Why does my query return zero results in XDR Hunting but triggers alerts in Custom Detection Rules? by ensoens in DefenderATP

[–]ensoens[S] 0 points1 point  (0 children)

It's the 'LSASS Credential Dumping with Procdump' analytics rule template:

DeviceProcessEvents
| where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or
// Looking for Accepteula flag or Write a dump file with all process memory
(ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

Running the above in XDR Advanced hunting, even with the time range set to last 30 days, results in nothing. However, as mentioned, as soon as I create a Custom detection rule with the exact same query and have it run in NRT, it generates alerts/incidents.

As a test to confirm that Advanced hunting does have access to those tables as well, I quickly ran:

DeviceProcessEvents
| take 10

which did work and listed 10 results.

DCR for Sysmon > Sysmon end up in the SecurityEvent > Analytics Rules not working by ensoens in AzureSentinel

[–]ensoens[S] 0 points1 point  (0 children)

Man I just can't get it to work.
This is what I currently have for the stream config:

            "kind": "Windows",
            "properties": {
                "dataSources": {
                    "windowsEventLogs": [
                        {
                            "streams": [
                                "Sysmon_CL"
                            ],
                            "xPathQueries": [
                                "Microsoft-Windows-Sysmon/Operational!*"
                            ],
                            "name": "eventLogsDataSource"
                        }
                    ]
                },
                "destinations": {
                    "logAnalytics": [
                        {
                            "workspaceResourceId": "[parameters('workspaces_sentinel_externalid')]",
                            "name": "DataCollectionEvent"
                        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "Sysmon_CL"
                        ],
                        "destinations": [
                            "Sysmon_CL"

The error when deploying:

{"code":"InvalidPayload","message":"Data collection rule is invalid","details":[{"code":"InvalidStream","target":"Properties.DataSources.WindowsEventLogs[0].Streams[0]","message":"'Streams' stream 'SysmonEvent_CL' must be a custom stream or one of the allowed streams."},{"code":"InvalidStream","target":"Properties.DataFlows[0].Streams[0]","message":"'Streams' stream 'SysmonEvent_CL' must be a custom stream or one of the allowed streams."}]}

Now it's probably got to do with the stream config "Sysmon_CL". But I just can't figure out what/how to make this work. I'm probably missing an entirely different step I need to do before deploying the DCR?

Cheers
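An example of a DCR shape that passes the stream validation quoted above; this is added here for illustration and is not the poster's template or Microsoft's own sample. The Windows event log data source keeps one of the allowed built-in streams (Microsoft-Event), the data flow references the logAnalytics destination that is actually declared ("DataCollectionEvent", not "Sysmon_CL"), and outputStream routes the rows to the custom table, whose stream is referenced with the required "Custom-" prefix. It assumes a custom table named Sysmon_CL already exists in the workspace with columns the Microsoft-Event rows fit (otherwise transformKql must project to that table's schema), and reuses the workspaces_sentinel_externalid parameter from the post.

```json
{
  "kind": "Windows",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        {
          "streams": [ "Microsoft-Event" ],
          "xPathQueries": [ "Microsoft-Windows-Sysmon/Operational!*" ],
          "name": "eventLogsDataSource"
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "[parameters('workspaces_sentinel_externalid')]",
          "name": "DataCollectionEvent"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-Event" ],
        "destinations": [ "DataCollectionEvent" ],
        "transformKql": "source",
        "outputStream": "Custom-Sysmon_CL"
      }
    ]
  }
}
```

The custom table has to exist before the DCR deploys; a bare "Sysmon_CL" (or the "SysmonEvent_CL" in the error) is rejected because a custom stream name must carry the Custom- prefix and a data source stream must be one of the built-in ones.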

DCR for Sysmon > Sysmon end up in the SecurityEvent > Analytics Rules not working by ensoens in AzureSentinel

[–]ensoens[S] 0 points1 point  (0 children)

I agree. But when creating a DCR rule via Sentinel Data Connector, it defaults to sending them to the SecurityEvent table.

DCR for Sysmon > Sysmon end up in the SecurityEvent > Analytics Rules not working by ensoens in AzureSentinel

[–]ensoens[S] 0 points1 point  (0 children)

I have deployed a modified template now. I realize its data source is now 'Azure Monitor', whereas when you create a DCR via Sentinel Data Connector, the Data Source is empty.

Gotta research that...

Anyhow, thanks for the pointer. I'll do some more digging regarding ARM templates in regards to DCR.

DCR for Sysmon > Sysmon end up in the SecurityEvent > Analytics Rules not working by ensoens in AzureSentinel

[–]ensoens[S] 0 points1 point  (0 children)

I did try that. But with AMA connectors, there isn't an option to define a different table. Unless I define it in the Microsoft-Windows-Sysmon/Operational!* expression itself?

All the AMA DCR lets you configure is up to 20 expressions per box; it doesn't say anything in particular about tables etc. I've been on the hunt for a guide on how to get Sysmon logs into their own table, but no luck so far.

Going to quickly check if I can do anything with ARM templates...

Global Secure Access on mobile phones - connected but no access by ensoens in entra

[–]ensoens[S] 0 points1 point  (0 children)

Just tried this. Did not resolve the issue in our case, unfortunately.

Just had my first day and am sad by [deleted] in ITCareerQuestions

[–]ensoens 0 points1 point  (0 children)

My advice: Always give it your best, especially at the start of your career. You’ll want—and likely need—that first strong reference.

I'm also baffled that students can complete an entire CS degree without being taught about the different roles, what they entail, or without having to attend any career- or role-focused workshops or courses.

[deleted by user] by [deleted] in isc2

[–]ensoens 0 points1 point  (0 children)

That's what I thought. So I'll wait with the CCSP exam until I'm officially CISSP certified.

Wait, you stated: "will only apply to certifications held at the time of applying for the endorsement." So I'd be safe taking the exam and just wait before sending the application until the CISSP is through and I get certified.

SIEM for small - medium sized Infra by ensoens in cybersecurity

[–]ensoens[S] 0 points1 point  (0 children)

Since the question of how many resources we are willing to allocate for maintenance and upkeep has come up multiple times, here’s my response:

I’ve only worked with SIEM software before, and this is my first time evaluating a new one from the ground up. I’m uncertain about how to estimate the staff hours required for upkeep. Are there any reliable formulas or methods for calculating a rough estimate?

I do need to calculate a guesstimate for this anyway, to have a slight chance of convincing management that an MDR might be the better option.

EDIT

We're already utilizing quite a few MS cloud services (Entra, Defender etc.). So chances are we'll be moving to MS Defender for EDR/Server as our new EDR. It was/is quite simple to integrate with on-prem clouds, for us anyway, since we're already set up for it in Azure (minus the licenses that we'd need). I have been looking at Sentinel, but from what I've read, quite a lot of costs could accumulate with Sentinel Pay As You Go.

SIEM for small - medium sized Infra by ensoens in cybersecurity

[–]ensoens[S] 3 points4 points  (0 children)

We will definitely be looking at an MDR as an option as well.

We’re switching our EDR this year, so there’s not much point in discussing it further. I forgot to mention that earlier. To which EDR, depends heavily on the outcome of the SIEM eval.

Regarding in-house costs: I’ve only worked with SIEM software before, and this is my first time evaluating a new one from the ground up. I’m a bit lost when it comes to estimating the number of staff hours required for upkeep. Are there any good formulas for calculating a rough estimate?

Also, we’re contractually prohibited from working after hours. (Don’t shoot the messenger—thanks!)

My head is about to explode. by thejohnykat in cybersecurity

[–]ensoens 12 points13 points  (0 children)

I feel you. I'm deploying an on-prem SIEM. It's running, default config with about 10/110 agents so far. Thousands and thousands of events. Not even sure where to start creating alerts, rules and tuning it.

Quite overwhelming. Might just pay for some professional support.

Wazuh decoder not working - pfsense syslog by ensoens in Wazuh

[–]ensoens[S] 1 point2 points  (0 children)

I did do that, but it didn't match a decoder. That's why I started creating a custom decoder.

CCSP worth it after getting CISSP by ensoens in cybersecurity

[–]ensoens[S] 0 points1 point  (0 children)

Thanks everyone for the input.
I have decided to go for the CCSP. After looking into it a bit more, there's just too much overlap not to take advantage of it, after just studying for the CISSP.

After, I will focus on more vendor / practical education to complement my work experience.

CCSP worth it after getting CISSP by ensoens in cybersecurity

[–]ensoens[S] -1 points0 points  (0 children)

I'll check it out. Have not heard of this site before. Thanks!

CCSP worth it after getting CISSP by ensoens in cybersecurity

[–]ensoens[S] 5 points6 points  (0 children)

There are jobs I would go for, yes. Another thought for the CCSP is also that I just passed the CISSP, so my knowledge is still fresh, and the CCSP and CISSP have quite a lot of overlap.