Updating all MDO hunting queries both under Defender XDR soltion nd under HUnting queries section to meet with formatting requiremnts. Adding few new queries as well.

This commit is contained in:
damozes1 2024-09-12 17:02:11 +02:00
Родитель ccfc4bd314
Коммит 9f730fb5ba
172 изменённых файлов: 1345 добавлений и 362 удалений

Просмотреть файл

@ -2,12 +2,17 @@ id: 518e6938-10ef-4165-af19-82f1287141bc
name: ATP policy status check
description: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
description-detailed: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where Application == "Microsoft Exchange Online"
@ -19,3 +24,4 @@ query: |
| extend packed = pack(Name, Value)
| summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
| evaluate bag_unpack(PackedInfo)
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
name: JNLP-File-Attachment
description: |
JNLP file extensions are an uncommon file type often used to deliver malware.
description-detailed: |
JNLP file extensions are an uncommon file type often used to deliver malware.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where FileName endswith ".jnlp"
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 16eda414-1550-4cdc-8512-0769901d3f05
name: Safe Attachments detections
description: |
This query provides insights on the detections done by Safe Attachment detections
description-detailed: |
This query provides insights on the detections done by Safe Attachment detections.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
@ -15,3 +20,4 @@ query: |
| where detection has "File detonation reputation" or detection has "File detonation"
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
name: Authentication failures by time and authentication type
description: |
This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
description-detailed: |
This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (30d)
@ -15,3 +20,4 @@ query: |
| evaluate bag_unpack(AR)
| where DMARC == "fail"
| summarize count() by bin(Timestamp, 1d)
version: 1.0.0

Просмотреть файл

@ -1,16 +1,22 @@
id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
name: Spoof attempts with auth failure
description: |
this query helps in checking for spoofing attempts on the domain with Authentication failures
This query helps in checking for spoofing attempts on the domain with Authentication failures
description-detailed: |
This query helps in checking for spoofing attempts on the domain with Authentication failures.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (1d) and DetectionMethods contains "spoof"
| project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
version: 1.0.0

Просмотреть файл

@ -1,13 +1,18 @@
id: ba1a91ad-1f99-4386-b191-06a76ef213f8
name: Audit Email Preview-Download action
description: |
This query helps report on who Previewed/Downloaded email messages using Email entitiy page in MDO
This query helps report on who Previewed/Downloaded email messages using the Email entitiy page in Defender for Office 365
description-detailed: |
This query helps report on who Previewed/Downloaded email messages using the Email entitiy page in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege escalation
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
CloudAppEvents
| project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
@ -20,4 +25,5 @@ query: |
| extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
| summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
| extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
| project-away RowNumber
| project-away RowNumber
version: 1.0.0

Просмотреть файл

@ -1,14 +1,20 @@
id: bc2d8214-afb6-4876-b210-25b69325b9b2
name: Hunt for TABL changes
description: |
This query helps hunting for Tenant allow/block list (TABL) changes in MDO
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
description-detailed: |
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Defense evasion
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType contains "TenantAllowBlockListItems"
| order by Timestamp desc
| order by Timestamp desc
version: 1.0.0

Просмотреть файл

@ -1,15 +1,20 @@
id: 712ffdd8-ddce-4372-85dd-063029b418cf
name: Local time to UTC time conversion
description: |
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
description-detailed: |
This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
| where DeliveryAction == "Delivered"
| where LatestDeliveryLocation == "Quarantine"
version: 1.0.0

Просмотреть файл

@ -1,7 +1,10 @@
id: deb4b2c6-c10e-4044-8cf4-84243e40db73
name: MDO daily detection summary report
description: |
This query helps report daily on total # of emails, total # of emails detected as Malware, Phish, Spam, Bulk, total number of user/admin submissions, total # of ZAP events, total # of AIR investigations and their result
This query helps report daily on total number of emails, total numboer of emails detected aby Defender for Office 365
description-detailed: |
This query helps report daily on total number of emails, total numboer of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -10,7 +13,9 @@ requiredDataConnectors:
- EmailEvents
- EmailPostDeliveryEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let QueryTime = 30d;
let Reports = CloudAppEvents
@ -57,4 +62,5 @@ query: |
| join kind=fullouter ThreatByAutomation on Date_value
| sort by Date_value asc
| project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
version: 1.0.0

Просмотреть файл

@ -2,15 +2,20 @@ id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
name: Mail item accessed
description: |
This query helps reviewing emails accessed by end users using cloud app events data
description-detailed: |
This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| where Record == 50
| take 10
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: 63c799bc-7567-4e4d-97be-e143fcfaa333
name: Malicious email senders
description: |
This query helps reviewing emails from sender with atleast one email in quarantine
This query helps hunting for emails from a sender with atleast one email in quarantine
description-detailed: |
This query helps hunting for emails from a sender with atleast one email detected with a threat and sent into quarantine
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let SenderWithQuarantine = EmailEvents
| where LatestDeliveryLocation == "Quarantine"
@ -15,3 +19,4 @@ query: |
EmailEvents
| where LatestDeliveryLocation == "Inbox/folder"
| where SenderFromAddress in (SenderWithQuarantine)
version: 1.0.0

Просмотреть файл

@ -1,15 +1,18 @@
id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
name: New TABL Items
description: |
Identifies new items being added to the Tenant/Allow Block List (TABL). The output includes details about both Allow and Block entries.
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
description-detailed: |
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
- DefenseEvasion
relevantTechniques:
- T1484
- T1562
query: |
CloudAppEvents
| where ActionType == "New-TenantAllowBlockListItems"
@ -27,3 +30,4 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: AccountUpn
version: 1.0.0

Просмотреть файл

@ -0,0 +1,18 @@
id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
name: Emails containing links to IP addresses
description: |
This query helps hunting for Emails containing links to IP addresses
description-detailed: |
This query helps hunting for Emails containing links to IP addresses using Defedner for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
version: 1.0.0

Просмотреть файл

@ -0,0 +1,30 @@
id: e6259b03-622e-4e11-9c54-94987dad7c14
name: Good emails from senders with bad patterns
description: |
This query helps hunting for good emails from senders with bad patterns
description-detailed: |
This query helps hunting for good emails from senders with bad patterns using Defedner for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Good emails from senders with bad patterns
let PctPhishThreshold = 50;
let LookbackWindow = 1d;
EmailEvents
| where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
| where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
| summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
| project-away SenderMailFromAddress1,AuthenticationDetails1
| extend PctPhish = (PhishCount*100 / TotalCount)
| where PctPhish < 100 and PctPhish>= PctPhishThreshold
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
name: Hunt for email conversation take over attempts
description: |
This query helps hunting for email conversation take over attempts
description-detailed: |
This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
@ -32,4 +36,5 @@ query: |
and Pair1 == ""
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0

Просмотреть файл

@ -2,13 +2,18 @@ id: 57f95ba7-938d-4a76-b411-c01034c0d167
name: Hunt for malicious URLs using external IOC source
description: |
This query helps hunt for emails with malicious URLs based on external IOC source
description-detailed: |
This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailUrlInfo
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let url = (externaldata(url: string )
[@"https://urlhaus.abuse.ch/downloads/text_online/"]
@ -19,4 +24,5 @@ query: |
| where Timestamp > ago(2h)
) on $left.url == $right.Url
|join EmailEvents on NetworkMessageId
|project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
|project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
name: Hunt for malicious attachments using external IOC source
description: |
This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
description-detailed: |
This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let abuse_sha256 = (externaldata(sha256_hash: string)
[@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
@ -18,4 +23,5 @@ query: |
| join (EmailAttachmentInfo
| where Timestamp > ago(1d)
) on $left.sha256_hash == $right.SHA256
| project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
| project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
version: 1.0.0

Просмотреть файл

@ -2,14 +2,20 @@ id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
name: Inbox rule changes which forward-redirect email
description: |
This query helps hunting for Inbox rule changes which forward-redirect email
description-detailed: |
This query helps hunting for Inbox rule changes which forward-redirect email
Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Persistence
- Persistence
relevantTechniques:
- T1098
query: |
CloudAppEvents
| where ActionType contains "Set-InboxRule"
|extend Parameters = tostring((parse_json(RawEventData)).Parameters)
|where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
|where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
version: 1.0.0

Просмотреть файл

@ -2,19 +2,25 @@ id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2
name: MDO_CountOfRecipientsEmailaddressbySubject
description: |
Count of recipient's email addresses by subject
description-detailed: |
Count of recipient's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
metadata:
source:
kind: Community
@ -23,4 +29,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0

Просмотреть файл

@ -2,19 +2,25 @@ id: b95994d1-1008-4c42-a74f-9f2967e39ed6
name: MDO_CountOfSendersEmailaddressbySubject
description: |
Count of sender's email addresses by subject
description-detailed: |
Count of sender's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of sender's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountSenderFromAddress >= 10
| project SenderFromAddress, CountSenderFromAddress, Subject
//Count of sender's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountSenderFromAddress >= 10
| project SenderFromAddress, CountSenderFromAddress, Subject
metadata:
source:
kind: Community
@ -23,4 +29,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0

Просмотреть файл

@ -1,20 +1,26 @@
id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
name: MDO_Countofrecipientsemailaddressesbysubject
description: |
Count of recipient's email addresses by subject
Count of recipient's email addresses by subject
description-detailed: |
Count of recipient's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
metadata:
source:
kind: Community
@ -23,4 +29,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0

Просмотреть файл

@ -2,20 +2,26 @@ id: a96c1571-1f7d-48dc-8287-7df5a5f0d987
name: MDO_SummaryOfSenders
description: |
Count of all Senders and where they were delivered
description-detailed: |
Count of all Senders and where they were delivered
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Distinct Count
EmailEvents
| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
//Distinct Count
EmailEvents
| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
Emails = count_distinct(DeliveryLocation == "Inbox/folder"),
JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress
//Count of all Senders and where they were delivered
EmailEvents
| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
//Count of all Senders and where they were delivered
EmailEvents
| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
Emails = count(DeliveryLocation == "Inbox/folder"),
JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress
metadata:
@ -26,4 +32,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0

