DDoS (Distributed Denial of Service) attacks remain one of the most common and disruptive cyber threats today. Instead of focusing on theory, this video walks you through realistic network data and shows how to identify attack patterns using powerful, real-time analytics.
What you’ll learn:
1. How to detect SYN flood attacks using connection timeouts and source IP patterns
2. How to identify volumetric (bandwidth) attacks through traffic spikes
3. How to uncover distributed attack behavior across multiple IPs and ports
4. How to build a comprehensive detection query combining multiple indicators
5. How to analyze geographic anomalies in attack traffic
Key takeaways:
1. DDoS detection is about recognizing patterns, not single events
2. Effective monitoring requires multiple analytical perspectives
3. KQL enables fast, scalable analysis across large datasets
4. Detection thresholds must be tailored to your environment
Best practices covered:
1. Baselining normal traffic
2. Creating alert rules in Azure
3. Enriching logs with threat intelligence
4. Automating responses with Azure services
5. Continuously tuning detection queries
Want to go deeper?
If you’re looking to build real-world threat hunting skills and take your cybersecurity expertise to the next level, check out the “Become a Hunter” module from CQURE Academy (CMAP 2026 – Module 6). This course expands on techniques like the ones shown here and helps you develop a structured, hands-on approach to detecting and investigating threats in modern environments:
👉 https://cqureacademy.com/cyber-security-training/cmap-2026-module-6-become-a-hunter/
Whether you’re a security analyst, cloud engineer, or data professional, this video will give you practical techniques to improve your visibility into network threats.
Take these queries, adapt them to your environment, and start uncovering insights in your own data.
TRANSCRIPT
Good morning/afternoon everyone! Today, I’m excited to take you on a practical journey into the world of cybersecurity analytics. We’ll be exploring how to detect DDoS attack symptoms using Kusto Query Language (KQL).
For those unfamiliar, DDoS – or Distributed Denial of Service – attacks remain one of the most prevalent and disruptive cyber threats facing organizations today. These attacks overwhelm your network resources by flooding them with malicious traffic from multiple sources, effectively denying service to legitimate users.
But here’s the good news: with the right tools and queries, we can detect these attacks early and respond quickly. Azure Data Explorer, combined with KQL, gives us powerful capabilities to analyze network traffic patterns and identify anomalies that signal potential DDoS attacks.
Today, I’ll walk you through a realistic dataset of network events containing various DDoS symptoms. We’ll use KQL queries to uncover these patterns, and by the end of this session, you’ll have practical skills to implement similar monitoring in your own environments.
SYN flood
“This query targets SYN flood attacks – one of the most common DDoS techniques. In a SYN flood, attackers send numerous TCP connection requests but never complete the handshake, leaving connections half-open and exhausting server resources.
Notice we’re filtering for ‘Timeout’ connection status – these are the failed or incomplete connections. We’re then summarizing by 5-second intervals and destination port.
The dcount function gives us the distinct count of source IPs. In a true DDoS, you’ll see many different IPs contributing to the timeouts.
We filter for intervals with more than 3 timeouts and sort descending.”
“Look at this pattern! We’re seeing clusters of timeouts on port 80 (HTTP) with multiple distinct IPs contributing. The 5-second windows with 5-6 timeouts from 5-6 different IPs are a classic SYN flood signature. Notice how these appear in bursts – this is the attack wave pattern.”
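The SYN flood query described above, reconstructed as an added example (this is not the video’s own query). Column names (Timestamp, SourceIP, DestinationPort, ConnectionStatus) are assumptions, and the rows are constructed from documentation IP ranges so the query runs stand-alone in Azure Data Explorer.

```kql
// Added example, not the video's query. Constructed sample rows: two bursts of
// half-open connections against port 80 plus a little normal traffic on 443.
let NetworkEvents = datatable(Timestamp:datetime, SourceIP:string, DestinationPort:int, ConnectionStatus:string)
[
    datetime(2025-01-01 09:23:46), "203.0.113.10", 80,  "Timeout",
    datetime(2025-01-01 09:23:46), "203.0.113.11", 80,  "Timeout",
    datetime(2025-01-01 09:23:47), "203.0.113.12", 80,  "Timeout",
    datetime(2025-01-01 09:23:48), "203.0.113.13", 80,  "Timeout",
    datetime(2025-01-01 09:23:49), "203.0.113.14", 80,  "Timeout",
    datetime(2025-01-01 09:23:48), "198.51.100.5", 443, "Established", // normal traffic
    datetime(2025-01-01 09:23:51), "198.51.100.6", 443, "Timeout",     // a single timeout, below threshold
    datetime(2025-01-01 09:23:55), "203.0.113.10", 80,  "Timeout",
    datetime(2025-01-01 09:23:56), "203.0.113.15", 80,  "Timeout",
    datetime(2025-01-01 09:23:57), "203.0.113.16", 80,  "Timeout",
    datetime(2025-01-01 09:23:58), "203.0.113.17", 80,  "Timeout",
];
NetworkEvents
| where ConnectionStatus == "Timeout"              // failed or incomplete handshakes only
| summarize Timeouts = count(),
            DistinctSources = dcount(SourceIP)     // many sources per window = distributed
          by TimeWindow = bin(Timestamp, 5s), DestinationPort
| where Timeouts > 3                               // threshold from the talk; baseline and tune it
| sort by Timeouts desc
```

On the constructed rows this returns two port 80 windows (5 timeouts from 5 sources, then 4 from 4) and drops the lone port 443 timeout.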
Volumetric
“Now we’re looking at volumetric attacks – when attackers try to consume all available bandwidth by sending massive amounts of data.
This query sums all bytes transferred (both sent and received) in 5-second windows, grouped by protocol. The threshold of 500,000 bytes (about 0.5 MB) in 5 seconds is our anomaly marker – normal traffic rarely reaches this level.
This type of query helps identify bandwidth saturation attacks where the goal is simply to flood the pipe.”
we see over 1.9 million bytes of TCP traffic. That’s nearly 2 MB in just 5 seconds, which is extremely high for a single server.
Notice this is all TCP traffic, and if we investigate further, we’d find these are the large 65,500-byte packets from Amsterdam. This is a classic example of a volumetric attack – the attackers aren’t trying to exploit vulnerabilities, just consume bandwidth.”
Multi
“This is perhaps our most important DDoS detection query. It identifies the core characteristic of a distributed attack: many different sources targeting the same destination port simultaneously.
We’re counting distinct source IPs per destination port in 5-second windows. When we see 4, 5, 6 different IPs all hitting the same port in a short window, that’s the ‘distributed’ part of DDoS.
This query would catch both the SYN flood on port 80 and the volumetric attack on port 443.”
“These results are telling a clear story. Look at port 80 – in multiple 5-second windows, we see 5-6 different attackers sending requests. That’s the SYN flood we identified earlier.
But also notice port 443 – in the 09:23:50 window, we have 5 distinct IPs all targeting HTTPS. These are the Amsterdam IPs with their large packets. Two different attack types, both caught by the same pattern: multiple sources, single target, concentrated time window.”
Comprehensive
“Now we’re getting sophisticated. This query combines multiple detection methods into a single comprehensive view.
The extend operator with a case statement creates a new column called ‘AttackIndicators’ that categorizes each event based on suspicious patterns:
Small packets (<=64 bytes) with timeout status suggest SYN flood
Extremely high bytes sent (>100,000) indicate bandwidth attacks
Unknown user agents with GET/POST requests point to botnets
We then filter out normal traffic and summarize by these attack indicators.”
“This is beautiful – we can now see the entire attack timeline at a glance. The SYN flood indicators cluster around 09:23:46-09:23:52, then the high bandwidth usage from Amsterdam appears at 09:23:50, followed by more SYN flood activity.
Notice how the bot activity indicator catches many of the suspicious requests with unknown user agents. This query essentially gives us a real-time attack dashboard.”
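The combined-indicator query described above, reconstructed as an added example (not the video’s own query). The column names, the literal "Unknown" user agent value and the sample rows are assumptions; the rows are constructed to trigger each of the three indicators once, with one normal request that should be filtered out.

```kql
// Added example, not the video's query. Constructed rows covering each indicator
// named in the talk: small-packet timeouts, very large transfers, unknown agents.
let NetworkEvents = datatable(Timestamp:datetime, SourceIP:string, DestinationPort:int,
                              ConnectionStatus:string, PacketSize:int, BytesSent:long,
                              RequestMethod:string, UserAgent:string)
[
    datetime(2025-01-01 09:23:46), "203.0.113.10", 80,  "Timeout",     60,    60,     "",     "",
    datetime(2025-01-01 09:23:47), "203.0.113.11", 80,  "Timeout",     60,    60,     "",     "",
    datetime(2025-01-01 09:23:50), "192.0.2.20",   443, "Established", 65500, 655000, "POST", "Mozilla/5.0",
    datetime(2025-01-01 09:23:50), "192.0.2.21",   443, "Established", 65500, 655000, "POST", "Mozilla/5.0",
    datetime(2025-01-01 09:23:51), "203.0.113.30", 80,  "Established", 512,   1200,   "GET",  "Unknown",
    datetime(2025-01-01 09:23:52), "198.51.100.5", 443, "Established", 1400,  4000,   "GET",  "Mozilla/5.0", // normal
    datetime(2025-01-01 09:23:53), "203.0.113.12", 80,  "Timeout",     60,    60,     "",     "",
];
NetworkEvents
// case() evaluates top to bottom; the first matching predicate wins, last value is the default
| extend AttackIndicators = case(
    PacketSize <= 64 and ConnectionStatus == "Timeout",         "SYN flood",
    BytesSent > 100000,                                          "High bandwidth",
    UserAgent == "Unknown" and RequestMethod in ("GET", "POST"), "Bot activity",
    "Normal")
| where AttackIndicators != "Normal"                // drop ordinary traffic
| summarize Events = count(),
            DistinctSources = dcount(SourceIP),
            Ports = make_set(DestinationPort)      // which ports each indicator touched
          by TimeWindow = bin(Timestamp, 5s), AttackIndicators
| sort by TimeWindow asc, Events desc
```

The output is the per-window timeline the talk describes: one row per indicator per 5-second bin, with the normal 198.51.100.5 request excluded.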
Geographic
“Our final query looks at geographic patterns. In normal traffic, you expect a diverse, steady distribution of requests from various countries. During a DDoS attack, you might see sudden spikes from specific regions.
We’re counting requests by country in 15-second windows. When a single country suddenly produces a burst of traffic, it’s worth investigating – it could indicate a regional botnet activation.”
“Look at the pattern emerging. Russia shows multiple spikes throughout the timeline. China and India also have concentrated bursts. But notice how the Netherlands appears only during the volumetric attack window – 5 requests from the Netherlands in a 15-second period, all during the high-bandwidth attack.
This geographic lens helps us identify attack sources and potentially implement regional blocking if needed.”
Outro
“So what have we learned today? Let me share the key takeaways:
First, DDoS detection isn’t about finding a single ‘smoking gun’ – it’s about recognizing patterns. The queries we’ve explored look for different pieces of the puzzle: request frequency, connection status, bandwidth usage, port diversity, source distribution, and geographic anomalies.
Second, effective detection requires multiple perspectives. No single query catches everything. By combining these approaches, we build a comprehensive monitoring system.
Third, KQL in Azure Data Explorer gives us powerful, real-time analytics capabilities. These queries run in seconds against millions of records, enabling rapid detection and response.
Fourth, context matters. The thresholds we used (5 requests, 3 ports, 500,000 bytes) are examples. In your environment, you’ll need to baseline normal traffic and adjust these thresholds accordingly.”
“As you implement these queries in your own environments, keep these best practices in mind:
Start with baselining: Run these queries during normal operations to understand your typical traffic patterns before setting alert thresholds.
Create alert rules: Convert these queries into Azure Data Explorer continuous exports or connect them to Azure Monitor alerts for real-time notification.
Combine with other data: Enrich your network logs with threat intelligence feeds to identify known malicious IPs.
Automate responses: Consider integrating with Azure Logic Apps or Azure Functions to automatically trigger mitigations when attacks are detected.
Document and tune: Keep records of false positives and refine your queries over time. DDoS techniques evolve, so your detection should too.”
“Thank you all for your attention today. We’ve covered a lot of ground – from understanding DDoS attack patterns to writing sophisticated KQL queries that detect them in real-time.
Remember, in cybersecurity, visibility is power. The queries we’ve explored today give you that visibility into your network traffic. They transform raw log data into actionable intelligence.
I encourage you to take these queries, adapt them to your environment, and start exploring your own network data. You’ll be amazed at what you can discover.
Want to know more?