https://www.eshlomo.us/hunting-threats-with-windows-defender-atp-introduction/
Submission: On August 01 via manual from US — Scanned from US
Hunting Threats with Microsoft Defender ATP (Introduction)
by Eli Shlomo · /2018

One of the great features (and my favorite one) in Windows Defender ATP is Advanced Hunting, which allows you to proactively hunt and investigate across your organization's data. Advanced Hunting covers event types such as new process creation, file modification, machine login, network communication, registry updates, remediation actions, and many others. Advanced Hunting is an integral part of the investigation experience, so your hunting results, such as machines and files, can leverage the rich set of features already provided in Windows Security Center. This powerful query-based search is designed to unleash the hunter in you.

The advantages of Advanced Hunting:

* Powerful query language with IntelliSense – built on top of a query language that gives you the flexibility you need to take hunting to the next level.
* Query the stored telemetry – the telemetry data is accessible in tables for you to query.
* Links to the portal – certain query results, such as machine names and file names, are direct links to the portal, consolidating the Advanced Hunting query experience with the existing portal investigation experience.
* Query examples – a welcome page provides examples designed to get you started and familiar with the tables and the query language.

Table of Contents

* How it Works
* Operators
* Tables
* More information

How it Works

The hunting capabilities in Windows Defender ATP involve running queries, and you can query everything reported from Windows clients, servers and third-party sources. Queries are written in a query language (QL) against a schema of tables, using the operators below.

Operators

* where – Filter a table to the subset of rows that satisfy a predicate.
* summarize – Produce a table that aggregates the content of the input table.
* join – Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table.
* count – Return the number of records in the input record set.
* top – Return the first N records sorted by the specified columns.
* limit – Return up to the specified number of rows.
* project – Select the columns to include, rename or drop, and insert new computed columns.
* extend – Create calculated columns and append them to the result set.
* makeset – Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group.
* find – Find rows that match a predicate across a set of tables.

Tables

AlertEvents: AlertId, EventTime, MachineId, ComputerName, Severity, Category, Title, ActionType, FileName, SHA1, RemoteUrl, RemoteIP, ReportId

MachineInfo: EventTime, MachineId, ComputerName, ClientVersion, PublicIP, OSArchitecture, OSPlatform, OSBuild, IsAzureADJoined, LoggedOnUsers, MachineGroup, ReportId

ProcessCreationEvents: EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, ProcessId, ProcessCommandLine, ProcessIntegrityLevel, ProcessTokenElevation, ProcessCreationTime, AccountDomain, AccountName, AccountSid, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

NetworkCommunicationEvents: EventTime, MachineId, ComputerName, ActionType, RemoteIP, RemotePort, RemoteUrl, LocalIP, LocalPort, LocalIPType, RemoteIPType, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessParentCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

FileCreationEvents: EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessMD5, InitiatingProcessSHA1, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

RegistryEvents: EventTime, MachineId, ComputerName, ActionType, RegistryKey, RegistryValueType, RegistryValueName, RegistryValueData, PreviousRegistryValueName, PreviousRegistryValueData, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, ReportId

LogonEvents: EventTime, MachineId, ComputerName, ActionType, AccountDomain, AccountName, AccountSid, LogonType, ReportId

ImageLoadEvents: EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessIntegrityLevel, InitiatingProcessTokenElevation, InitiatingProcessSHA1, InitiatingProcessMD5, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessFolderPath, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, ReportId

MiscEvents: EventTime, MachineId, ComputerName, ActionType, FileName, FolderPath, SHA1, MD5, AccountDomain, AccountName, AccountSid, RemoteUrl, RemoteComputerName, ProcessCreationTime, ProcessTokenElevation, LogonId, RegistryKey, RegistryValueName, RegistryValueData, RemoteIP, RemotePort, LocalIP, LocalPort, FileOriginUrl, FileOriginIP, AdditionalFields, InitiatingProcessSHA1, InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessParentId, InitiatingProcessParentFileName, InitiatingProcessParentCreationTime, InitiatingProcessMD5, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessLogonId, ReportId

More information

* Advanced hunting reference in Windows Defender ATP

Tags: CyberSecurity, Windows Defender ATP

2 Responses

1. mikearbul says: /2018 at 10:05 AM
Wow... Thanks for sharing!

2. zach says: /2019 at 6:02 PM
What does ActionType in processevents take as a value?
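The operators and tables described in the post above, put together in one hunting query. This is an added example, not code from the original post or from Microsoft's documentation, written in the Kusto-style query language that Advanced Hunting uses and limited to columns the post lists for ProcessCreationEvents and NetworkCommunicationEvents. The Office executable names, the seven-day window and the result limit are assumptions to adjust for your environment.

```kql
// Added example (not from the original post): find processes that were spawned
// by an Office application and then made network connections, then rank the
// noisiest combinations. Only columns listed in the post's schema are used.
// Assumptions: the Office process names below and the 7-day lookback window.
let lookback = ago(7d);
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
ProcessCreationEvents
| where EventTime > lookback
| where InitiatingProcessFileName in~ (officeApps)          // where: filter to Office children
| project MachineId, ComputerName, ProcessId, ProcessCreationTime,
          FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (                                        // join: pair each child with its connections
    NetworkCommunicationEvents
    | where EventTime > lookback
    | project MachineId, InitiatingProcessId, InitiatingProcessCreationTime,
              RemoteIP, RemotePort, RemoteUrl
  )
  // Process IDs are reused over time, so match on the creation time as well as the PID.
  on MachineId, $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize Connections = count(),                         // summarize: one row per machine/child
            RemoteIPs = makeset(RemoteIP),                 // makeset: distinct destinations as a JSON array
            CommandLines = makeset(ProcessCommandLine)
  by ComputerName, InitiatingProcessFileName, FileName, FolderPath
| top 20 by Connections desc                               // top: the 20 busiest combinations
```

The join key is the detail worth keeping: a ProcessId alone is not a stable identifier across a machine's uptime, so pairing it with ProcessCreationTime (the post's ProcessCreationEvents column) against InitiatingProcessCreationTime (the NetworkCommunicationEvents column) prevents a recycled PID from attributing one process's connections to another. The ComputerName and FileName columns in the result are the kind of values the post describes as direct links into the portal for follow-up investigation.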
Elli Shlomo © 2022. All Rights Reserved.