Watch this short video to learn some handy Kusto query language basics. Image 9: Example query that searches for a specific file hash across multiple tables where the SHA1 equals the file hash. The data model is simply made up of 10 tables in total, and all of the details on the fields of each table are available under our documentation, Advanced hunting reference in Windows Defender ATP. In the example below, the parsing function extractjson() is used after filtering operators have reduced the number of records. The query below uses the summarize operator to get the number of alerts by severity. Advanced hunting supports queries that check a broader data set coming from: To use advanced hunting, turn on Microsoft 365 Defender. Microsoft makes no warranties, express or implied, with respect to the information provided here. Think of a new global outbreak, or a new watering-hole technique which could have lured some of your end users, or a new 0-day exploit. Want to experience Microsoft 365 Defender? Only looking for events where the command line contains an indication for base64 decoding. This repository has been archived by the owner on Feb 17, 2022. Applying the same approach when using join also benefits performance by reducing the number of records to check. Try running these queries and making small modifications to them. Learn more about join hints. Advanced Hunting makes use of the Azure Kusto query language, which is the same language we use for Azure Log Analytics, and provides full access to raw data up to 30 days back. MDATP Advanced Hunting (AH) Sample Queries. It almost feels as if there is an operator for anything you might want to do inside Advanced Hunting.
Smaller table to your left. The join operator matches records in the table on the left side of your join statement to records on the right. We moved to the Microsoft threat protection community, the unified Microsoft Sentinel and Microsoft 365 Defender repository. Advanced hunting is based on the Kusto query language. It's time to backtrack slightly and learn some basics. We are continually building up documentation about Advanced hunting and its data schema. We value your feedback. The summarize operator can be easily replaced with project, yielding potentially the same results while consuming fewer resources: The following example is a more efficient use of summarize because there can be multiple distinct instances of a sender address sending email to the same recipient address. The example below shows how you can utilize the extensive list of malware SHA-256 hashes provided by MalwareBazaar (abuse.ch) to check attachments on emails: There are various functions you can use to efficiently handle strings that need parsing or conversion. There will be situations where you need to quickly determine if your organization is impacted by a threat that does not yet have pre-established indicators of compromise (IOC). Now remember earlier I compared this with an Excel spreadsheet. For example, the query below will only show one email containing a particular attachment, even if that same attachment was sent using multiple email messages: To address this limitation, we apply the inner-join flavor by specifying kind=inner to show all rows in the left table with matching values in the right: Join records from a time window. When investigating security events, analysts look for related events that occur around the same time period. Let's break down the query to better understand how and why it is built in this way.
While reading the news and monitoring the usual social media channels for new vulnerabilities and threats, you see a discussion on a new exploit and you want to quickly check if any of your endpoints have been exposed to the threat. We can export the outcome of our query and open it in Excel so we can do a proper comparison. You can proactively inspect events in your network to locate threat indicators and entities. Learn more about how you can evaluate and pilot Microsoft 365 Defender. We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them. This default behavior can leave out important information from the left table that can provide useful insight. Applied only when the Audit only enforcement mode is enabled. For detailed information about various usage parameters, read about advanced hunting quotas and usage parameters. You can also use the case-sensitive equals operator == instead of =~. Specifies the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. Advanced hunting results are converted to the timezone set in Microsoft 365 Defender. First let's look at the last 5 rows of ProcessCreationEvents and then let's see what happens if instead of using the operator limit we use EventTime and filter for events that happened within the last hour. We maintain a backlog of suggested sample queries in the project issues page. The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
Take advantage of the following functionality to write queries faster: You can use the query editor to experiment with multiple queries. Here are some sample queries and the resulting charts. Customers who run multiple queries regularly should track consumption and apply the optimization guidance in this article to minimize disruption resulting from exceeding quotas or usage parameters. Your chosen view determines how the results are exported: To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. Use advanced mode if you are comfortable using KQL to create queries from scratch. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. In our first example, we'll use a table called ProcessCreationEvents and see what we can learn from there. Mac computers will now have the option to use Microsoft Defender Advanced Threat Protection's endpoint detection and response. It has become very common for threat actors to do a Base64 decoding on their malicious payload to hide their traps. If you get syntax errors, try removing empty lines introduced when pasting. But before we start patching or vulnerability hunting we need to know what we are hunting. Don't worry, there are some hints along the way. The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. It's early morning and you just got to the office.
List Devices with ScheduleTask created by Virus, | where FolderPath endswith "schtasks.exe" and ProcessCommandLine has "/create" and AccountName != "system", List Devices with Phishing File extension (double extension) such as .pdf.exe, .docx.exe, .doc.exe, .mp3.exe, | project Timestamp, DeviceName, FileName, AccountSid, AccountName, AccountDomain, List Devices blocked by Windows Defender Exploit Guard, | where ActionType =~ "ExploitGuardNetworkProtectionBlocked", | summarize count(RemoteUrl) by InitiatingProcessFileName, RemoteUrl, Audit_Only=tostring(parse_json(AdditionalFields).IsAudit), List All Files Created during the last hour, | project FileName, FolderPath, SHA1, DeviceName, Timestamp, | where SHA1 == "4aa9deb33c936c0087fb05e312ca1f09369acd27", | where ActionType in ("FirewallOutboundConnectionBlocked", "FirewallInboundConnectionBlocked", "FirewallInboundConnectionToAppBlocked"), | project DeviceId, Timestamp, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, LocalIP, LocalPort, | summarize MachineCount=dcount(DeviceId) by RemoteIP. Reserve the use of regular expressions for more complex scenarios. The time range is immediately followed by a search for process file names representing the PowerShell application. Find endpoints communicating to a specific domain. Find possible clear text passwords in Windows registry. To prevent this from happening, use the tab feature within advanced hunting instead of separate browser tabs. Select the columns to include, rename or drop, and insert new computed columns.
Plots numeric values for a series of unique items and connects the plotted values, Plots numeric values for a series of unique items, Plots numeric values for a series of unique items and fills the sections below the plotted values, Plots numeric values for a series of unique items and stacks the filled sections below the plotted values, Plots values by count on a linear time scale, Drill down to detailed entity information, Tweak your queries directly from the results, Exclude the selected value from the query (, Get more advanced operators for adding the value to your query, such as. The first piped element is a time filter scoped to the previous seven days. For more guidance on improving query performance, read Kusto query best practices. Block script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. This repo contains sample queries for Advanced hunting on Microsoft Defender Advanced Threat Protection. In either case, the Advanced hunting queries report the blocks for further investigation. For cases like these, you'll usually want to do a case-insensitive match. let is the command to introduce variables. Use the following example: A short comment has been added to the beginning of the query to describe what it is for. Microsoft 365 Defender repository for Advanced Hunting. For more information on advanced hunting in Microsoft Defender for Cloud Apps data, see the video. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting. It indicates the file would have been blocked if the WDAC policy was enforced. and actually do, grant us the rights to use your contribution. Based on the results of your query, you'll quickly be able to see relevant information and take swift action where needed. Create calculated columns and append them to the result set. We are using =~ to make sure it is case-insensitive.
Note: because we use in~ it is case-insensitive. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime so that it looks at a single process, without mixing multiple processes with the same process ID. The Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. For example, if you want to search ProcessCreationEvents for records where the FileName is powershell.exe. Select the three dots to the right of any column in the Inspect record panel. In the Microsoft 365 Defender portal, go to Hunting to run your first query. Shuffle the query. While summarize is best used in columns with repetitive values, the same columns can also have high cardinality or large numbers of unique values. Firewall & network protection: No actions needed. Feel free to comment, rate, or provide suggestions. Microsoft Defender for Endpoint is a market-leading platform that offers vulnerability management, endpoint protection, endpoint detection and response (EDR), and mobile threat defense services. This project welcomes contributions and suggestions. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. Image 1: Example query that returns 5 random rows of the ProcessCreationEvents table, to quickly see some data. Image 2: Example query that returns all events from the ProcessCreationEvents table that happened within the last hour. Image 3: Outcome of ProcessCreationEvents with EventTime restriction. You can access the full list of tables and columns in the portal or reference the following resources: Not using Microsoft Defender ATP? There are hundreds of Advanced Hunting queries, for example, Delivery, Execution, C2, and so much more.
To get started, simply paste a sample query into the query builder and run the query. High indicates that the query took more resources to run and could be improved to return results more efficiently. The samples in this repo should include comments that explain the attack technique or anomaly being hunted. This project has adopted the Microsoft Open Source Code of Conduct. Use limit or its synonym take to avoid large result sets. Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. For more information, see Advanced Hunting query best practices. You can get data from files in TXT, CSV, JSON, or other formats. At some point you might want to join multiple tables to get a better understanding of the incident impact. If you have questions, feel free to reach me on my Twitter handle: @MiladMSFT. | where ProcessCommandLine has "Net.WebClient" or ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "Invoke-Shellcode", Only looking for PowerShell events where the command line used is any of the ones mentioned in the query, | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine, Makes sure the outcome only shows EventTime, ComputerName, InitiatingProcessFileName, FileName and ProcessCommandLine, Ensures that the records are ordered by EventTime and limited to the top 100, Identifying Base64 decoded payload execution. You can use the same threat hunting queries to build custom detection rules. These vulnerability scans result in a huge, sometimes seemingly unconquerable, list for the IT department. If you haven't yet, experience how you can effectively scale your organization's incident response capabilities by signing up for a free Microsoft Defender ATP trial. Learn more about how you can evaluate and pilot Microsoft 365 Defender.
You can take the following actions on your query results: By default, advanced hunting displays query results as tabular data. Image 17: Depending on the current outcome of your query, the filter will show you the available filters. In addition, construct queries that adhere to the published Microsoft Defender ATP Advanced hunting performance best practices. Return up to the specified number of rows. Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities.