Add hunting query: Potential Rootkit Network Activity via Firewall/EDR telemetry delta

[YounesA343]

Summary
This PR adds a highly resilient, compute-optimized analytic rule targeting advanced adversaries operating in Ring-0 (kernel space) that blind endpoint telemetry to exfiltrate data or communicate with C2 infrastructure.

Adversaries increasingly rely on Bring Your Own Vulnerable Driver (BYOVD) techniques to achieve kernel-level execution. A primary objective of this access is to unlink Windows Filtering Platform (WFP) callouts or inject raw frames directly into NDIS. This effectively blinds EDR sensors (like Microsoft Defender for Endpoint) to outbound network telemetry, allowing malware to beacon while the host otherwise appears completely healthy.

This query relies on the paradox created by this evasion: it compares "Network Truth" (out-of-band physical/virtual firewall appliance logs via ASimNetworkSessionLogs) against "Host Truth" (EDR telemetry via DeviceNetworkEvents). By shifting the detection to the network boundary, the endpoint-level ETW/WFP patch is rendered irrelevant.

Compute Optimizations Included:

• Pre-filtering (activeMdeNodes): Before executing the expensive anti-join, the query identifies IPs actively reporting to MDE. This filters out IoT, BYOD, and unmanaged devices from the massive Firewall dataset, preventing O(N*M) compute explosions and false positives.
• Data Stratification: Instead of using the massive DeviceNetworkEvents table to resolve Hostnames and Domains, the query leverages the lightweight DeviceNetworkInfo state table. It unpacks the JSON array to grab the exact DHCP/Hostname mapping with arg_max, saving massive cluster compute.
• Left-Side Join Rule Compliance: The firewall dataset is heavily aggregated via summarize and explicitly time-bounded before acting as the left table in the leftanti join against the distinct MDE connection pairs.

Triage Readiness:
The query output is highly engineered for Tier 1 SOC analysts. It utilizes alertDetailsOverride to inject the compromised host and destination IP directly into the incident title, uses customDetails to pin exfiltrated byte counts to the overview blade, and strictly casts schema types to ensure entityMappings trigger the Sentinel Investigation Graph without errors.

Change(s):

• Added PotentialRootkitTrafficMissingFromMDE.yaml to the Hunting Queries/Microsoft 365 Defender/ Defense Evasion directory.
• Includes Entity Mappings for Host (HostName, DnsDomain) and IP (InternalIP, DestinationIP).
• Includes Custom Details and Alert Details Override for dynamic incident generation.

Reason for Change(s):

• Advanced malware and rootkits (e.g., using BYOVD) can successfully blind user-mode and kernel-mode EDR network sensors, creating a blind spot for exfiltration.
• This query establishes a highly resilient detection mechanic by analyzing the delta between perimeter appliances and endpoint sensors.
• It provides SOCs with a template that is safely optimized for high-volume enterprise environments without timing out the Kusto engine.

Version Updated:

• N/A (This is a new hunting query template, version set to 1.0.0).

Testing Completed:

• Yes. Queries were authored against the ASimNetworkSessionLogs, DeviceNetworkEvents, and DeviceNetworkInfo schemas.
• Ensure the use of explicit string casting (tostring()) for entityMappings strictly follows the V3 entity guidelines.

Checked that the validations are passing and have addressed any issues that are present:

• Yes. Ran the .script/tests/DetectionTemplateSchemaValidation/dotnet test local validation to ensure YAML structure, metadata (Tactics/Techniques), and KQL syntax are perfectly compliant with the repo's guidelines. Validated for non-ASCII characters.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new Microsoft Sentinel hunting query template intended to detect potential kernel-level EDR network telemetry bypass by comparing perimeter “network truth” (ASimNetworkSessionLogs) vs MDE “host truth” (DeviceNetworkEvents/DeviceNetworkInfo).

Changes:

• Introduces a new hunting query YAML with MITRE mappings, data connectors, query logic, and entity mappings.
• Implements a left-anti join delta approach (firewall sessions present, MDE sessions absent) with pre-filtering to reduce compute.
• Adds alert customization fields (custom details / title+description override) alongside the hunting query.

[v-maheshbh]

Hi @YounesA343
Kindly review the above comments and address them as needed.

Thanks!

[YounesA343]

Hi @v-maheshbh

Thanks for the syntax feedback, I've updated the PR to use an explicit extend prior to the mv-expand to ensure it parses safely! Note that we couldn't expand the column directly as suggested, because the IPAddresses column in DeviceNetworkInfo is natively typed as a string (JSON array) rather than dynamic, so todynamic() is strictly required to unpack the array.

Updated and validated!