Blue Teaming with Kusto Query Language (KQL)

Threat hunting has become an integral part of blue teaming. Knowing the tools and techniques, especially for searching across vast amounts of logs to find actionable insights that can be pivoted on to gather context on an existing incident or to surface a potential anomaly, is an essential skill for any defender.
In this presentation, we will introduce Kusto Query Language (KQL), which has become the de facto language for hunting across a variety of data sources such as Microsoft Defender for Endpoint, Azure Sentinel and Microsoft Threat Protection. Knowing the language and mastering the key skills needed to hunt effectively across the Microsoft Threat Protection solutions can be hugely beneficial for blue teamers. We will walk through practical threat hunting queries on cloud (Azure, AWS), on-premise (Windows, Linux) and network data sources, leveraging KQL features to hunt effectively and get results faster. Beyond the syntax, we will demonstrate how to use advanced KQL features such as time series analysis and windowing functions, from the GUI, to find anomalous behavior. Lastly, we will showcase KQL programmatic interfaces such as Jupyter notebooks for threat hunting at scale: importing multiple KQL queries, executing them and gathering the results in an automated fashion.
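As an added illustration of the time series analysis the talk refers to (example query written for this page, not material from the talk), the query below builds an hourly series of failed Windows logons per account and flags spikes against a decomposed baseline. It assumes the Azure Sentinel SecurityEvent table and Windows event ID 4625 (failed logon); the lookback window, bin size and anomaly threshold are constructed values.

```kql
// Added example, not from the talk. Assumes the Azure Sentinel SecurityEvent
// table; EventID 4625 is the Windows failed-logon event.
let lookback = 14d;          // constructed: baseline window
let binSize  = 1h;           // constructed: series resolution
let threshold = 1.5;         // constructed: anomaly score cut-off (KQL default)
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625
// One time series per target account, zero-filled for quiet hours.
| make-series FailedLogons = count() default = 0
    on TimeGenerated from ago(lookback) to now() step binSize
    by TargetUserName
// Decompose each series (auto-detected seasonality, linear trend) and score
// each point against its expected baseline.
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(FailedLogons, threshold, -1, 'linefit')
// Expand the parallel arrays back into one row per hour.
| mv-expand TimeGenerated to typeof(datetime),
            FailedLogons  to typeof(long),
            Anomalies     to typeof(double),
            Score         to typeof(double),
            Baseline      to typeof(double)
// Keep only positive anomalies: hours with more failures than the baseline predicts.
| where Anomalies == 1
| project TimeGenerated, TargetUserName, FailedLogons, Baseline = round(Baseline, 1), Score
| order by Score desc
```

Each returned row is an hour in which an account's failed-logon count exceeded its own baseline by more than the threshold, which is the kind of pivot point a hunter then investigates in context.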


Ashwin Patil

Ashwin Patil currently works as a Senior Program Manager for the Microsoft Threat Intelligence Center (MSTIC) and has over 10 years of experience focused entirely on security monitoring and incident response, defending enterprise networks. In his current role, he primarily works on threat hunting and detection research in KQL (Kusto Query Language) for Azure Sentinel, and also develops Jupyter notebooks written in Python for threat hunting and investigation across a variety of cloud and on-premise security event log data sources. He has a Bachelor's degree in Computer Engineering and holds various SANS certifications, such as GCIA, GCFE and GCIH, in the field of Digital Forensics and Incident Response (DFIR).

Friday Oct 30, 2020 - 01:45 PM CDT

Level 0, Blue Team Village