3/18
Today I am working on some more cybersecurity-related material. I am taking on the role of a security analyst by using Kusto Query Language (KQL) and Azure Data Explorer to examine logs and trace attacker activity to piece together an unknown story. In practice, writing KQL queries and running them against data looks like this:
I find a suspicious email. The email contains a link.
The link has a domain. I look up the domain in DNS records.
The domain resolves to an IP. I search for that IP in network logs.
The network logs show someone visited it. I identify who.
That person's machine has new files. I find malware.
As previously stated, I am working with Azure Data Explorer, but soon I hope to apply the concepts I have learned to other industry-standard programs such as Splunk, CrowdStrike and/or Microsoft Sentinel.
Some of these concepts include (but are not limited to):
Querying and analyzing log data
Identifying suspicious activity
Pivoting across multiple data sources
Investigating potential intrusions
Building investigative reasoning skills
My first step in this learning was inspecting my table and identifying the appropriate rows and columns. Next came the various commands, such as take, command, distinct and where.
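The following KQL is an added example and not part of the original post. It shows the table-inspection commands mentioned above and then the full pivot chain described earlier (email, link, domain, DNS, IP, network log, user, new files) as one query. The table names (Email, DnsEvents, NetworkLogs, FileEvents) and every column name are assumptions made for the example, not the schema of any real dataset; swap in the names from your own tables.

```kql
// --- Getting oriented (run each of these on its own in Azure Data Explorer) ---
Email | getschema          // column names and types, before guessing at them
Email | take 5             // five arbitrary rows; take is not sorted, so use it only for a quick look
Email | count              // how many rows the investigation is dealing with
Email | distinct sender    // one row per unique sender; good for spotting the odd one out

// --- The pivot chain (run as a single query; the let statements feed the final step) ---
// Step 1: the suspicious email and its link.
// Assumed columns: subject, sender, link. The filter is illustrative only.
let suspicious_links =
    Email
    | where subject has "invoice" and sender !endswith "@contoso.example"
    | distinct link;
// Step 2: the link has a domain. parse_url() returns a dynamic object with a Host field.
let suspicious_domains =
    suspicious_links
    | extend domain = tolower(tostring(parse_url(link).Host))
    | distinct domain;
// Step 3: look the domain up in DNS records. Assumed columns: query, ip.
// `in (tabular)` matches against a single-column tabular expression.
let resolved_ips =
    DnsEvents
    | where query in (suspicious_domains)
    | project resolved_ip = ip
    | distinct resolved_ip;
// Step 4: search network logs for that IP and identify who visited.
// Assumed columns: timestamp, src_ip, dest_ip, hostname, username.
let visits =
    NetworkLogs
    | where dest_ip in (resolved_ips)
    | project timestamp, src_ip, dest_ip, hostname, username;
// Step 5: that person's machine has new files. Join visits to file creation events on the
// same host and keep only files created within an hour after the visit.
// Assumed FileEvents columns: timestamp, hostname, action, file_path, sha256.
visits
| join kind=inner (
    FileEvents
    | where action == "created"
    | project file_time = timestamp, hostname, file_path, sha256
  ) on hostname
| where file_time between (timestamp .. (timestamp + 1h))
| project timestamp, username, hostname, dest_ip, file_time, file_path, sha256
| order by timestamp asc
```

Each let statement is one pivot in the story, so if the final result is empty you can run any intermediate stage (for example `resolved_ips`) on its own to see where the chain breaks. The one-hour window in step 5 is an arbitrary starting point for the example; widen it if the file activity you are looking for happens later than that.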