# Kusto Analysis

The aim of this notebook is to provide an example of analysing security data from a custom
[Kusto aka Azure Data Explorer (ADE) cluster](https://docs.microsoft.com/en-us/azure/data-explorer/data-explorer-overview).

Kusto/ADE is a fast and highly scalable data exploration service for log and telemetry data, hosted in Azure, and is used across Microsoft
for analysing huge datasets of this sort.

[Kusto Explorer](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/tools/kusto-explorer) is an extremely useful tool for browsing and querying Kusto databases.

### Example Data

We use the [Open Threat Research Forge Mordor Security Datasets](https://github.com/OTRF/Security-Datasets/), and assume that these have been
loaded already into a Kusto/ADE cluster that you control.

___See: [./Kusto-Ingest.ipynb](./Kusto-Ingest.ipynb) for details on data retrieval, prep and loading.___
Notebook setup output:

> Notebook setup completed with some warnings.
> One or more configuration items were missing or set incorrectly.
> Please run the Getting Started Guide for Azure Sentinel ML Notebooks notebook and the msticpy configuration guide.
> This notebook may still run but with reduced functionality.
| Timestamp | Hostname | ProcessId | Image | CommandLine |
|---|---|---|---|---|
| 2020-10-27 08:28:57.062000+00:00 | WORKSTATION5 | 10164 | C:\Users\wardog\Desktop\ProcessHerpaderping.exe | ProcessHerpaderping.exe mimikatz.exe wardog.exe C:\windows\System32\SnippingTool.exe |
Full Sysmon event record for the single matching row, transposed (one field per line) for readability:

| Field | Value |
|---|---|
| ProcessId | 8924 |
| ProcessGuid | {39e4a257-1289-5f98-482d-000000000700} |
| Task | 1 |
| Version | NaN |
| Domain | |
| Keywords | 0x8000000000000000 |
| AccountName | |
| SourceName | Microsoft-Windows-Sysmon |
| UserID | |
| Hostname | WORKSTATION5 |
| EventTime | NaT |
| ExecutionProcessID | NaN |
| Image | C:\Users\wardog\Desktop\wardog.exe |
| SeverityValue | NaN |
| Severity | |
| EventID | 1 |
| EventReceivedTime | NaT |
| RecordNumber | NaN |
| SourceModuleType | |
| ThreadID | NaN |
| Message | Process Create:\r\nRuleName: -\r\nUtcTime: 2020-10-27 12:28:57.129\r\nProcessGuid: {39e4a257-128... |
| UtcTime | 2020-10-27 12:28:57.129000+00:00 |
| ProviderGuid | {5770385f-c22a-43e0-bf4c-06f5698ffbd9} |
| SourceModuleName | |
| EventType | |
| ... | ... |
| FileVersion | - |
| Description | - |
| Hashes | SHA1=350B60E6C16B72ECF64BBB5413D8A3DD6D76F33B,MD5=D57CA86AC22DC057456ACC7FDE4E492F,SHA256=6635E4... |
| OriginalFileName | - |
| Product | - |
| Company | - |
| LogonGuid | {39e4a257-f1ac-5f8b-d961-0c0000000000} |
| ParentCommandLine | ProcessHerpaderping.exe mimikatz.exe wardog.exe C:\windows\System32\SnippingTool.exe |
| TerminalSessionId | 2.0 |
| CommandLine | "wardog.exe" |
| ParentProcessGuid | {39e4a257-1289-5f98-472d-000000000700} |
| ParentProcessId | 10164.0 |
| ParentImage | C:\Users\wardog\Desktop\ProcessHerpaderping.exe |
| IntegrityLevel | High |
| CurrentDirectory | C:\Users\wardog\Desktop\ |
| LogonId | 0xc61d9 |
| Timestamp | 2020-10-27 08:28:57.420000+00:00 |
| Port | NaN |
| Tags | |
| Host | |
| ProcessID | NaN |
| ERROR_EVT_UNRESOLVED | NaN |
| Type | |
| TimeCreated | 2020-10-27 08:28:57.420000+00:00 |
| Level | 4.0 |

