Friday 8 March 2024

Mastering Threat Detection with Microsoft 365 Defender Advanced Hunting: Queries and Strategies for Proactive Cybersecurity

Microsoft 365 Defender Advanced Hunting is a powerful, query-based threat hunting tool that allows security professionals to proactively search for threats across their organization's digital environment. This capability is part of Microsoft Defender XDR and enables you to inspect events across devices, emails, applications, and identities within your network by leveraging up to 30 days of raw data. Advanced Hunting is designed to help you identify both known and potential threats through unconstrained searching, using the Kusto Query Language (KQL) for crafting queries.

The tool supports two modes: guided and advanced. If you're new to KQL or prefer a more structured approach, the guided mode offers a query builder to assist you. For those more experienced with KQL, the advanced mode allows for direct query crafting from scratch. It's also possible to use the queries developed during hunting to create custom detection rules, which can then automatically monitor for similar threat patterns and respond to them as needed.

Advanced hunting covers data from various sources within the Microsoft ecosystem, including Microsoft Defender for Endpoint, Office 365, Cloud Apps, and Identity, providing a comprehensive view of your organization's security posture. It's crucial to have the appropriate roles and permissions to access this feature, and data freshness is maintained rigorously with event data being available almost immediately and entity data updated every 15 minutes​​.

Several practical examples showcase the flexibility and power of Advanced Hunting:

Identify Devices with a Specific File:

This query checks if devices have files from a known malicious sender, useful for identifying devices affected by a malware distribution campaign.

| where SenderFromAddress =~ ""
| where isnotempty(SHA256)
| join (
    | project FileName, SHA256, DeviceName, DeviceId
) on SHA256

Monitor Specific PowerShell Activities:

This example targets PowerShell processes and searches for suspicious commands that could indicate exploitation attempts.

| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatngProcessCommandLine, FileName, ProcessCommandLine

Logon Events Post-Receiving a Malicious File:

This query investigates logon events occurring within a short timeframe after receiving a malicious file, helping to identify potential breaches.

| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"
| project EmailReceivedTime = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0])
| join (
    | where Timestamp > ago(7d)
    | project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - EmailReceivedTime) between (0min .. 30min)

Activities from Specific Cloud Apps:

A query to monitor activities from cloud apps, like Microsoft SharePoint Online, involving specific users or IP addresses.

| where Application == "Microsoft SharePoint Online"
| take 100

Investigate Cloud App File Uploads:

For tracking file uploads to SharePoint Online, this modified query adapts to the new CloudAppEvents table.

| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"
| where ObjectType == "File" and ObjectName endswith ".xlsx"
| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode

Investigate Defender Folder Access Control

This tracks processes that have been blocked

| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')

Each of these queries utilizes the Kusto Query Language (KQL) to interrogate various datasets available through Microsoft 365 Defender, from endpoint activities to cloud application events. They demonstrate how flexible and powerful Advanced Hunting can be when identifying, investigating, and responding to potential security threats across an organization's Microsoft 365 environment​​​​​​​

No comments:

Post a Comment