Просмотреть файл

@ -2,15 +2,21 @@ id: 2c6e7f75-d83c-4344-afdc-83335fe550e6
name: MDO_URLClickedinEmail
description: |
URLs clicked in Email
description-detailed: |
URLs clicked in Email
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
- UrlClickEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ActionType == "ClickAllowed"
//| where ActionType <> "ClickAllowed"
| project AccountUpn, ActionType, Url
UrlClickEvents
| where ActionType == "ClickAllowed"
//| where ActionType <> "ClickAllowed"
| project AccountUpn, ActionType, Url
metadata:
source:
kind: Community
@ -19,4 +25,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
name: Detections by detection methods
description: |
This query helps reviewing malicious email detections by detection methods
description-detailed: |
This query helps reviewing malicious email detections by detection methods in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(7d)
@ -38,3 +43,4 @@ query: |
Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
| project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: da7b973a-0045-4fd6-9161-269369336d24
name: Mail reply to new domain
description: |
This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
description-detailed: |
This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
@ -33,3 +37,4 @@ query: |
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0

Просмотреть файл

@ -2,15 +2,20 @@ id: 6b478186-da3b-4d71-beaa-aa5b42908499
name: Mailflow by directionality
description: |
This query helps reviewing inbound / outbound / intra-org emails by domain per day
description-detailed: |
This query helps reviewing inbound / outbound / intra-org emails by domain per day
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
| summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: da932998-81dd-4be4-963c-f4890cb4192e
name: Malicious emails detected per day
description: |
This query helps reviewing Malware, Phishing, Spam emails caught per day
description-detailed: |
This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
@ -22,3 +26,4 @@ query: |
'Spam')
| summarize total=count() by detection, bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: b2beec6a-2c1c-4319-a191-e70c2ee42857
name: Sender recipient contact establishment
description: |
This query helps in checking the sender-recipient contact establishment status
description-detailed: |
This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(30d)
@ -28,3 +32,4 @@ query: |
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0

Просмотреть файл

@ -1,16 +1,21 @@
id: 12225f50-9d41-4b78-8269-cc127d98654c
name: Top 100 malicious email senders
description: |
This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days
This query helps reviewing top 100 malicious senders
description-detailed: |
This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize total=count() by SenderMailFromAddress
| top 100 by total
version: 1.0.0

Просмотреть файл

@ -2,14 +2,19 @@ id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
name: Top 100 senders
description: |
This query helps reviewing top 100 senders in your organization in last 30 days
description-detailed: |
This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| summarize mailCountBySender = count() by SenderMailFromAddress
| top 100 by mailCountBySender
version: 1.0.0

Просмотреть файл

@ -2,14 +2,19 @@ id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
name: Zero day threats
description: |
This query helps reviewing zero day threats via URL and file detonations
description-detailed: |
This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
| count
version: 1.0.0

Просмотреть файл

@ -2,6 +2,8 @@ id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
name: Email containing malware accessed on a unmanaged device
description: |
In this query, we looking for emails containing malware accessed on a unmanaged device
description-detailed: |
In this query, we looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -9,7 +11,9 @@ requiredDataConnectors:
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Malware
- Execution
relevantTechniques:
- T1204
query: |
EmailPostDeliveryEvents
| where ActionType == "Malware ZAP"
@ -22,4 +26,5 @@ query: |
) on InternetMessageId
| where isnotempty(SessionId)
| join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
version: 1.0.0

Просмотреть файл

@ -2,14 +2,19 @@ id: 07c85687-6dee-4266-9345-1e34de85d989
name: Email containing malware sent by an internal sender
description: |
In this query, we looking for emails containing malware attachment sent by an internal sender
description-detailed: |
In this query, we looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Malware
- LateralMovement
relevantTechniques:
- T1534
query: |
EmailEvents
| where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
| where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
version: 1.0.0

Просмотреть файл

@ -2,13 +2,17 @@ id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
name: Email malware detection report
description: |
This query helps reviewing email malware detection cases
description-detailed: |
This query helps reviewing email malware detection cases in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -19,3 +23,4 @@ query: |
| extend Case = array_length(ThreatFamily_wih_Attachment)
| project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
| sort by Case desc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: a3619c75-a927-4dbb-91cc-9adc55e95bda
name: Malware detections by detection methods
description: |
This query helps reviewing malware detections by detection methods
description-detailed: |
This query helps reviewing malware detections by detection methods in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -25,3 +29,4 @@ query: |
)
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
version: 1.0.0

Просмотреть файл

@ -2,14 +2,20 @@ id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
name: Admin overrides
description: |
This query helps in reviewing malicious emails allowed due to admin overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where DeliveryLocation == "Inbox/folder"
| where isnotempty(ThreatTypes) and OrgLevelAction == "Allow"
| count
version: 1.0.0

Просмотреть файл

@ -2,13 +2,19 @@ id: c73ae295-d120-4f79-aaed-de005f766ad2
name: Top policies performing admin overrides
description: |
This query helps in reviewing top policies for admin overrides (Allow/Block)
description-detailed: |
This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow" //"Block"
| summarize count() by OrgLevelPolicy
version: 1.0.0

Просмотреть файл

@ -2,13 +2,19 @@ id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
name: Top policies performing user overrides
description: |
This query helps in reviewing top policies for user overrides (Allow/Block)
description-detailed: |
This query helps in reviewing top policies for uswer defined detection overrides (Allow/Block)in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
| summarize count() by UserLevelPolicy
version: 1.0.0

Просмотреть файл

@ -2,14 +2,20 @@ id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
name: User overrides
description: |
This query helps in reviewing malicious emails allowed due to user overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where DeliveryLocation == "Inbox/folder"
| where isnotempty(ThreatTypes) and UserLevelAction == "Allow"
| count
version: 1.0.0

