Configure the needed event log sources in Log Analytics

AdamBudzinskiAZA-0329 91 Reputation points
2022-10-19T15:17:57.033+00:00

Hi,

I’m looking at sigma rules https://github.com/SigmaHQ, and how I could potentially use them for custom detection/alerting. I also came across https://uncoder.io/ (it translates Sigma rules into various SIEM, EDR and XDR formats). I’m using Log Analytics workspaces/Sentinel in Azure.

I’ve been looking for the following Sigma rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml

Used https://uncoder.io to convert it to Microsoft Sentinel Query and got this:

Event | where (ScriptBlockText contains 'Clear-History' or ((ScriptBlockText contains 'Remove-Item' or ScriptBlockText contains 'rm') and (ScriptBlockText contains 'ConsoleHost_history.txt' or ScriptBlockText contains '(Get-PSReadlineOption).HistorySavePath')))

Looks good, I think, and I try to run this query:


Checking the Azure Monitor schema for the Event table https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/event, there's no ScriptBlockText (I guess the schema contains all values that are common to all Event ID types; however, certain Event IDs will have additional columns/data, correct?)

Now, what I'm wondering: I believe that for this to work I would have to have PowerShell Script Block Logging (Win 2012R2 and above) enabled, which I don't at this point.

Next, I found this: https://gist.github.com/captainGeech42/5974b1fce3e269a4d667d94edbc30153
I don't have any event IDs with a source type equal to "Microsoft-Windows-PowerShell".

Now, apart from having this set through GPO, which event log should I enable in the config below to have it ingested into Log Analytics?


Thanks!

Microsoft Sentinel

1 answer

  1. Clive Watson 6,601 Reputation points MVP
    2022-10-19T17:15:48.743+00:00

    You are correct, the translation from Sigma to KQL (or any language) requires two things:

    1. The right data
    2. An understanding of best practice with KQL; the translation is often basic and needs to be refined.

    Two tricks that can help are to fake the data until you have it:

    1. See datatable operator : https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatableoperator?pivots=azuremonitor
    2. Also try adding column_ifexists, essentially using another column in the meantime; it won't fix it, but it can allow you to develop some of the rest of the query. You can also pass in data at that point (see the second code block below): https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/columnifexists

    // using another column like "Computer"

    Event  
    | extend ScriptBlockText=column_ifexists("ScriptBlockText",Computer)  
    | where (ScriptBlockText contains 'Clear-History' or ((ScriptBlockText contains 'Remove-Item' or ScriptBlockText contains 'rm')  
      and (ScriptBlockText contains 'ConsoleHost_history.txt' or ScriptBlockText contains '(Get-PSReadlineOption).HistorySavePath')))  
    | limit 10    
    

    or

    // using fake data

    Event  
    | extend ScriptBlockText=column_ifexists("ScriptBlockText","Clear-History")  
    | where (ScriptBlockText contains 'Clear-History' or ((ScriptBlockText contains 'Remove-Item' or ScriptBlockText contains 'rm')  
      and (ScriptBlockText contains 'ConsoleHost_history.txt' or ScriptBlockText contains '(Get-PSReadlineOption).HistorySavePath')))  
    | limit 10    
    

    If this is helpful, please Accept the answer?

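As an added example (not part of the answer above), the two points it makes can be combined in one query. The "right data" for this Sigma rule is event 4104 from the Microsoft-Windows-PowerShell/Operational channel, which only exists once the "Turn on PowerShell Script Block Logging" policy is enabled on the host and that channel name is added as a Windows event log data source for the workspace; in the Event table the script text is not its own column but sits inside the EventData XML and has to be extracted. The datatable below is constructed sample data in the shape of the Event table (the EventData wrapper is simplified; the real column carries more XML around the same <Data Name="ScriptBlockText"> element, which is all the regex relies on), so the query runs before any real 4104 events have been collected; replace PoshEvents with Event once they have.

```kusto
// Constructed rows shaped like the Log Analytics Event table (not real telemetry).
// Row 1 and row 2 are the two behaviours the Sigma rule describes. Row 3 is benign
// (it only reads the history file) but "Format-Table" contains the substring "rm",
// so the unrefined `contains 'rm'` translation would flag it. Row 4 is an unrelated
// channel and event ID and exists only to show the log-source filter.
// The EventData XML is a simplified assumption of the real wrapper.
let PoshEvents = datatable(TimeGenerated:datetime, Computer:string, EventLog:string, EventID:int, EventData:string)
[
    datetime(2022-10-19T15:00:00Z), "WS01", "Microsoft-Windows-PowerShell/Operational", 4104,
        '<EventData><Data Name="ScriptBlockText">Clear-History</Data></EventData>',
    datetime(2022-10-19T15:01:00Z), "WS01", "Microsoft-Windows-PowerShell/Operational", 4104,
        '<EventData><Data Name="ScriptBlockText">Remove-Item (Get-PSReadlineOption).HistorySavePath -Force</Data></EventData>',
    datetime(2022-10-19T15:02:00Z), "WS02", "Microsoft-Windows-PowerShell/Operational", 4104,
        '<EventData><Data Name="ScriptBlockText">Get-Content ./ConsoleHost_history.txt | Format-Table</Data></EventData>',
    datetime(2022-10-19T15:03:00Z), "WS02", "System", 7036, ""
];
PoshEvents
// 1. the right data: only script block events from the PowerShell channel
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
// 2. lift the script text out of the EventData XML into the column the rule expects
| extend ScriptBlockText = extract(@'<Data Name="ScriptBlockText">([\s\S]*?)</Data>', 1, EventData)
| where isnotempty(ScriptBlockText)
// detection logic from the Sigma rule; `contains` is case-insensitive in KQL,
// and "rm" is matched as a whole word instead of as a substring
| extend TouchesHistoryFile = ScriptBlockText contains "ConsoleHost_history.txt"
    or ScriptBlockText contains "(Get-PSReadlineOption).HistorySavePath"
| extend DeletesFile = ScriptBlockText contains "Remove-Item"
    or ScriptBlockText matches regex @'(?i)\brm\b'
| where ScriptBlockText contains "Clear-History" or (DeletesFile and TouchesHistoryFile)
| project TimeGenerated, Computer, EventID, ScriptBlockText
```

With the constructed rows only the first two reach the final project. The whole-word match for "rm" is the kind of refinement the answer refers to: the literal translation's `contains 'rm'` also matches Format-Table, Confirm and any other token with those two letters, which turns a tight rule into noise as soon as the history file path shows up in ordinary scripts.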
