title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | |||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hunt for threats across devices, emails, apps, and identities with advanced hunting |
Study common hunting scenarios and sample queries that cover devices, emails, apps, and identities. |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
how-to |
04/22/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across:
- Devices managed by Microsoft Defender for Endpoint
- Emails processed by Microsoft 365
- Cloud app activities, authentication events, and domain controller activities tracked by Microsoft Defender for Cloud Apps and Microsoft Defender for Identity
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices.
Here are general techniques and sample queries based on various hunting scenarios that can help you explore how you might construct queries when hunting for such sophisticated threats.
Use these queries to learn how you can quickly get information about user accounts, devices, and files.
When constructing queries across tables that cover devices and emails, you will likely need to obtain user account names from sender or recipient email addresses. You can generally do this for either recipient or sender address using the local-host from the email address.
In the snippet below, we use the tostring() Kusto function to extract the local-host right before the @
from recipient email addresses in the column RecipientEmailAddress
.
//Query snippet showing how to extract the account name from an email address
AccountName = tostring(split(RecipientEmailAddress, "@")[0])
The query below shows how this snippet can be used:
EmailEvents
| where Timestamp > ago(7d)
| project RecipientEmailAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
You can get account names and other account information by merging or joining the IdentityInfo table. The query below obtains the list of phishing and malware detections from the EmailEvents table and then joins that information with the IdentityInfo
table to get detailed information about each recipient.
EmailEvents
| where Timestamp > ago(7d)
//Get email processing events where the messages were identified as either phishing or malware
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
//Merge email events with identity info to get recipient details
| join (IdentityInfo | distinct AccountUpn, AccountDisplayName, JobTitle,
Department, City, Country) on $left.RecipientEmailAddress == $right.AccountUpn
//Show important message and recipient details
| project Timestamp, NetworkMessageId, Subject, ThreatTypes,
SenderFromAddress, RecipientEmailAddress, AccountDisplayName, JobTitle,
Department, City, Country
Watch this short video to learn how you can use Kusto Query Language to join tables.
The advanced hunting schema provides extensive device information in various tables. For example, the DeviceInfo table provides comprehensive device information based on event data aggregated regularly. This query uses the DeviceInfo
table to check if a potentially compromised user (<account-name>
) has logged on to any devices and then lists the alerts that have been triggered on those devices.
Tip
This query uses kind=inner
to specify an inner-join, which prevents deduplication of left side values for DeviceId
.
DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
Use the following query to get information on file related events.
DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(1d)
) on DeviceId
| take 10
Use the following query to get information on network related events.
DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(1d)
) on DeviceId
| take 10
Use the following query to get the version of the agent running on a device.
DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(1d)
) on DeviceId
| take 10
Use the following example query to see all devices running macOS with a version older than Catalina.
DeviceInfo
| where Timestamp > ago(1d)
| where OSPlatform == "macOS" and OSVersion !contains "10.15" and OSVersion !contains "11."
| summarize by DeviceId
| join kind=inner (
DeviceInfo
| where Timestamp > ago(1d)
) on DeviceId
| take 10
Use the following query to get status of a device. In the following example, the query checks to see if the device is onboarded.
DeviceInfo
| where Timestamp > ago(1d)
| where OnboardingStatus != "Onboarded"
| summarize by DeviceId
| join kind=inner (
DeviceInfo
| where Timestamp > ago(1d)
) on DeviceId
| take 10
Zero-hour auto purge (ZAP) addresses malicious emails after they have been received. If ZAP fails, malicious code might eventually run on the device and leave accounts compromised. This query checks for logon activity made by the recipients of emails that were not successfully addressed by ZAP.
EmailPostDeliveryEvents
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfully
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
This query first identifies all credential access alerts in the AlertInfo
table. It then merges or joins the AlertEvidence
table, which it parses for the names of the targeted accounts and filters for domain-joined accounts only. Finally, it checks the IdentityLogonEvents
table to get all logon activities by the domain-joined targeted accounts.
AlertInfo
| where Timestamp > ago(30d)
//Get all credential access alerts
| where Category == "CredentialAccess"
//Get more info from AlertEvidence table to get the SID of the target accounts
| join AlertEvidence on AlertId
| extend IsJoined=(parse_json(AdditionalFields).Account.IsDomainJoined)
| extend TargetAccountSid=tostring(parse_json(AdditionalFields).Account.Sid)
//Filter for domain-joined accounts only
| where IsJoined has "true"
//Merge with IdentityLogonEvents to get all logon attempts by the potentially compromised target accounts
| join kind=inner IdentityLogonEvents on $left.TargetAccountSid == $right.AccountSid
//Show only pertinent info, such as account name, the app or service, protocol, the accessed device, and type of logon
| project AccountDisplayName, TargetAccountSid, Application, Protocol, DeviceName, LogonType
Assuming you know of an email address sending malicious files ([email protected]
), you can run this query to determine if files from this sender exist on your devices. You can use this query, for example, to identify devices affected by a malware distribution campaign.
EmailAttachmentInfo
| where SenderFromAddress =~ "[email protected]"
//Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
This query finds the 10 latest logons performed by email recipients within 30 minutes after they received known malicious emails. You can use this query to check whether the accounts of the email recipients have been compromised.
//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious sender ([email protected]
), you can use this query to list and review PowerShell activities that occurred within 30 minutes after an email was received from the sender.
//Define new table for emails from specific sender
let EmailsFromBadSender=EmailEvents
| where SenderFromAddress =~ "[email protected]"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
//Merge emails from sender with process-related events on devices
EmailsFromBadSender
| join (
DeviceProcessEvents
//Look for PowerShell activity
| where FileName =~ "powershell.exe"
//Add line below to check only events initiated by Outlook
//| where InitiatingProcessParentFileName =~ "outlook.exe"
| project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
//Check only PowerShell activities within 30 minutes of receipt of an email
| where (TimeProc - TimeEmail) between (0min.. 30min)