Просмотреть файл

@ -1,6 +1,8 @@
id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
name: Appspot Phishing Abuse
description: |
This query helps surface phishing campaigns associated with Appspot abuse.
description-detailed: |
This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
Reference - https://twitter.com/MsftSecIntel
@ -10,7 +12,9 @@ requiredDataConnectors:
- EmailUrlInfo
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
// Detect URLs with a subdomain on appspot.com
@ -23,4 +27,5 @@ query: |
| where Url has RecipientEmailAddress
// Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
or Url has base64_encode_tostring(RecipientEmailAddress)
| project-away Timestamp1, NetworkMessageId1, ReportId1
| project-away Timestamp1, NetworkMessageId1, ReportId1
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
name: Phish detections by detection methods
description: |
This query helps reviewing detections done by some of the most frequent detection technologies in the last 7 days
This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
description-detailed: |
This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(7d)
@ -32,3 +36,4 @@ query: |
)
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
version: 1.0.0

Просмотреть файл

@ -1,13 +1,18 @@
id: 25150085-015a-4673-9b67-bc6ad9475500
name: Campaign with randomly named attachments
description: |
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients, typically more than 50, can potentially indicate a QR code phishing campaign
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
description-detailed: |
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where Timestamp > ago(7d)
@ -15,4 +20,5 @@ query: |
| where isnotempty(FileName)
| extend firstFourFileName = substring(FileName, 0, 4)
| summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
| where FirstFourFilesCount >= 10
| where FirstFourFilesCount >= 10
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 9b086a51-e396-4718-90d7-f7b3646e6581
name: Campaign with suspicious keywords
description: |
In this detection, we track emails with suspicious keywords in subjects.
description-detailed: |
In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let PhishingKeywords = ()
{pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
@ -16,4 +21,5 @@ query: |
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| where Subject has_any (PhishingKeywords())
| where Subject has_any (PhishingKeywords())
version: 1.0.0

Просмотреть файл

@ -2,13 +2,18 @@ id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
name: Custom detection-Emails with QR from non-prevalent senders
description: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
description-detailed: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let QRCode_emails = EmailUrlInfo
| where Timestamp > ago (2d)
@ -42,4 +47,5 @@ query: |
| where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
| join kind=inner senders_NMIDs on NetworkMessageId
| project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
QRCode_emails_from_non_prevalent_senders
QRCode_emails_from_non_prevalent_senders
version: 1.0.0

Просмотреть файл

@ -2,13 +2,18 @@ id: 594fe5a1-53b6-466b-86df-028366c3994e
name: Emails delivered having URLs from QR codes
description: |
In this query, we hunt for inbound emails delivered having URLs from QR codes
description-detailed: |
In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -16,4 +21,5 @@ query: |
| where DeliveryAction == "Delivered"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
version: 1.0.0

Просмотреть файл

@ -2,13 +2,18 @@ id: 706b711a-7622-40f1-9ebb-331d1a0ff697
name: Emails with QR codes and suspicious keywords in subject
description: |
In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let SubjectKeywords = ()
{pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
@ -18,4 +23,5 @@ query: |
| where DeliveryAction == "Delivered"
| where Subject has_any (SubjectKeywords)
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where UrlLocation == "QRCode"
version: 1.0.0

Просмотреть файл

@ -2,13 +2,18 @@ id: f708c866-073a-4107-a60b-ba6f86e54caa
name: Emails with QR codes from non-prevalent sender
description: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let senderprevalence =
EmailEvents
@ -27,4 +32,5 @@ query: |
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| distinct SenderFromAddress,Url,NetworkMessageId;
QR_from_non_prevalent
QR_from_non_prevalent
version: 1.0.0

Просмотреть файл

@ -2,13 +2,17 @@ id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
name: Hunting for sender patterns
description: |
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
description-detailed: |
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let PhishingSenderDisplayNames = ()
{
@ -39,4 +43,5 @@ query: |
| distinct SenderFromDomain);
suspiciousEmails
| where SenderFromDomain !in (prevalentSenders)
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: 8c852f12-499f-499b-afc1-25c50aa9b462
name: Hunting for user signals-clusters
description: |
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify th escope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
description-detailed: |
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let suspiciousClusters = EmailEvents
| where Timestamp > ago(7d)
@ -18,4 +22,5 @@ query: |
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where EmailClusterId in (suspiciousClusters)
| summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
| summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
version: 1.0.0

Просмотреть файл

@ -2,13 +2,18 @@ id: f6354c94-3a95-4235-8530-414f016a7bf6
name: Inbound emails with QR code URLs
description: |
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
description-detailed: |
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -16,4 +21,5 @@ query: |
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
| render timechart
| render timechart
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
name: Personalized campaigns based on the first few keywords
description: |
In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
In this detection, we track emails with personalized subjects.
description-detailed: |
In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(1d)
@ -17,4 +21,5 @@ query: |
| extend words = split(Subject," ")
| project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
| where SubjectsCount >= 10
| where SubjectsCount >= 10
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: 54d3455d-27e0-4ceb-99f9-375abd620151
name: Personalized campaigns based on the last few keywords
description: |
In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
In this detection, we track emails with personalized subjects.
description-detailed: |
In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(1d)
@ -17,4 +21,5 @@ query: |
| extend words = split(Subject," ")
| project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
| where SubjectsCount >= 10
| where SubjectsCount >= 10
version: 1.0.0

