart, timechart
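As an added example that is not part of the course slides, the query below combines the countif() and dcount() aggregates from the summarize table with bin() and render timechart to chart failed and successful logons per account per hour; the 20-failure threshold is an assumed value, not one taken from the course.

```kusto
// Added example (not from the course material): failed vs. successful logons per account, per hour
let timeframe = 1d;
let failureThreshold = 20;               // assumed value; tune for the environment
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID in (4624, 4625)          // 4624 = logon succeeded, 4625 = logon failed
| summarize
    Successes   = countif(EventID == 4624),
    Failures    = countif(EventID == 4625),
    SourceHosts = dcount(Computer)       // distinct hosts that reported the events
    by Account, bin(TimeGenerated, 1h)
// keep only the hours in which an account failed repeatedly and then succeeded at least once
| where Failures >= failureThreshold and Successes > 0
| project TimeGenerated, Account, Failures, Successes
| render timechart
```

The same summarize output can be inspected as a table by removing the final render line.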

Chapter 4
Sub-chapter 3
Build Multi-Table Statements using KQL
Introduction

After completing this module, you will be able to:

1. Create queries using unions to combine the results of multiple tables with KQL
2. Combine two tables with the join operator in KQL
Use the union operator
● SecurityEvent | union SigninLogs

● SecurityEvent
● | union SigninLogs
● | summarize count()
● | project count_

● SecurityEvent
● | union (SigninLogs | summarize count() | project count_)

● union Security*
● | summarize count() by Type

Use the join operator

● SecurityEvent
● | where EventID == "4624"
● | summarize LogOnCount=count() by EventID, Account
● | project LogOnCount, Account
● | join kind = inner (
● SecurityEvent
● | where EventID == "4634"
● | summarize LogOffCount=count() by EventID, Account
● | project LogOffCount, Account
● ) on Account

Use the join operator (continued)
● When joining tables, you use Join flavors to determine the joining behavior. It is essential to understand
the impact of records on the left and right side based on the join flavor.
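The slide does not list the join flavors themselves. As an added example that is not course material, the following query builds two small constructed tables with datatable and runs the same join with four flavors, so the effect on left-side and right-side records can be compared without a workspace.

```kusto
// Added example (not course material): constructed tables so each join flavor can be compared offline
let LogOns = datatable(Account:string, LogOnCount:long)
[
    @"CONTOSO\alice", 5,
    @"CONTOSO\bob", 2,
    @"CONTOSO\svc-backup", 40
];
let LogOffs = datatable(Account:string, LogOffCount:long)
[
    @"CONTOSO\alice", 5,
    @"CONTOSO\carol", 1
];
// The right-hand Account column is renamed Account1 because both sides share the name.
union
    // inner: only rows matched on both sides -> alice
    (LogOns | join kind=inner LogOffs on Account | extend Flavor = "inner"),
    // leftouter: every left row; LogOffCount is empty where nothing matched -> alice, bob, svc-backup
    (LogOns | join kind=leftouter LogOffs on Account | extend Flavor = "leftouter"),
    // leftanti: left rows with no match on the right (logons without a logoff) -> bob, svc-backup
    (LogOns | join kind=leftanti LogOffs on Account | extend Flavor = "leftanti"),
    // fullouter: all rows from both sides; carol appears with an empty left-hand Account
    (LogOns | join kind=fullouter LogOffs on Account | extend Flavor = "fullouter")
| project Flavor, Account, Account1, LogOnCount, LogOffCount
| order by Flavor asc, Account asc
// When kind is omitted, the default flavor is innerunique, which deduplicates the left-hand keys first.
```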

Chapter 4
Sub-chapter 4
Work with String Data in KQL Statements
Introduction

After completing this module, you will be able to:

1. Extract data from unstructured string fields using KQL
2. Extract data from structured string data using KQL
3. Create functions using KQL
Extract data from unstructured string fields

Extract function:

● SecurityEvent
● | where EventID == 4672 and AccountType == 'User'
● | extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
● | summarize LoginCount = count() by Account_Name
● | where Account_Name != ""
● | where LoginCount < 10
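To show what the regular expression above actually returns, here is an added example (not course material) that runs the same extract() call over constructed Account values in each form the pattern handles, including the prefix-only case that explains the != "" filter on the slide.

```kusto
// Added example (not course material): constructed Account values covering the shapes the pattern handles
let Samples = datatable(Account:string)
[
    @"CONTOSO\JSmith",              // DOMAIN\user form
    "jsmith@contoso.com",           // user principal name form
    "JSmith",                       // bare user name
    @"CONTOSO\JSmith@contoso.com",  // both a domain prefix and a UPN suffix
    @"CONTOSO\"                     // prefix only: group 2 is empty, which the slide drops with != ""
];
Samples
| extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
// group 1 swallows an optional "domain\" prefix and group 3 an optional "@..." suffix,
// so group 2 is the bare user name in every form above
| summarize LoginCount = count(), Forms = make_set(Account) by Account_Name
// Expected: one row with Account_Name "jsmith" and LoginCount 4, plus one row with an empty Account_Name
```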

Extract data from unstructured string fields (continued)
Parse function:

● let Traces = datatable(EventText:string)
● [
● "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
● ];

● Traces
● | parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
● | project resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime

Extract data from structured string data
Parse dynamic fields:

● SigninLogs
● | extend OS = DeviceDetail.operatingSystem

Work with JSON data:

● SigninLogs
● | extend Location = todynamic(LocationDetails)
● | extend City = Location.city
● | extend City2 = Location["city"]
● | project Location, City, City2

Integrate external data

● Users
● | where UserID in ((externaldata (UserID:string) [
● @"https://storageaccount.blob.core.windows.net/storagecontainer/users.txt"
● h@"?...SAS..." // Secret token needed to access the blob
● ]))
● | ...

Create Parsers using functions

● SecurityEvent
● | where EventID == 4672 and AccountType == 'User'

● // Save the query as a function named PrivLogins

● PrivLogins
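Saved functions can also take parameters. As an added example that is not on the slide, the same parser is declared inline with let, which is also how it can be tested before being saved in the workspace; PrivLogins and its lookback parameter are names assumed here.

```kusto
// Added example (not course material): the parser declared inline as a parameterized function.
// PrivLogins and its lookback parameter are assumed names; a function saved in the Sentinel
// workspace with the same body and parameter is called exactly the same way.
let PrivLogins = (lookback:timespan) {
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4672 and AccountType == 'User'   // 4672 = special privileges assigned to new logon
    | extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
    | project TimeGenerated, Computer, Account, Account_Name
};
// Callers reuse the parser without repeating the filter and the regular expression
PrivLogins(1d)
| where Account_Name != ""
| summarize PrivLoginCount = count(), Hosts = make_set(Computer) by Account_Name
| where PrivLoginCount < 10
| order by PrivLoginCount asc
```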

End of Chapter 4