Use Advanced Hunting in the Defender portal for custom threat analysis.

  • Posted by Weekend Wiki (Keymaster)
    Advanced Hunting in the Microsoft 365 Defender Portal allows you to query data and analyze threats in real time across email, endpoints, identities, and cloud applications. It uses KQL (Kusto Query Language), enabling deep insights into activities within your organization.

    Here’s how you can use Advanced Hunting for custom threat analysis:


    1. Accessing Advanced Hunting

    1. Go to the Microsoft 365 Defender Portal: https://security.microsoft.com.
    2. Navigate to Threat Management > Advanced Hunting.
    3. Open the hunting interface where you can run custom queries.

    2. Query Structure and Key Tables

    Familiarize yourself with the primary data tables used in Advanced Hunting:

    | Table Name                  | Purpose                                                                                        |
    |-----------------------------|------------------------------------------------------------------------------------------------|
    | EmailEvents                 | Tracks email-related activities, including sender, recipient, and delivery status.             |
    | EmailUrlInfo                | Contains data about URLs in emails, including Safe Links protections and time-of-click analysis. |
    | FileEvents                  | Tracks file activities across devices, such as file downloads, detections, and attachments.    |
    | DeviceFileEvents            | Tracks file activities at the endpoint level, such as execution and creation.                  |
    | IdentityLogonEvents         | Monitors sign-in activities and potential identity compromises.                                |
    | ThreatIntelligenceIndicator | Provides threat intelligence indicators, including IPs, URLs, or hashes flagged as malicious.  |

    3. Common Queries for Threat Analysis

    Example 1: Detect Phishing Emails with Malicious Links

    // EmailUrlInfo only carries the URL and where it appeared; the Phish/Malware
    // verdict is on EmailEvents, so the two tables are joined on NetworkMessageId.
    EmailEvents
    | where ThreatTypes has_any ("Phish", "Malware")
    | join kind=inner EmailUrlInfo on NetworkMessageId
    | project Timestamp, RecipientEmailAddress, SenderFromAddress, Url, DeliveryAction
    | order by Timestamp desc

    • Purpose: Identifies emails with malicious URLs categorized as phishing or malware.
    • Key Fields: Timestamp, sender, recipient, malicious URL.

    Example 2: Detect Emails Containing Malware Attachments

    // AttachmentCount limits the result to messages that actually carried an attachment.
    EmailEvents
    | where ThreatTypes has "Malware" and AttachmentCount > 0
    | project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, AttachmentCount, DeliveryAction, ThreatTypes
    | order by Timestamp desc

    • Purpose: Lists emails blocked or flagged due to malware.
    • Key Fields: Subject line, delivery action (e.g., quarantined), threat type.

    Example 3: Investigate Suspicious Login Activity

    // IdentityLogonEvents has no sign-in risk columns; Entra ID (Azure AD) sign-in
    // risk is exposed in AADSignInEventsBeta, where RiskLevelDuringSignIn is an
    // integer (0 = none, higher = riskier).
    AADSignInEventsBeta
    | where AccountDisplayName contains "admin" or RiskLevelDuringSignIn > 0
    | project Timestamp, AccountDisplayName, AccountUpn, IPAddress, Country, City, RiskLevelDuringSignIn, AuthenticationRequirement
    | order by Timestamp desc

    • Purpose: Tracks admin accounts or logins flagged with elevated risk.
    • Key Fields: IP address, location, and sign-in risk level.

    Example 4: Track Files Downloaded from Malicious URLs

    // DeviceFileEvents is the endpoint table that carries FileOriginUrl; the path
    // column is FolderPath, and the browser filter uses real browser process names.
    DeviceFileEvents
    | where InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe")
    | where isnotempty(FileOriginUrl) and FileOriginUrl startswith "http"
    | project Timestamp, FileName, FolderPath, FileOriginUrl, InitiatingProcessAccountName, DeviceName
    | order by Timestamp desc

    • Purpose: Identifies suspicious file downloads initiated through a browser.
    • Key Fields: File name, download URL, and the user who downloaded it.

    Example 5: Quarantined Emails Analysis

    // DeliveryAction records Delivered/Junked/Blocked; the quarantine outcome
    // itself is stored in DeliveryLocation.
    EmailEvents
    | where DeliveryLocation == "Quarantine"
    | project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation
    | order by Timestamp desc

    • Purpose: Lists emails quarantined by security filters.
    • Key Fields: Sender, recipient, and quarantine timestamp.

    4. Creating Custom Alerts from Queries

    1. After running a query, click “Create Detection Rule” in the query results.
    2. Configure the rule:
      • Name: E.g., “Phishing Alert”.
      • Severity Level: Informational, Low, Medium, or High.
      • Trigger Frequency: Choose the frequency to monitor and alert.
    3. Save the rule, and it will notify your security team when the query matches new data.

    5. Exporting Results

    • You can export query results as CSV for sharing or further analysis.
    • Use the Power BI connector to visualize hunting results in dashboards.

    6. Tips for Advanced Hunting

    • Leverage Threat Intelligence: Use threat indicators (ThreatIntelligenceIndicator table) to compare your data against known malicious IPs, URLs, or file hashes.
    • Time Filters: Always use where Timestamp > ago(7d) or similar to narrow the scope to recent activities.
    • Pivoting Data: Drill down by combining queries across tables, e.g., linking EmailEvents and EmailUrlInfo to track URLs and their threats.
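    The time-filter and pivoting tips combined in one query, as an added example that is not part of the original post: it walks from EmailEvents to EmailUrlInfo to UrlClickEvents (the Safe Links click table, assumed to be populated in your tenant) to show which recipients clicked a URL from an email already flagged as phishing or malware.

```kql
// Added example (not from the original post). Assumes Safe Links click
// telemetry is available in UrlClickEvents with Workload == "Email".
let lookback = 7d;                                   // time filter, as the tip above recommends
let flaggedMail = EmailEvents
    | where Timestamp > ago(lookback)
    | where ThreatTypes has_any ("Phish", "Malware") // verdict lives on EmailEvents, not EmailUrlInfo
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, DeliveryAction, DeliveryLocation;
flaggedMail
// Pivot 1: the URLs carried by each flagged message
| join kind=inner (
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, Url, UrlDomain
  ) on NetworkMessageId
// Pivot 2: clicks on exactly those URLs (left outer so unclicked mail still counts)
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp > ago(lookback) and Workload == "Email"
    | project NetworkMessageId, Url, ClickTime = Timestamp, AccountUpn, ActionType, IsClickedThrough
  ) on NetworkMessageId, Url
| extend Clicked = isnotempty(ClickTime)
| summarize
    Emails = dcount(NetworkMessageId),
    Clicks = countif(Clicked),
    ClickedThrough = countif(IsClickedThrough == true),  // user bypassed the warning page
    Domains = make_set(UrlDomain, 20),
    LastClick = max(ClickTime)
  by RecipientEmailAddress, DeliveryLocation
| where Clicks > 0            // keep only recipients who interacted with a flagged URL
| order by ClickedThrough desc, Clicks desc
```

    Recipients with a non-zero ClickedThrough count are the ones to triage first, since they reached the destination despite the Safe Links verdict.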

    Would you like help creating a specific query or automating reports? Email us at [email protected].