Просмотреть файл

@ -1,13 +1,18 @@
id: 8d298b5c-feca-4add-bd42-e43e0a317a88
name: Risky sign-in attempt from a non-managed device
description: |
In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
description-detailed: |
In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
AADSignInEventsBeta
| where Timestamp > ago(7d)
@ -22,4 +27,5 @@ query: |
| where isnotempty(AccountObjectId)
| where isempty(DeviceName)
| where isempty(AadDeviceId)
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
version: 1.0.0

Просмотреть файл

@ -1,14 +1,19 @@
id: 3131d0ba-32c9-483e-a25c-82e26a07e116
name: Suspicious sign-in attempts from QR code phishing campaigns
description: |
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
description-detailed: |
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let successfulRiskySignIn = materialize(AADSignInEventsBeta
| where Timestamp > ago(1d)
@ -38,4 +43,5 @@ query: |
| extend items = folders.FolderItems
| mv-expand items
| extend InternetMessageId = tostring(items.InternetMessageId)
| project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
| project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
version: 1.0.0

Просмотреть файл

@ -1,14 +1,18 @@
id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
name: Group quarantine release
description: |
This query helps in reviewing group released messages by detection type. Useful to see what is leading to the largest number of messages being released.
This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
description-detailed: |
This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
@ -17,3 +21,5 @@ query: |
| join EmailEvents on NetworkMessageId
| summarize count() by DetectionMethods
| order by count_ desc
version: 1.0.0

Просмотреть файл

@ -1,14 +1,18 @@
id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
name: High Confidence Phish Released
description: |
This query shows information about high confidence phish email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
This query shows information about high confidence phish email that has been released from the Quarantine.
description-detailed: |
This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
@ -19,4 +23,5 @@ query: |
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
| order by ReleaseTime asc
version: 1.0.0

Просмотреть файл

@ -1,14 +1,19 @@
id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
name: Quarantine Release Email Details
description: |
This query shows information about email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
This query shows information about email that has been released from the Quarantine in Defender for Office 365.
description-detailed: |
This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
@ -18,4 +23,5 @@ query: |
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
| order by ReleaseTime asc
version: 1.0.0

Просмотреть файл

@ -1,16 +1,22 @@
id: 9f135aef-ad25-4df2-bdab-8399978a36a2
name: Quarantine release trend
description: |
This query helps reviewing quarantine release trend
This query helps reviewing quarantine release trend in Defender for Office 365
description-detailed: |
This query helps reviewing quarantine release trend in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| summarize count() by bin(Timestamp, 1d)
| project-rename Releases = count_
| render timechart with (title="Qurantine Releases by Day")
version: 1.0.0

Просмотреть файл

@ -1,6 +1,9 @@
id: 99713387-9d61-49eb-8edc-f51153d8bb01
name: Listing Email Remediation Actions via Explorer
description: |
Listing Email Remediation Actions perfomed via Explorer in Defender for Offie 365
description-detailed: |
Listing Email Remediation Actions perfomed via Explorer in Defender for Offie 365
- Track each cases with Network Message ID
- Sort the users who got a number of actions
- e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items
@ -8,7 +11,10 @@ requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics: []
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -23,4 +29,5 @@ query: |
| extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
| extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
| project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
| order by Sum_case desc
| order by Sum_case desc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c
name: Display Name - Spoof and Impersonation
description: |
This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name
description-detailed: |
This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(24hrs)
@ -27,4 +31,5 @@ query: |
| project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0

Просмотреть файл

@ -1,6 +1,8 @@
id: cdc4da1c-64a1-4941-be59-1f5cc85481ab
name: referral-phish-emails
description: |
Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
description-detailed: |
The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -8,7 +10,9 @@ requiredDataConnectors:
- EmailEvents
- EmailUrlInfo
tactics:
- Credential Access
- InitialAccess
relevantTechniques:
- T1566
query: |
let EmailAddresses = pack_array
('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
@ -20,3 +24,4 @@ query: |
| extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
| where SenderFromDomain == RecipientDomain
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
version: 1.0.0

Просмотреть файл

@ -2,14 +2,20 @@ id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e
name: Spoof and impersonation detections by sender IP
description: |
This query helps reviewing count of spoof and impersonation detections done per sender IP
description-detailed: |
This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
|where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
| project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4
| summarize count() by SenderIPv4
version: 1.0.0

Просмотреть файл

@ -2,15 +2,21 @@ id: 011c3d48-f6ca-405f-9763-66c7856ad2ba
name: Spoof and impersonation phish detections
description: |
This query helps reviewing count of phish detections done by spoof detection methods
description-detailed: |
This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
|where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
| project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
| evaluate bag_unpack(DT)
| summarize count() by tostring(Phish)
version: 1.0.0

