The tool supports two modes: guided and advanced. If you're new to KQL or prefer a more structured approach, the guided mode offers a query builder to assist you. For those more experienced with KQL, the advanced mode allows for direct query crafting from scratch. It's also possible to use the queries developed during hunting to create custom detection rules, which can then automatically monitor for similar threat patterns and respond to them as needed.
Advanced hunting covers data from various sources within the Microsoft ecosystem, including Microsoft Defender for Endpoint, Office 365, Cloud Apps, and Identity, providing a comprehensive view of your organization's security posture. It's crucial to have the appropriate roles and permissions to access this feature, and data freshness is maintained rigorously with event data being available almost immediately and entity data updated every 15 minutes.
Several practical examples showcase the flexibility and power of Advanced Hunting:
Identify Devices with a Specific File:
This query checks whether devices hold files that arrived as attachments from a known malicious sender, which is useful for identifying devices affected by a malware distribution campaign. The join key is the attachment's SHA256 hash, so rows without a hash are dropped first.

```kql
EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
| where isnotempty(SHA256)
| join (
    DeviceFileEvents
    | project FileName, SHA256, DeviceName, DeviceId
) on SHA256
```
Monitor Specific PowerShell Activities:
This example targets PowerShell processes and searches their command lines for strings associated with download cradles and other suspicious activity that could indicate exploitation attempts.

```kql
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```
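The post notes that hunting queries can be turned into custom detection rules. As an added example (not from the original post), here is the PowerShell hunt above reworked for that purpose: it returns the Timestamp, ReportId and DeviceId columns a custom detection rule requires, drops the noisy bare "http"/"https" terms, and scores common evasion switches instead of filtering on them. The excluded account name is an assumed placeholder; the column names follow the standard DeviceProcessEvents schema.

```kql
// Added example, not from the original post: detection-rule-ready variant of
// the PowerShell hunt. Custom detection rules need Timestamp, ReportId and an
// entity column such as DeviceId to be present in the query output.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe")
// Download-cradle indicators. Plain "http"/"https" are left out because they
// match almost every scripted web call and bury real hits in noise.
| where ProcessCommandLine has_any ("Net.WebClient", "DownloadFile", "DownloadString",
                                   "DownloadData", "Invoke-WebRequest", "Invoke-RestMethod",
                                   "Start-BitsTransfer")
// Count evasion-style switches and keep the count as a score rather than a
// filter, so legitimate but unusual admin usage is ranked, not hidden.
| extend SuspiciousSwitches = countof(tolower(ProcessCommandLine),
    @"(-nop\b|-noprofile|-w hidden|-windowstyle hidden|-ep bypass|-executionpolicy bypass|-enc\b|-encodedcommand)",
    "regex")
// Placeholder allow-list entry for an assumed management account; replace with
// your own vetted accounts or remove the line.
| where AccountName !~ "svc_mgmt_placeholder"
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, SuspiciousSwitches
| order by SuspiciousSwitches desc, Timestamp desc
```

Run it in Advanced hunting first to tune the allow-list against your own baseline, then save it as a custom detection rule from the query editor.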
Logon Events Post-Receiving a Malicious File:
This query investigates logon events occurring within a short timeframe after a user received a malicious file, helping to identify potential breaches. The account name is derived from the local part of the recipient address so it can be joined against DeviceLogonEvents.

```kql
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"
| project EmailReceivedTime = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
    DeviceLogonEvents
    | where Timestamp > ago(7d)
    | project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - EmailReceivedTime) between (0min .. 30min)
```
Activities from Specific Cloud Apps:
A query to monitor activities from cloud apps, like Microsoft SharePoint Online, involving specific users or IP addresses.

```kql
CloudAppEvents
| where Application == "Microsoft SharePoint Online"
| take 100
```
Investigate Cloud App File Uploads:
For tracking file uploads to SharePoint Online, this modified query adapts to the newer CloudAppEvents table.

```kql
CloudAppEvents
| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where ObjectType == "File" and ObjectName endswith ".xlsx"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode
```
Investigate Defender Folder Access Control
Each of these queries uses the Kusto Query Language (KQL) to interrogate the various datasets available through Microsoft 365 Defender, from endpoint activities to cloud application events. They demonstrate how flexible and powerful Advanced Hunting can be when identifying, investigating, and responding to potential security threats across an organization's Microsoft 365 environment.