This post is for anyone keen to learn more about the advanced features of Microsoft Defender for Endpoint (MDE), how to get started with threat hunting in it, and what controls are available.
So you have the right licensing, Microsoft Defender for Endpoint is deployed on your users' devices, and the devices are onboarded. What's next? Advanced Hunting is a must-know tool, because it lets you dig into what is happening on your devices when there is a threat in your environment. From my own experience, learning KQL is an enjoyable task, and there are plenty of resources on the internet to help you learn the basics. This post is about what I learned and how it can make your life easier while you pick up something new at the same time.
Table of Contents
- Setting Your Time Zone
- Data Retention Time Period
- Set Email Notifications
- Building your Query
- Sample Queries
- Saving your queries to run at a later time
- Rendering Query Results into Charts
- Use Queries to Create Detection Rules
- Final Thoughts
Setting Your Time Zone
This is an important prerequisite: Advanced Hunting stores event timestamps in UTC and the portal displays them in the time zone you set here, so set it before you start building and running queries, otherwise the times in your results will not line up with your local clock.
Go to the Security Portal at https://security.microsoft.com > Settings > Security Center > Set the time zone
Data Retention Time Period
This is another important setting for all things Defender. The maximum data retention period is 180 days.
Security Portal at https://security.microsoft.com > Settings > Endpoints > Data retention (under the General section)
Set it to the maximum of 180 days
Set Email Notifications
This lets you receive alerts by email. With a little more work you can make it more interesting by using the Graph API, Logic Apps or Teams notifications instead.
Go to Settings from the left pane > Microsoft 365 Defender > Email notifications > Add incident email notification
Set the notification name.
Fill in the options shown below, including the alert severity you want to be notified about
Set the recipients and create the notification
Building your Query
With those prerequisites completed, we can move on to the threat hunting canvas. As you may already know, KQL (Kusto Query Language) runs the show here. Query results can be rendered as charts when needed and, more importantly, turned into detection rules so you stay on top of the response and action side of things. Because Advanced Hunting is built into the portal, you do not need to connect an Azure Log Analytics workspace; one is only required if you want to stream Defender data to Microsoft Sentinel. The Advanced Hunting page gives you:
- Tabs to create multiple queries at the same time
- Query options
- Schema: KQL Tables which you can use to query data from
- Functions: Schema functions
- Queries: Pre-made queries where you can adapt and change accordingly and run
- Detection Rules: Create rules by using the queries to easily get notified of the threats if that’s captured via a query
- Space to construct your query
- Results of the executed query
I will not be going through the steps of writing KQL queries, as that needs its own blog post(s) to explain KQL from the start. However, I will showcase some easy-to-write queries that you can also run in your own environment.
The custom time range option only goes back 30 days, which is also how far Advanced Hunting data reaches regardless of the data retention setting above. For a more precise window, filter on the Timestamp column inside the query itself, for example | where Timestamp > ago(7d). Note that in Advanced Hunting the time column is Timestamp; TimeGenerated is the name of the equivalent column only once the same data has been streamed to a Log Analytics workspace or Sentinel.
The Schema fly-out is a really helpful glossary: it shows every column in a table (schema) and what each column holds.
If I open the DeviceEvents schema details, I get the column list below.
Click on a column or table name to quickly copy it into the query editor.
How to look for PDF files in emails
This can be a frequent request, because PDFs can carry malicious content and you want to know who is sending them and whether they were delivered. I have used the EmailAttachmentInfo table and joined it to EmailEvents on NetworkMessageId, which uniquely identifies each message and is the correct join key (joining on SenderFromAddress would pair every attachment with every mail from that sender). In Advanced Hunting the time column is Timestamp, and the window can be changed according to the requirement.
EmailAttachmentInfo
| where Timestamp > ago(1h)
| where FileType == "pdf"
| join kind=inner (EmailEvents | project NetworkMessageId, Subject, SenderIPv4, AttachmentCount, DeliveryLocation) on NetworkMessageId
| project Timestamp, SenderFromAddress, Subject, SenderIPv4, RecipientEmailAddress, FileName, AttachmentCount, DeliveryLocation
Out of the many columns and query options, I'm looking for Remote Desktop connections to my devices. The RemoteDesktopConnection action type lives in the DeviceEvents table.
DeviceEvents
| where ActionType == "RemoteDesktopConnection"
| project Timestamp, DeviceName, ActionType, LocalIP, LocalPort, RemoteIP, RemotePort
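As an added example (not from the original post), the query below goes a step further than the raw connection list. RDP sessions also show up in DeviceLogonEvents as RemoteInteractive logons, so it counts failed and successful RDP logons per source IP and device over the last day and keeps only the sources that look like a password spray or a success following a run of failures. The AllowedJumpHosts list and the thresholds are assumed placeholders; replace them with your own jump hosts and tolerance.

```kql
// Added example, not from the original post.
// Assumes the standard DeviceLogonEvents schema (LogonType, ActionType, RemoteIP).
let AllowedJumpHosts = dynamic(["10.0.0.5", "10.0.0.6"]);   // assumed: your own RDP jump hosts
DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "RemoteInteractive"          // RDP / Terminal Services logons
| where RemoteIP !in (AllowedJumpHosts)           // ignore expected sources
| summarize
    Failed    = countif(ActionType == "LogonFailed"),
    Succeeded = countif(ActionType == "LogonSuccess"),
    Accounts  = make_set(AccountName, 20),        // which accounts were tried
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
  by DeviceName, RemoteIP
// assumed thresholds: many failures, or a success after several failures
| where Failed >= 10 or (Failed >= 5 and Succeeded > 0)
| order by Failed desc
```

The Accounts set is what tells a spray (many accounts, one source) apart from a brute force against a single account, and a non-zero Succeeded next to a high Failed count is the row to investigate first.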
Smart Screen Warnings
SmartScreen warnings are useful when you have Web Protection enabled, to understand which URLs were visited or to dig deeper into a threat-related issue. The events are in the DeviceEvents table.
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| take 10
| project Timestamp,DeviceName,DeviceId, RemoteIP, RemoteUrl,ProcessId
The query below looks for SmartScreen URL warnings, but specifically for URLs containing the word sportsbet, as that is a gambling site.
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| where RemoteUrl contains "sportsbet"
| take 10
| project Timestamp,DeviceName,DeviceId, RemoteUrl
Look for Attack Surface Reduction Rules (ASR)
This is an interesting one; I will use the same type of query for a detection rule later. Note that KQL operators are lowercase and case-sensitive (where, summarize), while startswith itself matches case-insensitively, so "asr" also matches ActionType values such as AsrExecutableEmailContentBlocked.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "asr"
| summarize EventCount=count() by ActionType
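An added example, not from the original post, that takes the same ASR summary one step further. ASR action types end in Blocked, Audited or a Warn variant depending on the mode the rule is deployed in, so the query below splits each rule's events by mode; that way a rule that is still in audit mode is not mistaken for an active control, and the devices and files behind the noisiest rules are visible before you flip it to block. It assumes the standard DeviceEvents schema and the documented ActionType naming.

```kql
// Added example, not from the original post.
// Assumes DeviceEvents ActionType values of the form Asr<Rule>Blocked / Asr<Rule>Audited / Asr<Rule>Warn...
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Blocked", "Block",
                     ActionType endswith "Audited", "Audit",
                     ActionType contains "Warn",    "Warn",
                     "Other")
// strip the mode suffix so Block and Audit rows for the same rule line up
| extend Rule = trim_end(@"(Blocked|Audited)$", ActionType)
| summarize Events      = count(),
            Devices     = dcount(DeviceId),
            SampleFiles = make_set(FileName, 5)     // a few of the files that triggered it
  by Rule, Mode
| order by Events desc
```

A rule that only ever appears with Mode == "Audit" is not blocking anything yet; a rule with a large Audit count and no Block rows is the one to review (and tune exclusions for) before enforcing it.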
Saving your queries to run at a later time
You can easily save the queries you write for later use. Once the query is written or copied from elsewhere, press the Save As button and follow the instructions.
The saved query then appears in the Queries tab, as shown below.
You can also use the Community queries shared by others; edit them to suit your requirements. An example is shown below.
Rendering Query Results into Charts
Sometimes you need a graphical representation of the KQL output. When you construct the query so that it summarizes the output (a count per category, or per time bin), you can render it as a chart with the render operator or by choosing a Chart type in the UI.
I've done a very simple query that counts alerts by severity and renders them as a pie chart.
You can append | render piechart to the query, or pick the chart from the Chart type option in the UI.
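The alert-by-severity chart described above, written out as an added example (not the original post's query), together with the same data as a daily trend. It assumes the AlertInfo table; the second query shows the bin() step that turns a summary into something a timechart can plot. Run each query separately by selecting it in the editor.

```kql
// Added example, not from the original post. Assumes the AlertInfo table.
// 1) Share of alerts by severity over the last 30 days, as a pie chart
AlertInfo
| where Timestamp > ago(30d)
| summarize Alerts = count() by Severity
| render piechart

// 2) The same data as a trend: bin() groups timestamps into one-day buckets,
//    which gives the x-axis a timechart needs
AlertInfo
| where Timestamp > ago(30d)
| summarize Alerts = count() by Severity, bin(Timestamp, 1d)
| render timechart
```

render must be the last operator in the query; anything you want to filter or project has to come before it.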
Use Queries to Create Detection Rules
You can schedule your KQL queries so that they detect threats and alert you. My understanding is that this is best for information on non-critical alerts, because scheduling starts from every hour. However, you can classify the severity of the detection.
The example below shows how to create a detection rule for Edge SmartScreen URL warnings. Because the query does not project anything away, it returns every column of DeviceEvents, including the Timestamp, ReportId and DeviceId columns a custom detection needs in order to create alerts and identify the impacted device.
DeviceEvents | where ActionType == "SmartScreenUrlWarning"
Click the Create detection rule button
Fill in the details shown below and press Next
Set the impacted entities as below
Set the actions as below
Select the device scope: all devices or specific device groups
Submit the rule
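A detection-ready version of that SmartScreen query, added here as an example rather than taken from the original post. Every SmartScreen warning is a noisy signal on its own, so this one narrows to a watch list of URL terms and also picks up SmartScreenUserOverride, the event DeviceEvents records when a user clicks through the warning, which is the higher-value case. It keeps the columns a custom detection requires (Timestamp, ReportId, DeviceId) plus the account and process that triggered the warning. Assumptions: the WatchedDomains list is a placeholder, and the override event carries RemoteUrl the same way the warning event does.

```kql
// Added example, not from the original post.
// Custom detections need Timestamp, ReportId and an entity column (DeviceId here) in the output.
let WatchedDomains = dynamic(["sportsbet"]);      // assumed watch list, substitute your own terms
DeviceEvents
| where Timestamp > ago(1h)                       // optional window; the rule also applies its own lookback
| where ActionType in ("SmartScreenUrlWarning", "SmartScreenUserOverride")
| where RemoteUrl has_any (WatchedDomains)        // assumes RemoteUrl is populated for both action types
| project Timestamp, ReportId, DeviceId, DeviceName,
          InitiatingProcessAccountName,           // who was browsing
          InitiatingProcessFileName,              // which browser
          ActionType,                             // Warning vs UserOverride
          RemoteUrl
```

When you turn this into a rule, ActionType is worth surfacing in the alert title: a SmartScreenUserOverride row means the warning was shown and ignored, which deserves a higher severity than a warning that stopped the user.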
Now if you go to Custom detection rules under Hunting, you will see the rules you created.
Go to Incidents & alerts in the left pane and select Alerts. If there are any alerts related to the rules we created earlier, they will show up here.
Below is for a different rule I created previously to detect RDP login attempts.
These can also be received by email if you have set up your notifications as explained before.
All in all, this is a great built-in tool for digging deeper into threat hunting. Personally, the more I learned KQL, the more I wanted to use it and experiment with the results. It helps you pinpoint threats quickly and close off incidents sooner.
There are other ways to stream Defender data (Endpoint, Identity, Cloud and so on) to SIEMs, and in this case especially to Microsoft Sentinel as a centralised solution. More on that coming soon. I hope you have learned something new or sharpened your knowledge with this. Hope to see you in my next post soon.