Просмотреть файл

@ -2,13 +2,17 @@ id: e90345b3-439c-44e1-a85d-8ae84ad9c65b
name: User not covered under display name impersonation
description: |
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
description-detailed: |
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- IdentityInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let display_names =
IdentityInfo
@ -21,3 +25,4 @@ query: |
| lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName
| where SenderDisplayName != ""
| summarize by SenderDisplayName
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49
name: Admin reported submissions
description: |
This query helps reviewing admin reported email submissions
description-detailed: |
This query helps reviewing admin reported email submissions in Defender for Offic e365
description-detailed: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -15,3 +20,4 @@ query: |
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29
| where ActionType == "AdminSubmission"
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: 1c390fd7-2668-4445-9b7d-055f3851be5f
name: Status of submissions
description: |
This query helps reviewing status of submissions
description-detailed: |
This query helps reviewing status of submissions in Defender for Office 365.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -18,3 +22,4 @@ query: |
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| summarize count() by tostring(SubmissionState)
| sort by count_
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: 2d2351ca-e9a6-4286-b445-a9268189c1dc
name: Top submitters of admin submissions
description: |
This query helps reviewing top submitters of admin submissions
description-detailed: |
This query helps reviewing top submitters of admin submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -18,3 +22,4 @@ query: |
| where ActionType == "AdminSubmission"
| summarize count() by tostring(UserKey)
| sort by count_
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f
name: Top submitters of user submissions
description: |
This query helps reviewing top submitters of user submissions
description-detailed: |
This query helps reviewing top submitters of user submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -18,3 +22,4 @@ query: |
| where ActionType == "UserSubmission"
| summarize count() by tostring(UserKey)
| sort by count_
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: 0bd33643-c517-48b1-8211-25a7fbd15a50
name: User reported submissions
description: |
This query helps reviewing user reported email submissions
description-detailed: |
This query helps reviewing user reported email submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -15,3 +19,4 @@ query: |
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29
| where ActionType == "UserSubmission"
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: de480ca4-4095-4fef-b3e7-2a3f17f24e78
name: Attacked more than x times average
description: |
This query helps reviewing count of users attacked more than x times average. Update the value of x in the query to get desired results.
This query helps reviewing count of users attacked more than x times average.
description-detailed: |
This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let AverageThreatPerRecipient = toscalar(EmailEvents
| where DetectionMethods != ""
@ -17,3 +21,4 @@ query: |
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| where tolong(total) >= 1*AverageThreatPerRecipient // update "1"
version: 1.0.0

Просмотреть файл

@ -2,15 +2,20 @@ id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
name: Malicious mails by sender IPs
description: |
This query helps reviewing sender IPs sending malicious email of type Malware or Phish
description-detailed: |
This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize count() by SenderIPv4 //SenderIPv6
| sort by count_
version: 1.0.0

Просмотреть файл

@ -1,14 +1,18 @@
id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
name: Top 10 URL domains attacking organization
description: |
This query helps reviewing list of top 10 URL domains attacking organization
This query helps reviewing list of top 10 URL domains attacking the organization
description-detailed: |
This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566 - Initial access
query: |
EmailEvents
| where ThreatTypes != ""
@ -20,3 +24,4 @@ query: |
| summarize total=count() by UrlDomain
| top 10 by total
| render columnchart
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
name: Top 10% of most attacked users
description: |
This query helps reviewing the list of top 10% of most attacked users
description-detailed: |
This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let topTargeted = toscalar( EmailEvents
| where DetectionMethods != ""
@ -18,3 +22,4 @@ query: |
| summarize total=count() by RecipientEmailAddress
| where total >= topTargeted
| order by total desc
version: 1.0.0

Просмотреть файл

@ -2,15 +2,20 @@ id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
name: Top external malicious senders
description: |
This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days
description-detailed: |
This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| summarize count() by SenderFromAddress
| sort by count_
version: 1.0.0

Просмотреть файл

@ -2,15 +2,20 @@ id: a1664330-810a-473b-b354-acbaa751a294
name: Top targeted users
description: |
This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days
description-detailed: |
This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
| summarize count() by RecipientEmailAddress
| sort by count_
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: d24e9c4a-b72a-4a85-89cd-83760ae61155
name: End user malicious clicks
description: |
This query helps reviewing list of top users click on Phis URLs
description-detailed: |
This query helps reviewing list of top users click on Phis URLs using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ThreatTypes contains "Phish"
@ -17,3 +21,4 @@ query: |
| extend ErrorPage = ActionType has_any('UrlErrorPage')
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by AccountUpn
| sort by Blocked desc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: 3f007cdc-86bf-4657-9015-05101a3e54f5
name: URL click count by click action
description: |
This query helps reviewing URL click count by ClickAction
description-detailed: |
This query helps reviewing URL click count by ClickAction using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| extend UrlBlocked = ActionType has_any("ClickBlocked")
@ -15,3 +19,4 @@ query: |
| extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
| extend ErrorPage = ActionType has_any('UrlErrorPage')
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)
version: 1.0.0

Просмотреть файл

@ -2,6 +2,9 @@ id: efe27064-6d35-4720-b7f5-e0326695613d
name: URL click on ZAP email
description: |
In this query, we looking for Url clicks on emails wich get actioned by Zerohour auto purge
description-detailed: |
In this query, we looking for Url clicks on emails wich get actioned by Zerohour auto purge (ZAP) in Defender for Office 365.
Reference - https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -9,9 +12,12 @@ requiredDataConnectors:
- Alertinfo
- AlertEvidence
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
AlertInfo
| where Title contains "Email messages containing malicious URL removed after delivery" and Timestamp > ago (7d)
| join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId
| join UrlClickEvents on NetworkMessageId
| join UrlClickEvents on NetworkMessageId
version: 1.0.0

