ATP advanced threat hunting query KQL

Ross Welton 1 Reputation point
2021-06-15T15:54:30.427+00:00

Hi all

I'm trying to run a KQL query using ATP to check a reg key state.
Here is what I have:
//Registry events
DeviceRegistryEvents
| where Timestamp > ago(15d)
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ZWS_State"
| where RegistryKey has @"SOFTWARE\Zscaler\App*"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp

inside the reg key ZWS_State it will be either OFF or TUNNEL_FORWARDING

For some reason it's returning nothing; any help would be appreciated.


2 answers

  1. VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
    2021-06-16T04:37:19.453+00:00

    @Ross Welton Thanks for reaching out. I don't have a Zscaler setup, so I'm not sure how exactly it shows up in the RegistryKey table.
    I just did a quick test with your RegistryKey parameter and the Kusto query you used.

    For example, if the following is the entry in my ATP:

    (screenshot of the registry entry; image not available)

    I was able to get the particular RegistryKey with following :

    DeviceRegistryEvents
    | where RegistryKey contains "AArsvc_"

    And obviously the other parts like Timestamp and ActionType should be added to narrow down the search result; my lab environment does not have much data.
    What I want you to try is this part | where RegistryKey contains "AArsvc_"

    So you can try something like

    DeviceRegistryEvents
    | where Timestamp > ago(15d)
    | where ActionType == "RegistryValueSet"
    | where RegistryValueName == "ZWS_State"
    | where RegistryKey contains @"SOFTWARE\Zscaler\App"
    | project Timestamp, DeviceName, RegistryKey
    | top 100 by Timestamp

    Let me know if it helps. If it does not, share a screenshot of the entry you are expecting to find from the KQL query and we can build something for you.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
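An added hunting query (not from either poster) that builds on the answer above and on the question's goal of checking ZWS_State: it matches the key by its suffix rather than with a wildcard in has(), and reduces the RegistryValueSet events to the latest state per device so that endpoints whose Zscaler tunnel is not forwarding stand out. The HKEY_USERS\<SID> path form, the 15-day window and the value names OFF / TUNNEL_FORWARDING are taken from the thread or assumed; verify the hive prefix against your own tenant's RegistryKey values.

```kql
// Added example, not from the original thread.
let lookback = 15d;
// Path from the question (HKCU\SOFTWARE\Zscaler\App); only the suffix is matched.
let key_suffix = @"\SOFTWARE\Zscaler\App";
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "ZWS_State"
// has() matches whole terms and does not treat '*' as a wildcard, so the
// original filter can never match; endswith is a plain, case-insensitive suffix test.
| where RegistryKey endswith key_suffix
// Assumption: per-user hives are recorded as HKEY_USERS\<SID>\..., not HKEY_CURRENT_USER.
// The regex runs against the literal key text, hence the doubled backslashes.
| extend UserSid = extract(@"HKEY_USERS\\(S-1-5-21-[\d-]+)\\", 1, RegistryKey)
// Keep only the most recent ZWS_State write per device and user.
| summarize arg_max(Timestamp, RegistryValueData, PreviousRegistryValueData, RegistryKey)
    by DeviceId, DeviceName, UserSid
// Values observed per the question: OFF or TUNNEL_FORWARDING (=~ is case-insensitive).
| extend TunnelState = case(RegistryValueData =~ "TUNNEL_FORWARDING", "Forwarding",
                            RegistryValueData =~ "OFF", "Off",
                            "Unknown")
// Surface devices whose tunnel is off or in an unexpected state.
| where TunnelState != "Forwarding"
| project Timestamp, DeviceName, UserSid, TunnelState,
          RegistryValueData, PreviousRegistryValueData, RegistryKey
| order by Timestamp desc
```

Drop the final `where` to list every device's current state instead of only the non-forwarding ones.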


  2. Ross Welton 1 Reputation point
    2021-06-16T09:44:00.187+00:00

    Using this below I was able to obtain some results, but from the wrong registry area.
    //Registry events
    DeviceRegistryEvents
    | where RegistryKey contains "Zscaler"
    | project Timestamp, DeviceName, RegistryKey, RegistryValueName
    | top 100 by Timestamp

    I'm after
    Computer\HKEY_CURRENT_USER\SOFTWARE\Zscaler\App

    and value
    ZWS_State

