Microsoft 365 Defender – Advanced Threat Hunting Basics – EMS Route

With this post, I’m focussing anyone who is keen on knowing more about advanced features of MDE and how to get into that realm of threat hunting, and what are the controls available.

So you have proper licensing enabled, and you have Microsoft Defender for Endpoint on your users’ devices and they are onboarded to Defender. What’s next? The Advanced Hunting method is a must-know tool as it helps you to dive into the issues when there are threats in your devices/ environment. My personal experience is learning KQL is an interesting task and there are a lot of resources on the internet to help you learn the basics. This blog post is all about what I learned and how the same can help your life and learn something new simultaneously.

For more info on KQL check below Microsoft guides
Kusto Query Language
KQL Quick Reference
KQL Syntax Reference

KQL Playground – This is a place where you can practice your KQL
https://aka.ms/lademo

Table of Contents

Setting Your Time Zone

This is an important prerequisite as when you start building and running your queries, timestamping should be in real-time.

Go to Security Portal on https://secuity.mictosoft.com > Settings > Security Center >Set the time zone

Data Retention Time Period

This is another important fact for all things Defender. Max data retention time period is 180 days.

Security Portal on https://secuity.mictosoft.com > Settings > Endpoints > Data Retention (under General section)

Set the maximum of 180 days

Set Email Notifications

This will help you to get the alerts via an email. However with a little bit of work, you can make this bit more interesting by using Graph API/ Logic apps/ Teams notifications.

Go to Settings from the left pane > Microsoft 365 Defender > Email Notifications > Add incident email notification

Set the Notification name.

Set below and set the Alert Severity

Set the recipients and create the notification

Building your Query

With those 2 prereqs completed, we can now move into the threat hunting canvas. As you may already know, KQL (Kusto Query Language) is what runs the show here which can be then rendered to graphical charts if needed and especially create detection rules to stay on top of your response and action side of things. The good thing is because this is built into the portal, you don’t have to connect an Azure Log Analytics Workspace, but if you need to stream the Defender data to Microsoft Sentinal, a log analytics workspace is required.

Tabs to create multiple queries at the same time
Query options
1. Schema: KQL Tables which you can use to query data from
2. Functions: Schema functions
3. Queries: Pre-made queries where you can adapt and change accordingly and run
4. Detection Rules: Create rules by using the queries to easily get notified of the threats if that’s captured via a query
Space to construct your query
Results of the executed query

I will not be going through the steps regarding writing KQL queries as it requires it’s own blog post/s to explain KQL from the start. However, I will be showcasing some easy-to-write queries that you can also run in your environment.

The Custome Time Range option can go only up to 30 days backward. Use TimeGenerated () function

Schema Reference

This is a really helpful Glossary type of fly-out menu that shows you all the functions in a table (schema) and what that function does.

And if I go to DeviceEvents schema details I will get below

And click on the function to quick copy/ paste into the query writing area

Sample Queries

How to look for PDF files in emails

This can be a frequent request as PDFs can carry malware if you have the right tool (ASR rules) to capture them. I have used the EmailAttachmentInfo table to query data from. TimeGenerated can be changed according to the requirement.

EmailAttachmentInfo | join kind=inner EmailEvents on SenderFromAddress | where TimeGenerated > ago(1h) | where FileType == "pdf" | project TimeGenerated, SenderFromAddress,Subject,SenderIPv4, RecipientEmailAddress,FileName,AttachmentCount,DeliveryLocation

Device Events

Out of the many function and query options, I’m looking for Remote Desktop attempts on my devices.

DeviceEvents | where ActionType == "RemoteDesktopConnection" | project Timestamp, DeviceName, ActionType, LocalIP, LocalPort

Smart Screen Warnings

Smart screen warnings are useful when you have Web Protection enabled to understand URLs visited or dig deeper into a threat-related issue.

DeviceEvents  | where ActionType == "SmartScreenUrlWarning" | take 10 | project Timestamp,DeviceName,DeviceId, RemoteIP, RemoteUrl,ProcessId

Below query look for Smart Screen URL Warnings, but specifically for URLs that contains the word sportsbet as that a gambling site.

DeviceEvents  | where ActionType == "SmartScreenUrlWarning" | where RemoteUrl contains "sportsbet" | take 10 | project Timestamp,DeviceName,DeviceId, RemoteUrl

Look for Attack Surface Reduction Rules (ASR)

This is an interesting one, I will be using the same type of query for Detection rule later

DeviceEvents | Where Timestamp > ago(30d) | Where ActionType startswith "asr" | Summarize EventCount=count() by ActionType

Saving your queries to run at a later time

You can easily save the queries you write to use at a later time. Once the query is written or copied from another place, press the Save As button and follow the instructions.

Check the query from below

Also use the Community queries which as been shared by others. Edit it to cater to your requirement. Example has shown below

Rendering Query Results into Charts

Sometimes you may have the requirement to see a graphical representation of the KQL output. When you construct the rule in the proper manner to summarize the output, you can render it to a chart by using render function or use the Chart Type in the UI.

I’ve done a very simple query to identify the alerts by the Severity and rendering it to a Pie Chart.

You can use the | render piechart line or the Chart type option on the UI to render it from the options

Use Queries to Create Detection Rules

You can schedule your KQL queries and make them to detect threats and alert you. My understanding is this is best to get information on non critical alerts because the scheduling starts from every hour. However you can classify the severity of the detection

Below example shows how to create a Detection Rule to detect Edge Smart Screen URL Warning.

My query
DeviceEvents  | where ActionType == "SmartScreenUrlWarning"

Click on Create detection rule button

Set below and press Next

Set the impacted entities as below

Set the Actions as below

Select the device scope. All or from the Device Groups

Submit the rule

Now if you go to the Custom Detection rules under Hunting, you will see your created rules

Check Alerts

Go to Incidents & Alerts from the left pane and select Alerts. If there are any alerts related to the rules we created earlier, they will show up here.

Below is for a different rule I created previously to detect any RDP Login attempts

This can be received as an email if you have setup your Notifications as explained before.

Final Thoughts

All in all this is a great in-built tool to dig deeper in to threat hunting. Personally, the more I learned KQL, the more I wanted to use them and experiment the results of it. It is beneficial to pinpoint the threats quickly and close off the incident soon.

There are other ways where you can stream the Defender data (Endpoint/ Identity/ Cloud and etc.) to SIEMs, and specially in this case to Microsoft Sentinel as a centralised solution. More on that coming soon. I hope you have learned something new or sharpened your knowledge with this. Hope to see you in my next post soon.