1 row × 56 columns (the columns hidden by the pandas display truncation are shown as "...").
| Timestamp | ProcessId | ImageLoaded | Signature | Description |
|---|---|---|---|---|
| 2020-10-27 08:28:57.556000+00:00 | 8924 | C:\Users\wardog\Desktop\wardog.exe | Microsoft Windows | mimikatz for Windows |
| 2020-10-27 08:28:57.557000+00:00 | 8924 | C:\Windows\System32\ntdll.dll | Microsoft Windows | NT Layer DLL |
| 2020-10-27 08:28:57.557000+00:00 | 8924 | C:\Windows\System32\kernel32.dll | Microsoft Windows | Windows NT BASE API Client DLL |
| 2020-10-27 08:28:57.557000+00:00 | 8924 | C:\Windows\System32\KernelBase.dll | Microsoft Windows | Windows NT BASE API Client DLL |
| 2020-10-27 08:28:57.585000+00:00 | 8924 | C:\Windows\System32\sechost.dll | Microsoft Windows | Host for SCM/SDDL/LSA Lookup APIs |
| SourceImage | TargetImage | Count |
|---|---|---|
| C:\Windows\System32\csrss.exe | C:\Windows\System32\svchost.exe | 197 |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\notepad.exe | 89 |
| C:\Windows\System32\csrss.exe | C:\Windows\System32\wbem\WmiPrvSE.exe | 4 |
| C:\Windows\System32\csrss.exe | C:\WindowsAzure\SecAgent\WaSecAgentProv.exe | 3 |
| C:\Windows\System32\csrss.exe | C:\Windows\System32\spoolsv.exe | 3 |
| SourceImage | TargetImage | Count |
|---|---|---|
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\notepad.exe | 89 |
| C:\Windows\System32\dwm.exe | C:\Windows\System32\csrss.exe | 3 |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\System32\notepad.exe | 1 |
| C:\Program Files\Internet Explorer\iexplore.exe | `<unknown process>` | 1 |
| C:\Windows\System32\wuauclt.exe | `<unknown process>` | 1 |
| Timestamp | Hostname | SourceProcessId | SourceImage | TargetProcessId | TargetImage |
|---|---|---|---|---|---|
| 2020-10-23 03:12:04.474000+00:00 | WORKSTATION5 | 8972 | C:\Users\wardog\Desktop\PurpleSharp.exe | 9908 | C:\Windows\System32\notepad.exe |
| Timestamp | Hostname | ParentProcessId | ProcessId | Image | CommandLine |
|---|---|---|---|---|---|
| 2020-10-23 03:12:04.930000+00:00 | WORKSTATION5 | 9908.0 | 5232 | C:\Windows\System32\PING.EXE | "C:\Windows\System32\ping.exe" 127.0.0.1 -n 10 |
| Hostname | EventCount |
|---|---|
| MORDORDC.mordor.local | 13 |
| WORKSTATION6.mordor.local | 4 |
| WORKSTATION5.mordor.local | 10 |
| WORKSTATION5.theshire.local | 798 |
| MORDORDC.theshire.local | 43 |
| WORKSTATION6.theshire.local | 232 |
| WORKSTATION5 | 119 |
| WORKSTATION7.theshire.local | 7 |
| MXS01.azsentinel.local | 13 |
| Hostname | EventCount |
|---|---|
| WORKSTATION5.theshire.local | 16 |
| MORDORDC.theshire.local | 13 |
| WORKSTATION6.theshire.local | 15 |
| Timestamp | ProcessId | Image | RegistryEventType | TargetObject | Details |
|---|---|---|---|---|---|
| 2020-07-22 04:19:05.132000+00:00 | 9076 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | SetValue | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:SOFTWARE\Microsoft... |
| 2020-09-04 07:06:22.490000+00:00 | 5376 | C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe | SetValue | HKU\S-1-5-21-3125456671-949036322-3048627137-1104\Software\Microsoft\Windows\CurrentVersion\Run\... | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft... |
| 2020-09-04 07:09:05.126000+00:00 | 3200 | C:\Program Files\Windows Defender\MsMpEng.exe | SetValue | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender | "%%ProgramFiles%%\Windows Defender\MSASCuiL.exe" |
| 2020-09-04 20:45:18.639000+00:00 | 3176 | C:\Program Files\Windows Defender\MsMpEng.exe | SetValue | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender | "%%ProgramFiles%%\Windows Defender\MSASCuiL.exe" |
| Timestamp | ParentProcessId | Image | CommandLine |
|---|---|---|---|
| 2020-07-22 03:27:54.604000+00:00 | 9384.0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJABQAFM... |
Full Sysmon event record for the single matching row, transposed (one field per line) for readability:

| Field | Value |
|---|---|
| ProcessId | |
| ProcessGuid | {a158f72c-eb20-5e02-0000-0010427a7100} |
| Task | 1 |
| Version | 1.0 |
| Domain | NT AUTHORITY |
| Keywords | -9223372036854775808 |
| AccountName | SYSTEM |
| SourceName | Microsoft-Windows-Sysmon |
| UserID | S-1-5-18 |
| Hostname | ACCT001.shire.com |
| EventTime | 2019-12-24 23:52:48+00:00 |
| ExecutionProcessID | NaN |
| Image | C:\Windows\System32\wermgr.exe |
| SeverityValue | 2.0 |
| Severity | INFO |
| EventID | 1 |
| EventReceivedTime | 2019-12-24 23:52:49+00:00 |
| RecordNumber | 172776.0 |
| SourceModuleType | im_msvistalog |
| ThreadID | 3992.0 |
| Message | Process Create:\r\nRuleName: \r\nUtcTime: 2019-12-25 04:52:48.400\r\nProcessGuid: {a158f72c-eb20... |
| UtcTime | 2019-12-25 04:52:48.400000+00:00 |
| ProviderGuid | {5770385F-C22A-43E0-BF4C-06F5698FFBD9} |
| SourceModuleName | eventlog |
| EventType | INFO |
| ... | ... |
| FileVersion | 10.0.18362.1 (WinBuild.160101.0800) |
| Description | Windows Problem Reporting |
| Hashes | SHA1=01C782E1D351F4955571FA4CF4DFCDB16DDA78D5,MD5=5FD1D66E944223729B6C7CADCC193915,SHA256=3A7AB2... |
| OriginalFileName | WerMgr |
| Product | Microsoft® Windows® Operating System |
| Company | Microsoft Corporation |
| LogonGuid | {a158f72c-6e53-5e02-0000-0020e7030000} |
| ParentCommandLine | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| TerminalSessionId | 0.0 |
| CommandLine | C:\Windows\system32\wermgr.exe -upload |
| ParentProcessGuid | {a158f72c-6e54-5e02-0000-0010770f0100} |
| ParentProcessId | 1448.0 |
| ParentImage | C:\Windows\System32\svchost.exe |
| IntegrityLevel | System |
| CurrentDirectory | C:\Windows\system32\ |
| LogonId | 0x3e7 |
| Timestamp | 2019-12-25 04:52:49.358000+00:00 |
| Port | 49719.0 |
| Tags | |
| Host | ip-172-18-39-102.ec2.internal |
| ProcessID | 3284.0 |
| ERROR_EVT_UNRESOLVED | NaN |
| Type | nxlog-mordor |
| TimeCreated | NaT |
| Level | NaN |

1 row × 56 columns (the columns hidden by the pandas display truncation are shown as "...").