Просмотреть файл

@ -2,16 +2,21 @@ id: bc46e331-3cb0-483d-9c90-989d2a59457f
name: URL clicks actions by URL
description: |
In this query, we looking URL click actions by URL in th elast 7 days
description-detailed: |
In this query, we looking URL click actions by URL in th elast 7 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| extend UrlBlocked = ActionType has_any("ClickBlocked")
| extend UrlAllowed = ActionType has_any('ClickAllowed')
| extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
| extend ErrorPage = ActionType has_any('UrlErrorPage')
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
version: 1.0.0

Просмотреть файл

@ -2,6 +2,8 @@ id: 03e61096-20d0-46eb-b8e0-a507dd00a19f
name: URLClick details based on malicious URL click alert
description: |
In this query, we looking for Url clicks on emails wich are generated the alert-A potentially malicious URL click was detected
description-detailed: |
In this query, we looking for Url clicks on emails wich are generated the alert-A potentially malicious URL click was detected in Defender for Offiec 365.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -9,9 +11,12 @@ requiredDataConnectors:
- Alertinfo
- AlertEvidence
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
AlertInfo
| where Title contains "Potentially malicious" and Timestamp > ago (30d)
| join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId
| join UrlClickEvents on NetworkMessageId
| join UrlClickEvents on NetworkMessageId
version: 1.0.0

Просмотреть файл

@ -1,15 +1,20 @@
id: f075d4c4-cf76-4e5d-9c2d-9ed524286316
name: User clicked through events
description: |
This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page via click though option on SafeLinks warning page
This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page.
description-detailed: |
This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page via click though option on SafeLinks warning page in Defender for Office 365.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough !="0"
| where ThreatTypes has "Phish"
| summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes
version: 1.0.0

Просмотреть файл

@ -1,14 +1,18 @@
id: 891f4865-75e5-4d40-bc24-ebf97da3ca9a
name: User clicks on malicious inbound emails
description: |
This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days.
This query provides insights on users who clicked on a suspicious URL
description-detailed: |
This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days using Defender for Office 365 Data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let UrlClicked = (UrlClickEvents
| where ActionType == "ClickAllowed" or IsClickedThrough !="0"
@ -21,3 +25,4 @@ query: |
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| join kind = inner UrlClicked on NetworkMessageId
| project Timestamp,NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, ThreatTypes, ActionType, Url, UrlChain, Device_IPv4, LatestDeliveryLocation, LatestDeliveryAction, EmailAction, EmailActionPolicy
version: 1.0.0

Просмотреть файл

@ -1,6 +1,8 @@
id: d823da0e-1334-4a66-8ff4-2c2c40d26295
name: User clicks on phishing URLs in emails
description: |
This query helps in determining clickthroughs when email delivered because of detetcion overrides.
description-detailed: |
This query helps in determining clickthroughs, potential deliveries through User/Tenant overrides and detection details for malicious clicks on URLs in emails
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -8,9 +10,12 @@ requiredDataConnectors:
- EmailEvents
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ThreatTypes has "Phish"
| join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
| project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
version: 1.0.0

Просмотреть файл

@ -1,18 +1,23 @@
id: 08aff8c6-b983-43a3-be95-68a10c3d35e6
name: PhishingEmailUrlRedirector (1)
description: |
The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
description-detailed: |
The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
This query was originally published on Twitter, by @MsftSecIntel.
The query helps detect emails associated with the open redirector URL campaign. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
Reference - https://twitter.com/MsftSecIntel
Reference - https://twitter.com/MsftSecIntel
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
//This regex identifies emails containing the "T-Dot" redirector pattern in the URL
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
//This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
version: 1.0.0

Просмотреть файл

@ -1,13 +1,18 @@
id: 492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9
name: SafeLinks URL detections
description: |
This query provides insights on the detections done by SafeLinks protection
This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
description-detailed: |
This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-links-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
@ -15,3 +20,4 @@ query: |
| where detection == '["URL detonation reputation"]' or detection == '["URL detonation"]'
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0

Просмотреть файл

@ -2,14 +2,19 @@ id: c10b22a0-6021-46f9-bdaf-05bf2350a554
name: Total ZAP count
description: |
This query helps reviewing count of total ZAP events
description-detailed: |
This query helps reviewing count of total ZAP events in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailPostDeliveryEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailPostDeliveryEvents
| where Timestamp > ago(30d)
| where ActionType == "Phish ZAP" or ActionType == "Malware ZAP"
| count
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 518e6938-10ef-4165-af19-82f1287141bc
name: ATP policy status check
description: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
description-detailed: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where Application == "Microsoft Exchange Online"
@ -19,3 +24,4 @@ query: |
| extend packed = pack(Name, Value)
| summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
| evaluate bag_unpack(PackedInfo)
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
name: JNLP-File-Attachment
description: |
JNLP file extensions are an uncommon file type often used to deliver malware.
description-detailed: |
JNLP file extensions are an uncommon file type often used to deliver malware.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where FileName endswith ".jnlp"
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 16eda414-1550-4cdc-8512-0769901d3f05
name: Safe Attachments detections
description: |
This query provides insights on the detections done by Safe Attachment detections
description-detailed: |
This query provides insights on the detections done by Safe Attachment detections.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
@ -15,3 +20,4 @@ query: |
| where detection has "File detonation reputation" or detection has "File detonation"
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
name: Authentication failures by time and authentication type
description: |
This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
description-detailed: |
This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (30d)
@ -15,3 +20,4 @@ query: |
| evaluate bag_unpack(AR)
| where DMARC == "fail"
| summarize count() by bin(Timestamp, 1d)
version: 1.0.0

Просмотреть файл

@ -1,16 +1,22 @@
id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
name: Spoof attempts with auth failure
description: |
this query helps in checking for spoofing attempts on the domain with Authentication failures
This query helps in checking for spoofing attempts on the domain with Authentication failures
description-detailed: |
This query helps in checking for spoofing attempts on the domain with Authentication failures.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (1d) and DetectionMethods contains "spoof"
| project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
version: 1.0.0

Просмотреть файл

@ -1,13 +1,18 @@
id: ba1a91ad-1f99-4386-b191-06a76ef213f8
name: Audit Email Preview-Download action
description: |
This query helps report on who Previewed/Downloaded email messages using Email entitiy page in MDO
This query helps report on who Previewed/Downloaded email messages using the Email entitiy page in Defender for Office 365
description-detailed: |
This query helps report on who Previewed/Downloaded email messages using the Email entitiy page in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege escalation
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
CloudAppEvents
| project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
@ -20,4 +25,5 @@ query: |
| extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
| summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
| extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
| project-away RowNumber
| project-away RowNumber
version: 1.0.0

Просмотреть файл

@ -1,14 +1,20 @@
id: bc2d8214-afb6-4876-b210-25b69325b9b2
name: Hunt for TABL changes
description: |
This query helps hunting for Tenant allow/block list (TABL) changes in MDO
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
description-detailed: |
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Defense evasion
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType contains "TenantAllowBlockListItems"
| order by Timestamp desc
| order by Timestamp desc
version: 1.0.0

Просмотреть файл

@ -1,15 +1,20 @@
id: 712ffdd8-ddce-4372-85dd-063029b418cf
name: Local time to UTC time conversion
description: |
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
description-detailed: |
This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
| where DeliveryAction == "Delivered"
| where LatestDeliveryLocation == "Quarantine"
version: 1.0.0

Просмотреть файл

@ -1,7 +1,10 @@
id: deb4b2c6-c10e-4044-8cf4-84243e40db73
name: MDO daily detection summary report
description: |
This query helps report daily on total # of emails, total # of emails detected as Malware, Phish, Spam, Bulk, total number of user/admin submissions, total # of ZAP events, total # of AIR investigations and their result
This query helps report daily on total number of emails, total numboer of emails detected aby Defender for Office 365
description-detailed: |
This query helps report daily on total number of emails, total numboer of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -10,7 +13,9 @@ requiredDataConnectors:
- EmailEvents
- EmailPostDeliveryEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let QueryTime = 30d;
let Reports = CloudAppEvents
@ -57,4 +62,5 @@ query: |
| join kind=fullouter ThreatByAutomation on Date_value
| sort by Date_value asc
| project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
version: 1.0.0

Просмотреть файл

@ -2,15 +2,20 @@ id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
name: Mail item accessed
description: |
This query helps reviewing emails accessed by end users using cloud app events data
description-detailed: |
This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| where Record == 50
| take 10
version: 1.0.0

Просмотреть файл

@ -1,13 +1,17 @@
id: 63c799bc-7567-4e4d-97be-e143fcfaa333
name: Malicious email senders
description: |
This query helps reviewing emails from sender with atleast one email in quarantine
This query helps hunting for emails from a sender with atleast one email in quarantine
description-detailed: |
This query helps hunting for emails from a sender with atleast one email detected with a threat and sent into quarantine
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let SenderWithQuarantine = EmailEvents
| where LatestDeliveryLocation == "Quarantine"
@ -15,3 +19,4 @@ query: |
EmailEvents
| where LatestDeliveryLocation == "Inbox/folder"
| where SenderFromAddress in (SenderWithQuarantine)
version: 1.0.0

Просмотреть файл

@ -1,15 +1,18 @@
id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
name: New TABL Items
description: |
Identifies new items being added to the Tenant/Allow Block List (TABL). The output includes details about both Allow and Block entries.
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
description-detailed: |
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
- DefenseEvasion
relevantTechniques:
- T1484
- T1562
query: |
CloudAppEvents
| where ActionType == "New-TenantAllowBlockListItems"
@ -27,3 +30,4 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: AccountUpn
version: 1.0.0

Просмотреть файл

@ -2,12 +2,17 @@ id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
name: Emails containing links to IP addresses
description: |
This query helps hunting for Emails containing links to IP addresses
description-detailed: |
This query helps hunting for Emails containing links to IP addresses using Defedner for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
version: 1.0.0

Просмотреть файл

@ -2,12 +2,16 @@ id: e6259b03-622e-4e11-9c54-94987dad7c14
name: Good emails from senders with bad patterns
description: |
This query helps hunting for good emails from senders with bad patterns
description-detailed: |
This query helps hunting for good emails from senders with bad patterns using Defedner for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
//Good emails from senders with bad patterns
let PctPhishThreshold = 50;
@ -22,4 +26,5 @@ query: |
| project-away SenderMailFromAddress1,AuthenticationDetails1
| extend PctPhish = (PhishCount*100 / TotalCount)
| where PctPhish < 100 and PctPhish>= PctPhishThreshold
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
version: 1.0.0

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше