Effective URL: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
HUNT FOR THREATS ACROSS DEVICES, EMAILS, APPS, AND IDENTITIES

 * Article
 * 03/08/2023
 * 10 contributors


Note

Want to experience Microsoft 365 Defender? Learn more about how you can evaluate
and pilot Microsoft 365 Defender.

Applies to:

 * Microsoft 365 Defender

Advanced hunting in Microsoft 365 Defender allows you to proactively hunt for
threats across:

 * Devices managed by Microsoft Defender for Endpoint
 * Emails processed by Microsoft 365
 * Cloud app activities, authentication events, and domain controller activities
   tracked by Microsoft Defender for Cloud Apps and Microsoft Defender for
   Identity

With this level of visibility, you can quickly hunt for threats that traverse
sections of your network, including sophisticated intrusions that arrive by
email or the web, elevate local privileges, acquire privileged domain
credentials, and move laterally across your devices.

Here are general techniques and sample queries based on various hunting
scenarios that can help you explore how you might construct queries when hunting
for such sophisticated threats.


GET ENTITY INFO

Use these queries to learn how you can quickly get information about user
accounts, devices, and files.


OBTAIN USER ACCOUNTS FROM EMAIL ADDRESSES

When constructing queries across tables that cover devices and emails, you will
likely need to obtain user account names from sender or recipient email
addresses. You can generally do this for either the recipient or the sender
address by taking the local part of the email address (the portion before the @).

In the snippet below, we use the split() and tostring() Kusto functions to
extract the local part right before the @ from recipient email addresses in the
column RecipientEmailAddress.

//Query snippet showing how to extract the account name from an email address
AccountName = tostring(split(RecipientEmailAddress, "@")[0])


The query below shows how this snippet can be used:

EmailEvents
| where Timestamp > ago(7d)
| project RecipientEmailAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);



MERGE THE IDENTITYINFO TABLE

You can get account names and other account information by merging or joining
the IdentityInfo table. The query below obtains the list of phishing and malware
detections from the EmailEvents table and then joins that information with the
IdentityInfo table to get detailed information about each recipient.

EmailEvents
| where Timestamp > ago(7d)
//Get email processing events where the messages were identified as either phishing or malware
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
//Merge email events with identity info to get recipient details
| join (IdentityInfo | distinct AccountUpn, AccountDisplayName, JobTitle,
Department, City, Country) on $left.RecipientEmailAddress == $right.AccountUpn
//Show important message and recipient details
| project Timestamp, NetworkMessageId, Subject, ThreatTypes,
SenderFromAddress, RecipientEmailAddress, AccountDisplayName, JobTitle,
Department, City, Country


Watch this short video to learn how you can use Kusto Query Language to join
tables.


GET DEVICE INFORMATION

The advanced hunting schema provides extensive device information in various
tables. For example, the DeviceInfo table provides comprehensive device
information based on event data aggregated regularly. This query uses the
DeviceInfo table to check if a potentially compromised user (<account-name>) has
logged on to any devices and then lists the alerts that have been triggered on
those devices.

Tip

This query uses kind=inner to specify an inner-join, which prevents
deduplication of left side values for DeviceId.

DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
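The Tip above turns on a detail of Kusto join semantics that is easy to miss: with no kind specified, join runs as innerunique and keeps only the first left-hand row per key value, while kind=inner keeps every left-hand row. The following Python model reproduces both behaviours over constructed DeviceInfo and AlertEvidence rows so the difference can be run and inspected offline. This is an added example, not code from the Microsoft article; the rows, the single-user LoggedOnUsers column (a plain string here rather than the JSON array the real table carries) and the kusto_join helper are all constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample rows (not real telemetry). DeviceInfo reports the same
# device several times, so DeviceId repeats on the left-hand side of the join.
DEVICE_INFO = [
    {"DeviceId": "dev-a", "LoggedOnUsers": "alice", "Timestamp": "2023-03-01T08:00"},
    {"DeviceId": "dev-a", "LoggedOnUsers": "alice", "Timestamp": "2023-03-01T09:00"},
    {"DeviceId": "dev-b", "LoggedOnUsers": "bob", "Timestamp": "2023-03-01T08:30"},
]
ALERT_EVIDENCE = [
    {"DeviceId": "dev-a", "AlertId": "alert-1"},
    {"DeviceId": "dev-a", "AlertId": "alert-2"},
    {"DeviceId": "dev-b", "AlertId": "alert-3"},
]


def kusto_join(left, right, key, kind="innerunique"):
    """Join two lists of dict rows on `key`, mimicking two Kusto join kinds.

    kind="innerunique" (Kusto's default when no kind is given): keep only the
    first left row per key value, then match all right rows.
    kind="inner": keep every left row and match all right rows, so right rows
    are repeated once per duplicate left key.
    """
    if kind == "innerunique":
        first = OrderedDict()
        for row in left:
            first.setdefault(row[key], row)  # first occurrence of each key wins
        left = list(first.values())
    elif kind != "inner":
        raise ValueError(f"unsupported join kind: {kind}")
    out = []
    for lrow in left:
        for rrow in right:
            if lrow[key] != rrow[key]:
                continue
            merged = dict(lrow)
            # Kusto suffixes right-hand columns that clash with left ones with '1'
            for col, val in rrow.items():
                merged[col + "1" if col in merged else col] = val
            out.append(merged)
    return out


def alerts_for_user(user, kind="innerunique", distinct_first=False):
    """Alert ids on devices `user` has logged on to, using the given join kind.

    distinct_first=True applies the article's `| distinct DeviceId` step before
    joining, which makes the two join kinds agree because no key repeats.
    """
    devices = [row for row in DEVICE_INFO if user in row["LoggedOnUsers"]]
    if distinct_first:
        unique_ids = dict.fromkeys(row["DeviceId"] for row in devices)
        devices = [{"DeviceId": device_id} for device_id in unique_ids]
    joined = kusto_join(devices, ALERT_EVIDENCE, "DeviceId", kind=kind)
    return [row["AlertId"] for row in joined]


if __name__ == "__main__":
    print("innerunique:", alerts_for_user("alice"))
    print("inner:      ", alerts_for_user("alice", kind="inner"))
    print("inner after distinct:", alerts_for_user("alice", kind="inner", distinct_first=True))
```

Running the script shows why the choice matters when the left table is not already reduced to unique keys: the default kind silently drops the second DeviceInfo snapshot, kind=inner returns each alert once per snapshot, and the article's distinct step makes both kinds return the same list.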



GET FILE EVENT INFORMATION

Use the following query to get information on file related events.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10



GET NETWORK EVENT INFORMATION

Use the following query to get information on network related events.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10



GET DEVICE AGENT VERSION INFORMATION

Use the following query to get the version of the agent running on a device.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
//Keep the latest report per device so the version shown is the current one
| summarize arg_max(Timestamp, ClientVersion) by DeviceId
| project DeviceId, Timestamp, ClientVersion
| take 10



EXAMPLE QUERY FOR MACOS DEVICES

Use the following example query to see all devices running macOS with a version
older than Catalina.

DeviceInfo
| where Timestamp > ago(1d)
| where OSPlatform == "macOS" and  OSVersion !contains "10.15" and OSVersion !contains "11."
| summarize by DeviceId
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(1d)
) on DeviceId
| take 10



GET DEVICE STATUS INFO

Use the following query to get the status of a device. In the following example,
the query checks the onboarding status and lists devices that are not onboarded.

DeviceInfo
| where Timestamp > ago(1d)
| where OnboardingStatus != "Onboarded"
| summarize by DeviceId
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(1d)
) on DeviceId
| take 10



HUNTING SCENARIOS


LIST LOGON ACTIVITIES OF USERS THAT RECEIVED EMAILS THAT WERE NOT ZAPPED
SUCCESSFULLY

Zero-hour auto purge (ZAP) addresses malicious emails after they have been
received. If ZAP fails, malicious code might eventually run on the device and
leave accounts compromised. This query checks for logon activity made by the
recipients of emails that were not successfully addressed by ZAP.

EmailPostDeliveryEvents
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfully
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId, RecipientEmailAddress
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId, RecipientEmailAddress, AccountUpn,
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType



GET LOGON ATTEMPTS BY DOMAIN ACCOUNTS TARGETED BY CREDENTIAL THEFT

This query first identifies all credential access alerts in the AlertInfo table.
It then merges or joins the AlertEvidence table, which it parses for the names
of the targeted accounts and filters for domain-joined accounts only. Finally,
it checks the IdentityLogonEvents table to get all logon activities by the
domain-joined targeted accounts.

AlertInfo
| where Timestamp > ago(30d)
//Get all credential access alerts
| where Category == "CredentialAccess"
//Get more info from AlertEvidence table to get the SID of the target accounts
| join AlertEvidence on AlertId
| extend IsJoined=(parse_json(AdditionalFields).Account.IsDomainJoined)
| extend TargetAccountSid=tostring(parse_json(AdditionalFields).Account.Sid)
//Filter for domain-joined accounts only
| where IsJoined has "true"
//Merge with IdentityLogonEvents to get all logon attempts by the potentially compromised target accounts
| join kind=inner IdentityLogonEvents on $left.TargetAccountSid == $right.AccountSid
//Show only pertinent info, such as account name, the app or service, protocol, the accessed device, and type of logon
| project AccountDisplayName, TargetAccountSid, Application, Protocol, DeviceName, LogonType



CHECK IF FILES FROM A KNOWN MALICIOUS SENDER ARE ON YOUR DEVICES

Assuming you know of an email address sending malicious files
(MaliciousSender@example.com), you can run this query to determine if files from
this sender exist on your devices. You can use this query, for example, to
identify devices affected by a malware distribution campaign.

EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
//Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress



REVIEW LOGON ATTEMPTS AFTER RECEIPT OF MALICIOUS EMAILS

This query finds the 10 latest logons performed by email recipients within 30
minutes after they received known malicious emails. You can use this query to
check whether the accounts of the email recipients have been compromised.

//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
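The query above combines the two building blocks the article introduces: deriving an account name from the local part of an email address (the split()/tostring() snippet in the "Obtain user accounts from email addresses" section) and joining that name against logon events inside a fixed time window after receipt. The Python below re-implements that correlation over constructed EmailEvents and IdentityLogonEvents rows so the window logic can be checked offline. It is an added example, not the article's own code; the rows are constructed, the column names follow the tables used in the query, and has_threat() is a simplified stand-in for Kusto's term-based has operator (it only splits on commas, which is enough for the sample ThreatTypes values).

```python
from datetime import datetime, timedelta

# Constructed EmailEvents rows, limited to the columns the query touches.
EMAIL_EVENTS = [
    {"Timestamp": "2023-03-01T10:00:00", "Subject": "Invoice",
     "SenderFromAddress": "MaliciousSender@example.com",
     "RecipientEmailAddress": "alice@contoso.example", "ThreatTypes": "Malware"},
    {"Timestamp": "2023-03-01T10:05:00", "Subject": "Newsletter",
     "SenderFromAddress": "news@example.org",
     "RecipientEmailAddress": "bob@contoso.example", "ThreatTypes": ""},
    {"Timestamp": "2023-03-01T11:00:00", "Subject": "Report",
     "SenderFromAddress": "MaliciousSender@example.com",
     "RecipientEmailAddress": "carol@contoso.example", "ThreatTypes": "Phish, Malware"},
]

# Constructed IdentityLogonEvents rows; the comments mark which ones the
# 30-minute window should keep or discard.
LOGON_EVENTS = [
    {"Timestamp": "2023-03-01T10:12:00", "AccountName": "alice", "DeviceName": "ws01"},  # 12 min after: keep
    {"Timestamp": "2023-03-01T09:50:00", "AccountName": "alice", "DeviceName": "ws01"},  # before the email: drop
    {"Timestamp": "2023-03-01T10:45:00", "AccountName": "alice", "DeviceName": "ws02"},  # 45 min after: drop
    {"Timestamp": "2023-03-01T10:10:00", "AccountName": "bob", "DeviceName": "ws03"},    # not a malware recipient
    {"Timestamp": "2023-03-01T11:29:00", "AccountName": "carol", "DeviceName": "ws04"},  # 29 min after: keep
]


def account_name(email):
    """Local part before the '@', matching tostring(split(addr, "@")[0]).

    Like the Kusto expression, an address without '@' is returned unchanged,
    so callers should expect non-account values for malformed input.
    """
    return email.split("@", 1)[0]


def has_threat(threat_types, name):
    """Simplified stand-in for `ThreatTypes has "<name>"`: whole-term, case-insensitive."""
    terms = [t.strip().lower() for t in threat_types.split(",")]
    return name.lower() in terms


def parse_ts(value):
    return datetime.fromisoformat(value)


def logons_after_malicious_email(emails, logons, window=timedelta(minutes=30), limit=10):
    """Pair each malware-flagged email with recipient logons 0..window after receipt.

    Mirrors the query: build the MaliciousEmails projection, join on AccountName,
    keep rows where LogonTime - TimeEmail lies in the inclusive window, take `limit`.
    """
    malicious = [
        {"TimeEmail": parse_ts(e["Timestamp"]), "Subject": e["Subject"],
         "SenderFromAddress": e["SenderFromAddress"],
         "AccountName": account_name(e["RecipientEmailAddress"])}
        for e in emails if has_threat(e["ThreatTypes"], "Malware")
    ]
    results = []
    for mail in malicious:
        for logon in logons:
            if logon["AccountName"] != mail["AccountName"]:
                continue
            delta = parse_ts(logon["Timestamp"]) - mail["TimeEmail"]
            # Kusto's between (0min .. 30min) is inclusive at both ends.
            if timedelta(0) <= delta <= window:
                results.append({**mail, "LogonTime": parse_ts(logon["Timestamp"]),
                                "DeviceName": logon["DeviceName"]})
    return results[:limit]


if __name__ == "__main__":
    for row in logons_after_malicious_email(EMAIL_EVENTS, LOGON_EVENTS):
        print(row["AccountName"], row["DeviceName"], row["LogonTime"] - row["TimeEmail"])
```

The same skeleton covers the PowerShell scenario later on the page by swapping the logon rows for DeviceProcessEvents rows and filtering on FileName, and the ZAP scenario by widening the window to run from -24h to +24h around the ZAP timestamp.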



REVIEW POWERSHELL ACTIVITIES AFTER RECEIPT OF EMAILS FROM KNOWN MALICIOUS SENDER

Malicious emails often contain documents and other specially crafted attachments
that run PowerShell commands to deliver additional payloads. If you are aware of
emails coming from a known malicious sender (MaliciousSender@example.com), you
can use this query to list and review PowerShell activities that occurred within
30 minutes after an email was received from the sender.

//Define new table for emails from specific sender
let EmailsFromBadSender=EmailEvents
| where SenderFromAddress =~ "MaliciousSender@example.com"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
//Merge emails from sender with process-related events on devices
EmailsFromBadSender
| join (
DeviceProcessEvents
//Look for PowerShell activity
| where FileName =~ "powershell.exe"
//Add line below to check only events initiated by Outlook
//| where InitiatingProcessParentFileName =~ "outlook.exe"
| project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
//Check only PowerShell activities within 30 minutes of receipt of an email
| where (TimeProc - TimeEmail) between (0min.. 30min)



RELATED TOPICS

 * Advanced hunting overview
 * Learn the query language
 * Work with query results
 * Use shared queries
 * Understand the schema
 * Apply query best practices
