kql that maps vuln server to Defender TI IOCs to Sentinel events

David Broggy 6,371 Reputation points MVP Volunteer Moderator
2023-02-08T16:22:32.2533333+00:00

Hi there, I'd like to know if there's a KQL genius out there (like @Clive Watson - MSFT) that would know if it's possible to create a KQL query for joining/correlating the following:

  • Defender for Cloud (or Cloud Security Explorer) - vulnerable VM mapped to CVE.
  • Defender Threat Intelligence - Known IOCs (IPs) that map to the above CVE
  • Sentinel - any alerts showing the above IOC(s) observed communicating with the above vulnerable VM

If that's possible, I think it would be an automated way to do much of what is discussed in this article:

https://techcommunity.microsoft.com/t5/microsoft-defender-threat/defender-for-cloud-and-defender-for-threat-intelligence-are/ba-p/3723047

Thanks very much!

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Sentinel

Accepted answer
  1. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-02-13T09:33:13.45+00:00

    Hi,

    I don't have all the parts, but this ARG query will get the CVE (possibly enriched from MDTI - but I haven't looked at that enough to be sure) from Defender for Cloud.
    In a workbook you could merge this with SecurityAlert table. But for a KQL Query you'd probably have to create a Table with this info before hand (using a Playbook)?

    Thanks, Clive (no longer at MSFT), new user name: clivewatson-9831

    // Azure Resource Graph (ARG) query: vulnerability sub-assessments from Defender for Cloud
    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    // pull the parent assessment key out of the resource id; the sub-assessment id is in properties
    | extend assessmentKey=extract("providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id)
    // key of the "machines should have vulnerability findings resolved" assessment
    | where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f"
    // optional severity filter driven by a workbook parameter; leave commented for a plain query
    //| where properties.status.severity == '{selectSeverity}' or "Show All" == "{selectSeverity}"
    | extend subAssessmentName=tostring(properties.displayName),
                resourceId = tostring(properties.resourceDetails.id),
                cve = tostring(properties.additionalData.cve),
                statusSeverity = tostring(properties.status.severity),
                statusCode = tostring(properties.status.code),
                vendorTitle = tostring(properties.additionalData.vendorReferences)
    // keep only findings that carry a CVE identifier
    | where cve has "CVE-"

    1 person found this answer helpful.
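One way to do the join Clive describes once the ARG output has been landed in a custom table. This is an added example, not code from the thread; the three inputs are constructed `datatable` stand-ins (the Playbook-fed custom table with the ARG columns above, an assumed CVE-to-IP indicator list, and a few rows in the shape of `SecurityAlert`) so it runs in any Log Analytics workspace, and in production each would be swapped for the real table.

```kql
// Constructed stand-in for the custom table a Playbook would fill from the ARG query
let VulnerableVMs = datatable(resourceId:string, cve:string, statusSeverity:string) [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01", "CVE-2021-44228", "High",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/db01", "CVE-2022-22965", "Medium"
];
// Constructed stand-in for indicators already mapped to a CVE (column names are assumed)
let CveIndicators = datatable(cve:string, indicatorIp:string) [
    "CVE-2021-44228", "203.0.113.10",
    "CVE-2021-44228", "198.51.100.7",
    "CVE-2022-22965", "192.0.2.25"
];
// Constructed rows in the shape of SecurityAlert: Entities is a JSON string holding an array of entities.
// Row 1: vulnerable VM talking to an IP mapped to its CVE (should match)
// Row 2: same IP but on a VM whose CVE differs (should not match)
// Row 3: vulnerable VM but the IP is not a known indicator (should not match)
let Alerts = datatable(TimeGenerated:datetime, AlertName:string, ResourceId:string, Entities:string) [
    datetime(2023-02-10 08:15:00), "Suspicious inbound traffic",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-WEB/providers/Microsoft.Compute/virtualMachines/web01",
        '[{"$id":"1","Address":"203.0.113.10","Type":"ip"},{"$id":"2","HostName":"web01","Type":"host"}]',
    datetime(2023-02-10 09:40:00), "Traffic to unknown host",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/db01",
        '[{"$id":"1","Address":"203.0.113.10","Type":"ip"}]',
    datetime(2023-02-10 10:05:00), "Port scan detected",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01",
        '[{"$id":"1","Address":"192.0.2.99","Type":"ip"}]'
];
Alerts
// explode the entity array and keep only the IP entities
| extend ent = parse_json(Entities)
| mv-expand ent
| where tostring(ent.Type) =~ "ip"
// resource IDs differ in case between ARG and alert sources, so normalise before joining
| extend observedIp = tostring(ent.Address), resourceId = tolower(ResourceId)
// alert on a VM that Defender for Cloud flags as vulnerable
| join kind=inner (VulnerableVMs | extend resourceId = tolower(resourceId)) on resourceId
// and the observed IP is an indicator mapped to that VM's CVE
| join kind=inner CveIndicators on cve, $left.observedIp == $right.indicatorIp
| project TimeGenerated, AlertName, resourceId, cve, statusSeverity, observedIp
| order by TimeGenerated asc
```

With the real tables in place, the `Alerts` block is replaced by `SecurityAlert | where TimeGenerated > ago(1d)` and the two `let` tables by the custom table and indicator source; the lowercase normalisation of the resource ID is the step most often missed when the join returns nothing.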
