URL: https://www.eshlomo.us/hunting-threats-with-windows-defender-atp-introduction/
HUNTING THREATS WITH MICROSOFT DEFENDER ATP (INTRODUCTION)

by Eli Shlomo · /2018



One of the great features (and my favorite one) in Windows Defender ATP is
Advanced Hunting, which lets you proactively hunt and investigate across your
organization's data.
Advanced Hunting covers event types such as process creation, file
modification, machine logon, network communication, registry updates, remediation
actions, and many more. Advanced Hunting is an integral part of the
investigation experience, so hunting results such as machines and files
can leverage the rich set of features Windows Security Center already provides.
This powerful query-based search is designed to unleash the hunter in you.

The advantages of Advanced Hunting:

 * Powerful query language with IntelliSense – Built on top of a query language
   that gives you the flexibility you need to take hunting to the next level.
 * Query the stored telemetry – The telemetry data is accessible in tables for
   you to query.
 * Links to the portal – Certain query results, such as machine names and file
   names are actually direct links to the portal, consolidating the Advanced
   hunting query experience and the existing portal investigation experience.
 * Query examples – A welcome page provides examples designed to get you started
   and get you familiar with the tables and the query language.



Table of Contents

 * How it Works
   * Operators
   * Tables
   * More information


HOW IT WORKS

The hunting capabilities in Windows Defender ATP involve running queries, and
you can query everything from Windows clients, servers and third-party sources.
Queries are written in a query language (QL) against a schema of tables, using
the following operators and tables:


OPERATORS

 * where – Filter a table to the subset of rows that satisfy a predicate.
 * summarize – Produce a table that aggregates the content of the input table.
 * join – Merge the rows of two tables to form a new table by matching values of
   the specified column(s) from each table.
 * count – Return the number of records in the input record set.
 * top – Return the first N records sorted by the specified columns.
 * limit – Return up to the specified number of rows.
 * project – Select the columns to include, rename or drop, and insert new
   computed columns.
 * extend – Create calculated columns and append them to the result set.
 * makeset – Return a dynamic (JSON) array of the set of distinct values that
   Expr takes in the group.
 * find – Find rows that match a predicate across a set of tables.


TABLES

AlertEvents
AlertId, EventTime, MachineId, ComputerName, Severity, Category, Title,
ActionType, FileName, SHA1, RemoteUrl, RemoteIP, ReportId

MachineInfo
EventTime, MachineId, ComputerName, ClientVersion, PublicIP, OSArchitecture,
OSPlatform, OSBuild, IsAzureADJoined, LoggedOnUsers, MachineGroup, ReportId

ProcessCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1,
SHA256, MD5, ProcessId, ProcessCommandLine, ProcessIntegrityLevel,
ProcessTokenElevation, ProcessCreationTime, AccountDomain, AccountName,
AccountSid, InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel,
InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessSHA256,
InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId,
InitiatingProcessCommandLine, InitiatingProcessCreationTime,
InitiatingProcessFolderPath, InitiatingProcessParentId,
InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

NetworkCommunicationEvents
EventTime, MachineId, ComputerName, ActionType, RemoteIP, RemotePort, RemoteUrl,
LocalIP, LocalPort, LocalIPType, RemoteIPType, InitiatingProcessSHA1,
InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId,
InitiatingProcessCommandLine, InitiatingProcessCreationTime,
InitiatingProcessFolderPath, InitiatingProcessParentFileName,
InitiatingProcessParentId, InitiatingProcessParentCreationTime,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel,
InitiatingProcessTokenElevation, ReportId

FileCreationEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1,
SHA256, MD5, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessAccountSid, InitiatingProcessMD5, InitiatingProcessSHA1,
InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessId,
InitiatingProcessCommandLine, InitiatingProcessCreationTime,
InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation,
InitiatingProcessParentId, InitiatingProcessParentFileName,
InitiatingProcessParentCreationTime, ReportId

RegistryEvents
EventTime, MachineId, ComputerName, ActionType, RegistryKey, RegistryValueType,
RegistryValueName, RegistryValueData, PreviousRegistryValueName,
PreviousRegistryValueData, InitiatingProcessAccountDomain,
InitiatingProcessAccountName, InitiatingProcessAccountSid,
InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName,
InitiatingProcessId, InitiatingProcessCommandLine,
InitiatingProcessCreationTime, InitiatingProcessFolderPath,
InitiatingProcessParentId, InitiatingProcessParentFileName,
InitiatingProcessParentCreationTime, InitiatingProcessIntegrityLevel,
InitiatingProcessTokenElevation, ReportId

LogonEvents
EventTime, MachineId, ComputerName, ActionType, AccountDomain, AccountName,
AccountSid, LogonType, ReportId

ImageLoadEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5,
InitiatingProcessAccountDomain, InitiatingProcessAccountName,
InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel,
InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessMD5,
InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine,
InitiatingProcessCreationTime, InitiatingProcessFolderPath,
InitiatingProcessParentId, InitiatingProcessParentFileName,
InitiatingProcessParentCreationTime, ReportId

MiscEvents
EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5,
AccountDomain, AccountName, AccountSid, RemoteUrl, RemoteComputerName,
ProcessCreationTime, ProcessTokenElevation, LogonId, RegistryKey,
RegistryValueName, RegistryValueData, RemoteIP, RemotePort, LocalIP, LocalPort,
FileOriginUrl, FileOriginIP, AdditionalFields, InitiatingProcessSHA1,
InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessFolderPath,
InitiatingProcessId, InitiatingProcessCommandLine,
InitiatingProcessCreationTime, InitiatingProcessParentId,
InitiatingProcessParentFileName, InitiatingProcessParentCreationTime,
InitiatingProcessMD5, InitiatingProcessAccountDomain,
InitiatingProcessAccountName, InitiatingProcessAccountSid,
InitiatingProcessLogonId, ReportId
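The following query is an added example, not code from the original post; it ties the operators above to the ProcessCreationEvents and NetworkCommunicationEvents tables. It assumes the 2018 schema listed above; the folder filter and 7-day window are illustrative choices, not values from the post.

```kusto
// Added example, not from the original post. Assumes the 2018 Advanced Hunting
// schema listed above (ProcessCreationEvents, NetworkCommunicationEvents).
// Defender view: find processes started from a user-writable folder that then
// made outbound connections, and rank them by connection count.
let lookback = 7d;
// Candidate processes: executables launched from user profile or temp folders
// (illustrative filter; tune to your environment).
let procsFromUserFolders =
    ProcessCreationEvents
    | where EventTime > ago(lookback)
    | where FolderPath contains @"\Users\" or FolderPath contains @"\Temp\"
    | project MachineId, ComputerName, ProcessId, ProcessCreationTime,
              FileName, FolderPath, SHA1, ProcessCommandLine, AccountName;
// Network activity from those same processes. ProcessId is reused by the OS,
// so the join also matches on the process creation time.
NetworkCommunicationEvents
| where EventTime > ago(lookback)
| where isnotempty(RemoteIP)
| project MachineId, InitiatingProcessId, InitiatingProcessCreationTime,
          RemoteIP, RemotePort, RemoteUrl
| join kind=inner (procsFromUserFolders)
    on MachineId,
       $left.InitiatingProcessId == $right.ProcessId,
       $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
// Aggregate per process instance; makeset collects the distinct peers.
| summarize Connections = count(),
            RemoteIPs = makeset(RemoteIP),
            RemotePorts = makeset(RemotePort),
            FirstSeen = min(ProcessCreationTime)
          by ComputerName, AccountName, FileName, FolderPath, SHA1, ProcessCommandLine
| extend DistinctRemoteIPs = array_length(RemoteIPs)
| top 50 by Connections desc
```

The ComputerName and SHA1 values in the result are the portal links the post mentions, so each row can be pivoted into the machine or file page directly.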




MORE INFORMATION

 * Advanced hunting reference in Windows Defender ATP

Tags: CyberSecurityWindows Defender ATP

2 RESPONSES

 * Comments2
 * Pingbacks0

 1. mikearbul says:
    /2018 at 10:05 AM
    
    Wow ……………. THANKS FOR SHARING
    
    Reply
    
 2. zach says:
    /2019 at 6:02 PM
    
    what ActionType in processevents takes as a value?
    
    Reply
    
Elli Shlomo © 2022. All Rights Reserved.