niralishah-crest 2024-09-23 12:10:27 +05:30
Родитель 7c59cbb06e fca46489b5
Коммит e83d5c5233
403 изменённых файлов: 13308 добавлений и 5677 удалений


@ -247,5 +247,6 @@
"WindowsFirewallAma",
"1Password",
"RadiflowIsid",
"CustomLogsAma"
"CustomLogsAma",
"SilverfortAma"
]


@ -0,0 +1,40 @@
# Function app manual deployment instructions
- Start VS Code. Choose File in the main menu and select Open Folder.
- Select the top level folder from extracted files.
- Choose the Azure icon in the Activity bar, if you aren't already signed in, choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose Sign in to Azure
- If you're already signed in, go to the next step.
- Provide the following information at the prompts:
a. **Select folder**: Choose a folder from your workspace or browse to one that contains your function app.
b. **Select Subscription**: Choose the subscription to use under resources.
![Select Subscription](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/subscription.png)
c. Right click on the functions and select **Create new Function App in Azure** (Don't choose the Advanced option)
![Create new Function App in Azure](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/CreatenewFunctionApp.png)
d. **Enter a globally unique name for the function app**: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. UmbrellaXYZ).
![Enter a globally unique name](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/globallyuniquename.png)
e. **Select a runtime**: Choose Python 3.9.
![Select a runtime](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectaruntime.png)
f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.
![Select a location for new resources](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectalocation.png)
- Deployment will begin. A notification is displayed after your function app is created.
- Deploy the function in Function app: Once the function app is created click on deploy button under workspace section. Select the Subcription and the function app in which function needs to be deployed.
![Deploy the function in Function app](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Deploythefunction.png)
- Go to Azure Portal for the Function App configuration.


@ -5,17 +5,17 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceInfo
- DeviceInfo
query: |
//Find out of date clients
DeviceInfo
| where OSPlatform contains "Windows"
| summarize arg_max(Timestamp, *) by DeviceId
| extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7))
| where MajorClientVersion < 10.8500
| where OnboardingStatus == "Onboarded"
| project-reorder ClientVersion
version: 1.0.0
//Find out of date clients
DeviceInfo
| where OSPlatform contains "Windows"
| summarize arg_max(Timestamp, *) by DeviceId
| extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7))
| where MajorClientVersion < 10.8500
| where OnboardingStatus == "Onboarded"
| project-reorder ClientVersion
version: 1.0.1
metadata:
source:
kind: Community


@ -5,15 +5,15 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
- DeviceEvents
query: |
//List all the scan types and device name of those scans
DeviceEvents
| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend A=parse_json(AdditionalFields)
| project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User
| sort by Timestamp desc
version: 1.0.0
//List all the scan types and device name of those scans
DeviceEvents
| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend A=parse_json(AdditionalFields)
| project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User
| sort by Timestamp desc
version: 1.0.1
metadata:
source:
kind: Community


@ -5,15 +5,15 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
- DeviceEvents
query: |
DeviceEvents
| where ActionType startswith "ASR"
| extend Fields=parse_json(AdditionalFields)
| extend IsAudit = tostring(Fields.IsAudit)
| where IsAudit == "false"
| project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId
version: 1.0.0
DeviceEvents
| where ActionType startswith "ASR"
| extend Fields=parse_json(AdditionalFields)
| extend IsAudit = tostring(Fields.IsAudit)
| where IsAudit == "false"
| project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId
version: 1.0.1
metadata:
source:
kind: Community


@ -5,13 +5,13 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- DeviceFileEvents
query: |
DeviceFileEvents
| where FileOriginReferrerUrl <> ""
| where FileName contains ".crx"
| project DeviceName, FileName, FolderPath, FileOriginReferrerUrl
version: 1.0.0
DeviceFileEvents
| where FileOriginReferrerUrl <> ""
| where FileName contains ".crx"
| project DeviceName, FileName, FolderPath, FileOriginReferrerUrl
version: 1.0.1
metadata:
source:
kind: Community


@ -5,23 +5,23 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceTvmSecureConfigurationAssessment
- DeviceTvmSecureConfigurationAssessment
query: |
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2', 'SxS Passive' ,'Unknown'))))
| project DeviceId, AVMode;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1
version: 1.0.0
let avmodetable = DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2', 'SxS Passive' ,'Unknown'))))
| project DeviceId, AVMode;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2011" and isnotnull(Context)
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
| join avmodetable on DeviceId
| project-away DeviceId1
version: 1.0.1
metadata:
source:
kind: Community


@ -5,34 +5,34 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
- DeviceEvents
query: |
let LastLogins=DeviceLogonEvents
let LastLogins=DeviceLogonEvents
| where LogonType == "Interactive"
| where InitiatingProcessParentFileName == "wininit.exe"
| summarize LastLogon=arg_max(Timestamp, *) by AccountName, DeviceName
| project AccountName, DeviceName, LastLogon;
let Logins=DeviceLogonEvents
let Logins=DeviceLogonEvents
| where LogonType == "Interactive"
| where InitiatingProcessParentFileName == "wininit.exe"
| summarize Logins=count() by AccountName, DeviceName
| project AccountName, Logins, DeviceName;
let NetworkInfo=DeviceNetworkInfo
let NetworkInfo=DeviceNetworkInfo
| where IPv4Dhcp <> ""
| mvexpand parse_json(IPAddresses)
| where IPAddresses.IPAddress !contains ":"
| summarize arg_max(Timestamp, *) by DeviceName
| project DeviceName, IPAddress=IPAddresses.IPAddress, Timestamp;
Logins
| join kind=inner ( LastLogins
Logins
| join kind=inner ( LastLogins
| project AccountName, DeviceName, LastLogon
) on DeviceName, AccountName
| join kind=leftouter ( NetworkInfo
) on DeviceName, AccountName
| join kind=leftouter ( NetworkInfo
| project DeviceName, IPAddress, Timestamp
) on DeviceName
| project AccountName, DeviceName, LastLogon, Logins, IPAddress
| sort by DeviceName
version: 1.0.0
) on DeviceName
| project AccountName, DeviceName, LastLogon, Logins, IPAddress
| sort by DeviceName
version: 1.0.1
metadata:
source:
kind: Community


@ -5,52 +5,52 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- AlertEvidence
- AlertEvidence
query: |
//Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
let _F = AlertEvidence
//Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
let _F = AlertEvidence
| where DeviceName == "Yourendpointhere"
| distinct AlertId;
let _Process = AlertEvidence
let _Process = AlertEvidence
| where EntityType == "Process"
| join kind=inner _F
on $left.AlertId == $right.AlertId
| order by Timestamp, AlertId
| project AlertId, FileName, FolderPath, SHA1, SHA256, FileSize, ProcessCommandLine, AdditionalFields;
let _IP = AlertEvidence
let _IP = AlertEvidence
| where EntityType == "Ip"
| join kind=inner _F
on $left.AlertId == $right.AlertId
| order by Timestamp, AlertId
| project AlertId, RemoteIP, AdditionalFields;
let _URL = AlertEvidence
let _URL = AlertEvidence
| where EntityType == "Url"
| join kind=inner _F
on $left.AlertId == $right.AlertId
| order by Timestamp, AlertId
| project AlertId, RemoteUrl, AdditionalFields;
let _User = AlertEvidence
let _User = AlertEvidence
| where EntityType == "User"
| join kind=inner _F
on $left.AlertId == $right.AlertId
| order by Timestamp, AlertId
| project AlertId, AccountName, AccountDomain, AccountSid, AccountUpn, AdditionalFields;
let _Machine = AlertEvidence
let _Machine = AlertEvidence
| where EntityType == "Machine"
| join kind=inner _F
on $left.AlertId == $right.AlertId
| order by Timestamp, AlertId
| project AlertId, DeviceName, LocalIP, AdditionalFields;
_Machine
| join _F on $left.AlertId == $right.AlertId
| join _IP on $left.AlertId == $right.AlertId
| join _Process on $left.AlertId == $right.AlertId
| join _URL on $left.AlertId == $right.AlertId
| join _User on $left.AlertId == $right.AlertId
| distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn,
_Machine
| join _F on $left.AlertId == $right.AlertId
| join _IP on $left.AlertId == $right.AlertId
| join _Process on $left.AlertId == $right.AlertId
| join _URL on $left.AlertId == $right.AlertId
| join _User on $left.AlertId == $right.AlertId
| distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn,
DeviceName, LocalIP, FileSize, FolderPath, SHA1, SHA256, ProcessCommandLine,
RemoteIP, RemoteUrl
version: 1.0.0
version: 1.0.1
metadata:
source:
kind: Community


@ -5,18 +5,18 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceBaselineComplianceAssessment
- DeviceBaselineComplianceAssessment
query: |
//Find Windows Defender Settings
DeviceBaselineComplianceAssessment
| where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\"
| project DeviceName, Source, CurrentValue
//Find Windows Defender Settings
DeviceBaselineComplianceAssessment
| where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\"
| project DeviceName, Source, CurrentValue
//Find Windows Defender Security Center Settings
DeviceBaselineComplianceAssessment
| where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\"
| project DeviceName, Source, CurrentValue
version: 1.0.0
//Find Windows Defender Security Center Settings
DeviceBaselineComplianceAssessment
| where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\"
| project DeviceName, Source, CurrentValue
version: 1.0.1
metadata:
source:
kind: Community


@ -5,14 +5,14 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- DeviceFileEvents
query: |
//Find LNK files on certain devices
DeviceFileEvents
| where DeviceName == "EndpointNameHere"
| where FileName contains ".LNK"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath
version: 1.0.0
//Find LNK files on certain devices
DeviceFileEvents
| where DeviceName == "EndpointNameHere"
| where FileName contains ".LNK"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath
version: 1.0.1
metadata:
source:
kind: Community


@ -5,29 +5,29 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- DeviceFileEvents
query: |
//Find Mounted ISO files and drive letters
DeviceFileEvents
| where Timestamp > ago(1d)
| where FileName endswith "iso"
| project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath
| join kind = inner (
//Find Mounted ISO files and drive letters
DeviceFileEvents
| where Timestamp > ago(1d)
| where FileName endswith "iso"
| project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath
| join kind = inner (
DeviceFileEvents
| where Timestamp > ago(1d)
| where FileName endswith "lnk"
| extend ['LNK FileName'] = FileName
| project ['LNK FileName'], DeviceName
) on DeviceName
| join kind = inner (
| join kind = inner (
DeviceRegistryEvents
| where Timestamp > ago(1d)
| where RegistryKey contains "MountedDevices"
| project ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), DeviceName, RegistryValueName
) on DeviceName
| where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName)
| distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName
version: 1.0.0
| where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName)
| distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName
version: 1.0.1
metadata:
source:
kind: Community


@ -5,18 +5,18 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- DeviceProcessEvents
query: |
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
| where ProcessCommandLine has "Net.WebClient"
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "http:"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,DeviceId, ReportId
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,DeviceId, ReportId
metadata:
source:
kind: Community


@ -5,19 +5,19 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceInfo
- DeviceInfo
query: |
//Find status change from Exposurelevel
DeviceInfo
| serialize
| where ExposureLevel == "High"
| where Timestamp > ago(12h)
| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
| extend PrevExposureLevel = prev(ExposureLevel)
| where PrevExposureLevel <> ExposureLevel
| where ExposureLevel <> "Medium" or ExposureLevel <> "Low"
| where PrevExposureLevel <> "High"
| distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp
//Find status change from Exposurelevel
DeviceInfo
| serialize
| where ExposureLevel == "High"
| where Timestamp > ago(12h)
| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
| extend PrevExposureLevel = prev(ExposureLevel)
| where PrevExposureLevel <> ExposureLevel
| where ExposureLevel <> "Medium" or ExposureLevel <> "Low"
| where PrevExposureLevel <> "High"
| distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp
metadata:
source:
kind: Community
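Review bot: The `| where ExposureLevel == "High"` placed right after `| serialize` filters the rows before `prev(ExposureLevel)` is computed, so every surviving row already has ExposureLevel "High", PrevExposureLevel is "High" (or null on the first row), and the later `| where PrevExposureLevel <> ExposureLevel` and `| where PrevExposureLevel <> "High"` can keep at most one row — the Low/Medium→High transition this hunt is meant to surface is never observed. `| where ExposureLevel <> "Medium" or ExposureLevel <> "Low"` is also a tautology, since any value fails at most one side, and `prev()` here runs across devices because nothing orders the rows per device before `serialize`. The hunk only reindents the query, but since this is the whole detection I would compute the transition before filtering on the new state: `| sort by DeviceId asc, Timestamp asc | serialize | extend PrevExposureLevel = prev(ExposureLevel), PrevDeviceId = prev(DeviceId)` followed by `| where DeviceId == PrevDeviceId and ExposureLevel == "High" and PrevExposureLevel <> "High"`, dropping the two redundant `where` clauses.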


@ -5,17 +5,17 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
- DeviceEvents
query: |
//List all PnP Devices that have been allowed or blocked
DeviceEvents
| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
| extend parsed=parse_json(AdditionalFields)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
| order by Timestamp desc
//List all PnP Devices that have been allowed or blocked
DeviceEvents
| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"
| extend parsed=parse_json(AdditionalFields)
| extend MediaClassGuid = tostring(parsed.ClassGuid)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)
| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields
| order by Timestamp desc
metadata:
source:
kind: Community


@ -5,14 +5,14 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceInfo
- DeviceInfo
query: |
//List all devices that are not onboarded
DeviceInfo
| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
| where OnboardingStatus <> "Onboarded"
| where Timestamp > ago(1d)
| distinct DeviceName, Date, OnboardingStatus, Timestamp
//List all devices that are not onboarded
DeviceInfo
| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
| where OnboardingStatus <> "Onboarded"
| where Timestamp > ago(1d)
| distinct DeviceName, Date, OnboardingStatus, Timestamp
metadata:
source:
kind: Community


@ -5,14 +5,14 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- DeviceNetworkEvents
query: |
//Network traffic going to DNS(Port 53)
DeviceNetworkEvents
| where RemotePort == "53"
| where RemoteUrl <> ""
| project Timestamp, DeviceName, RemotePort, RemoteUrl
version: 1.0.0
//Network traffic going to DNS(Port 53)
DeviceNetworkEvents
| where RemotePort == "53"
| where RemoteUrl <> ""
| project Timestamp, DeviceName, RemotePort, RemoteUrl
version: 1.0.1
metadata:
source:
kind: Community


@ -5,13 +5,13 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- DeviceNetworkEvents
query: |
//Network traffic going to port 80 and 443
DeviceNetworkEvents
| where RemotePort == "80" or RemotePort == "443"
| project Timestamp, DeviceName, RemotePort, RemoteIP, RemoteUrl
version: 1.0.0
//Network traffic going to port 80 and 443
DeviceNetworkEvents
| where RemotePort == "80" or RemotePort == "443"
| project Timestamp, DeviceName, RemotePort, RemoteIP, RemoteUrl
version: 1.0.1
metadata:
source:
kind: Community


@ -5,12 +5,12 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceRegistryEvents
- DeviceRegistryEvents
query: |
//Detect Proxy configurations changes on endpoints
DeviceRegistryEvents
| where RegistryValueName contains "AutoConfigURL" or RegistryValueName contains "Proxy"
| project DeviceName, RegistryKey, RegistryValueName,RegistryValueData
//Detect Proxy configurations changes on endpoints
DeviceRegistryEvents
| where RegistryValueName contains "AutoConfigURL" or RegistryValueName contains "Proxy"
| project DeviceName, RegistryKey, RegistryValueName,RegistryValueData
metadata:
source:
kind: Community


@ -5,13 +5,13 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
- DeviceEvents
query: |
//Show usb mounted devices and drive letters
DeviceEvents
| where ActionType contains "USB"
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| distinct DeviceName, ActionType, DriveLetter, Timestamp
//Show usb mounted devices and drive letters
DeviceEvents
| where ActionType contains "USB"
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| distinct DeviceName, ActionType, DriveLetter, Timestamp
metadata:
source:
kind: Community


@ -5,20 +5,20 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
- DeviceEvents
query: |
//Show usb mounted and files copied
DeviceEvents
| where ActionType contains "USB"
| where Timestamp > ago(1d)
| project USBMountTime = Timestamp, DeviceName, DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join (DeviceFileEvents
//Show usb mounted and files copied
DeviceEvents
| where ActionType contains "USB"
| where Timestamp > ago(1d)
| project USBMountTime = Timestamp, DeviceName, DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join (DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated"
| parse FolderPath with DriveLetter '\\' *
| extend DriveLetter = tostring(DriveLetter))on DeviceName, DriveLetter
| project USBMountTime, DeviceName, DriveLetter, ActionType, FileName, FolderPath, FileSize
version: 1.0.0
| project USBMountTime, DeviceName, DriveLetter, ActionType, FileName, FolderPath, FileSize
version: 1.0.1
metadata:
source:
kind: Community


@ -5,23 +5,23 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- DeviceNetworkEvents
query: |
DeviceNetworkEvents
| where RemoteUrl <> ""
| extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt')
| join kind=leftouter (DeviceEvents
DeviceNetworkEvents
| where RemoteUrl <> ""
| extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt')
| join kind=leftouter (DeviceEvents
| where ActionType == 'SmartScreenUrlWarning' or ActionType == 'ExploitGuardNetworkProtectionBlocked'
| extend A=parse_json(AdditionalFields)
| extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt')
) on DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName, TimeStampformated
| where InitiatingProcessFileName == "msedge.exe" or InitiatingProcessFileName == "chrome.exe"
//| where RemoteUrl contains "facebook"
//| where InitiatingProcessAccountName contains "Matt"
//| where ActionType1 <> ""
| distinct TimeStampformated,DeviceName, Action=ActionType1, URL_IPAddress=RemoteIP, URL=RemoteUrl, Username=InitiatingProcessAccountName, Browser=InitiatingProcessFileName
| order by TimeStampformated desc
version: 1.0.0
| where InitiatingProcessFileName == "msedge.exe" or InitiatingProcessFileName == "chrome.exe"
//| where RemoteUrl contains "facebook"
//| where InitiatingProcessAccountName contains "Matt"
//| where ActionType1 <> ""
| distinct TimeStampformated,DeviceName, Action=ActionType1, URL_IPAddress=RemoteIP, URL=RemoteUrl, Username=InitiatingProcessAccountName, Browser=InitiatingProcessFileName
| order by TimeStampformated desc
version: 1.0.1
metadata:
source:
kind: Community


@ -5,13 +5,13 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceTvmSoftwareInventory
- DeviceTvmSoftwareInventory
query: |
//Software Inventory by OS
DeviceTvmSoftwareInventory
| where OSPlatform contains "iOS"
| project DeviceName,SoftwareName, SoftwareVendor, SoftwareVersion
version: 1.0.0
//Software Inventory by OS
DeviceTvmSoftwareInventory
| where OSPlatform contains "iOS"
| project DeviceName,SoftwareName, SoftwareVendor, SoftwareVersion
version: 1.0.1
metadata:
source:
kind: Community


@ -5,31 +5,31 @@ description: |
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- IdentityDirectoryEvents
- IdentityDirectoryEvents
tactics:
- Credential Access
query: |
//Moving User Objects to different OUs
IdentityDirectoryEvents
| where ActionType == 'Account Path changed'
| extend parsed=parse_json(AdditionalFields)
| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
| extend Affected_User = iff( isnull(AdditionalFields.["TARGET_OBJECT.USER"]), AdditionalFields.["TARGET_OBJECT.USER"], AdditionalFields.["TARGET_OBJECT.USER"])
| where TargetDeviceName == ""
| project Timestamp, ActionType, INITIATED_BY, Affected_User, FROM_Account_Path, TO_Account_Path, AdditionalFields
//Moving User Objects to different OUs
IdentityDirectoryEvents
| where ActionType == 'Account Path changed'
| extend parsed=parse_json(AdditionalFields)
| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
| extend Affected_User = iff( isnull(AdditionalFields.["TARGET_OBJECT.USER"]), AdditionalFields.["TARGET_OBJECT.USER"], AdditionalFields.["TARGET_OBJECT.USER"])
| where TargetDeviceName == ""
| project Timestamp, ActionType, INITIATED_BY, Affected_User, FROM_Account_Path, TO_Account_Path, AdditionalFields
//Moving Computer Objects to different OUs
IdentityDirectoryEvents
| where ActionType == 'Account Path changed'
| extend parsed=parse_json(AdditionalFields)
| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
| where TargetDeviceName <> ""
| project Timestamp, ActionType, INITIATED_BY, TargetDeviceName, FROM_Account_Path, TO_Account_Path, AdditionalFields
version: 1.0.0
//Moving Computer Objects to different OUs
IdentityDirectoryEvents
| where ActionType == 'Account Path changed'
| extend parsed=parse_json(AdditionalFields)
| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"])
| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"])
| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"])
| where TargetDeviceName <> ""
| project Timestamp, ActionType, INITIATED_BY, TargetDeviceName, FROM_Account_Path, TO_Account_Path, AdditionalFields
version: 1.0.1
metadata:
source:
kind: Community


@ -2,12 +2,17 @@ id: 518e6938-10ef-4165-af19-82f1287141bc
name: ATP policy status check
description: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
description-detailed: |
This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where Application == "Microsoft Exchange Online"
@ -19,3 +24,4 @@ query: |
| extend packed = pack(Name, Value)
| summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
| evaluate bag_unpack(PackedInfo)
version: 1.0.0


@ -2,12 +2,17 @@ id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
name: JNLP-File-Attachment
description: |
JNLP file extensions are an uncommon file type often used to deliver malware.
description-detailed: |
JNLP file extensions are an uncommon file type often used to deliver malware.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where FileName endswith ".jnlp"
version: 1.0.0
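Review bot: The new `description-detailed` block on the JNLP-File-Attachment hunt repeats the one-line `description` verbatim, while the sibling hunts in this commit use the field to add detail and a reference link, so as written it adds nothing to the metadata. A one-sentence expansion grounded in the query would do, e.g. `Lists email attachments whose file name ends with .jnlp (Java Network Launch Protocol), a file type rarely seen in legitimate mail and often used to deliver malware.`, optionally followed by a `Reference - <DOCS_URL>` line like the neighbouring files.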


@ -2,12 +2,17 @@ id: 16eda414-1550-4cdc-8512-0769901d3f05
name: Safe Attachments detections
description: |
This query provides insights on the detections done by Safe Attachment detections
description-detailed: |
This query provides insights on the detections done by Safe Attachment detections.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
@ -15,3 +20,4 @@ query: |
| where detection has "File detonation reputation" or detection has "File detonation"
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0


@ -2,12 +2,17 @@ id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
name: Authentication failures by time and authentication type
description: |
This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
description-detailed: |
This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (30d)
@ -15,3 +20,4 @@ query: |
| evaluate bag_unpack(AR)
| where DMARC == "fail"
| summarize count() by bin(Timestamp, 1d)
version: 1.0.0
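Review bot: The new description-detailed line lists the authentication types as `DMARC, DKIM, SPM, CompAuth`; `SPM` looks like a typo for `SPF`, which is the field name the sibling spoof query filters on alongside `DMARC`, `DKIM` and `CompAuth`, and the name a user would need to substitute into the `| where DMARC == "fail"` line. Suggested wording: `Update the authentication type below (DMARC, DKIM, SPF, CompAuth) to see different results.` The short `description:` line carries the same `SPM` but is unchanged context here and should be corrected in the same pass.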


@ -1,16 +1,22 @@
id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
name: Spoof attempts with auth failure
description: |
this query helps in checking for spoofing attempts on the domain with Authentication failures
This query helps in checking for spoofing attempts on the domain with Authentication failures
description-detailed: |
This query helps in checking for spoofing attempts on the domain with Authentication failures.
Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago (1d) and DetectionMethods contains "spoof"
| project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
version: 1.0.0


@ -1,13 +1,18 @@
id: ba1a91ad-1f99-4386-b191-06a76ef213f8
name: Audit Email Preview-Download action
description: |
This query helps report on who Previewed/Downloaded email messages using Email entitiy page in MDO
This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
description-detailed: |
This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege escalation
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
CloudAppEvents
| project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
@ -20,4 +25,5 @@ query: |
| extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
| summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
| extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
| project-away RowNumber
| project-away RowNumber
version: 1.0.0


@ -1,14 +1,20 @@
id: bc2d8214-afb6-4876-b210-25b69325b9b2
name: Hunt for TABL changes
description: |
This query helps hunting for Tenant allow/block list (TABL) changes in MDO
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
description-detailed: |
This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Defense evasion
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CloudAppEvents
| where ActionType contains "TenantAllowBlockListItems"
| order by Timestamp desc
| order by Timestamp desc
version: 1.0.0


@ -1,15 +1,20 @@
id: 712ffdd8-ddce-4372-85dd-063029b418cf
name: Local time to UTC time conversion
description: |
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
description-detailed: |
This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
| where DeliveryAction == "Delivered"
| where LatestDeliveryLocation == "Quarantine"
version: 1.0.0
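Review bot: The new `InitialAccess` / `T1566` mapping does not describe this file, which the description itself presents as a sample timezone-conversion query usable with any table; tagging it as Phishing will list it under that technique in hunting views where it is not relevant. If the schema requires a tactic, it would help to say in description-detailed that the mapping is nominal, or to reconsider whether a conversion sample belongs among detection-oriented hunting queries. The hard-coded `Europe/Madrid` zone and August 2023 window are unchanged context.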


@ -1,7 +1,10 @@
id: deb4b2c6-c10e-4044-8cf4-84243e40db73
name: MDO daily detection summary report
description: |
This query helps report daily on total # of emails, total # of emails detected as Malware, Phish, Spam, Bulk, total number of user/admin submissions, total # of ZAP events, total # of AIR investigations and their result
This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
description-detailed: |
This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -10,7 +13,9 @@ requiredDataConnectors:
- EmailEvents
- EmailPostDeliveryEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let QueryTime = 30d;
let Reports = CloudAppEvents
@ -57,4 +62,5 @@ query: |
| join kind=fullouter ThreatByAutomation on Date_value
| sort by Date_value asc
| project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
| where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
version: 1.0.0
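Review bot: The new short `description:` line reads `total number of emails detected aby Defender for Office 365`, which has a typo (`aby`) and is an incomplete sentence. Suggested text: `This query helps report daily on the total number of emails and the number detected by Defender for Office 365.` The new description-detailed line already carries the full breakdown (Malware, Phish, Spam, Bulk, submissions, ZAP, AIR), so the short line only needs the summary.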


@ -2,15 +2,20 @@ id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
name: Mail item accessed
description: |
This query helps reviewing emails accessed by end users using cloud app events data
description-detailed: |
This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| where Record == 50
| take 10
version: 1.0.0
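Review bot: The new tactic/technique mapping (`InitialAccess` / `T1566`, Phishing) does not fit a query that surfaces mailbox access: the `| where Record == 50` filter on the parsed RecordType appears to select the MailItemsAccessed audit record, which is about mail being read rather than a phish being delivered. `Collection` with `T1114` (Email Collection) seems the closer mapping; please confirm against the record type before changing. A comment in the query body such as `// RecordType 50 = MailItemsAccessed (confirm against the audit schema)` would also explain the magic number to the next reader.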


@ -1,13 +1,17 @@
id: 63c799bc-7567-4e4d-97be-e143fcfaa333
name: Malicious email senders
description: |
This query helps reviewing emails from sender with atleast one email in quarantine
This query helps hunting for emails from a sender with at least one email in quarantine
description-detailed: |
This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let SenderWithQuarantine = EmailEvents
| where LatestDeliveryLocation == "Quarantine"
@ -15,3 +19,4 @@ query: |
EmailEvents
| where LatestDeliveryLocation == "Inbox/folder"
| where SenderFromAddress in (SenderWithQuarantine)
version: 1.0.0


@ -1,15 +1,18 @@
id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
name: New TABL Items
description: |
Identifies new items being added to the Tenant/Allow Block List (TABL). The output includes details about both Allow and Block entries.
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
description-detailed: |
This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DefenseEvasion
- DefenseEvasion
relevantTechniques:
- T1484
- T1562
query: |
CloudAppEvents
| where ActionType == "New-TenantAllowBlockListItems"
@ -27,3 +30,4 @@ entityMappings:
fieldMappings:
- identifier: FullName
columnName: AccountUpn
version: 1.0.0


@ -0,0 +1,18 @@
id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
name: Emails containing links to IP addresses
description: |
This query helps hunting for Emails containing links to IP addresses
description-detailed: |
This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
version: 1.0.0
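Review bot: `requiredDataConnectors.dataTypes` declares `EmailEvents`, but the query body reads `EmailUrlInfo`; the entry should be `- EmailUrlInfo` so the dependency the new file declares matches the table it actually uses. Separately, the regex `file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}` only matches `file://` URLs, while the name and both descriptions promise emails containing links to IP addresses in general; if `file://` is the intent, the description should say so, otherwise the scheme part needs widening (e.g. `(?:https?|file)://`). There is also no `Timestamp` filter, so the query scans the full retention of EmailUrlInfo on every run.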


@ -0,0 +1,30 @@
id: e6259b03-622e-4e11-9c54-94987dad7c14
name: Good emails from senders with bad patterns
description: |
This query helps hunting for good emails from senders with bad patterns
description-detailed: |
This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Good emails from senders with bad patterns
let PctPhishThreshold = 50;
let LookbackWindow = 1d;
EmailEvents
| where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
| where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
| summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
| project-away SenderMailFromAddress1,AuthenticationDetails1
| extend PctPhish = (PhishCount*100 / TotalCount)
| where PctPhish < 100 and PctPhish>= PctPhishThreshold
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
version: 1.0.0


@ -2,12 +2,16 @@ id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
name: Hunt for email conversation take over attempts
description: |
This query helps hunting for email conversation take over attempts
description-detailed: |
This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
@ -32,4 +36,5 @@ query: |
and Pair1 == ""
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
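Review bot: The visible parts of this query body (the `let emailDelivered = EmailEvents | where Timestamp < ago(4hrs)` opening and the closing `join kind=leftouter (EmailDomains)` / `where SenderFromDomain1 == ""` / `distinct ...` lines) are identical to those of the `Mail reply to new domain` file further down in this commit; the middle of both bodies is outside the hunks, so this may be a full duplicate under two names and ids. If the two differ, the new description-detailed line should say how; if they do not, one of the files should be removed rather than both receiving new metadata. The query body itself is unchanged context apart from the trailing-newline change.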


@ -2,13 +2,18 @@ id: 57f95ba7-938d-4a76-b411-c01034c0d167
name: Hunt for malicious URLs using external IOC source
description: |
This query helps hunt for emails with malicious URLs based on external IOC source
description-detailed: |
This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailUrlInfo
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let url = (externaldata(url: string )
[@"https://urlhaus.abuse.ch/downloads/text_online/"]
@ -19,4 +24,5 @@ query: |
| where Timestamp > ago(2h)
) on $left.url == $right.Url
|join EmailEvents on NetworkMessageId
|project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
|project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
version: 1.0.0
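Review bot: The new description-detailed line says `Advance hunting in Microsoft Defender XDR`; the feature is named `Advanced hunting` (the linked learn.microsoft.com page uses that name), so the line should read `... using Defender for Office 365 and Advanced hunting in Microsoft Defender XDR`. The same wording appears in the new description-detailed line of the malicious-attachments query in the next file section and should be fixed alongside.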


@ -2,12 +2,17 @@ id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
name: Hunt for malicious attachments using external IOC source
description: |
This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
description-detailed: |
This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let abuse_sha256 = (externaldata(sha256_hash: string)
[@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
@ -18,4 +23,5 @@ query: |
| join (EmailAttachmentInfo
| where Timestamp > ago(1d)
) on $left.sha256_hash == $right.SHA256
| project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
| project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
version: 1.0.0
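Review bot: Both the `description:` line and the new `description-detailed:` line say `SH256 hash`; the column the query joins on is `SHA256` and the feed is a SHA-256 export, so this is a typo that should read `SHA256 hash` in both places. The short description is unchanged context here, but since the detailed copy is new it is worth correcting both together.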


@ -2,14 +2,20 @@ id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
name: Inbox rule changes which forward-redirect email
description: |
This query helps hunting for Inbox rule changes which forward-redirect email
description-detailed: |
This query helps hunting for Inbox rule changes which forward-redirect email
Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Persistence
- Persistence
relevantTechniques:
- T1098
query: |
CloudAppEvents
| where ActionType contains "Set-InboxRule"
|extend Parameters = tostring((parse_json(RawEventData)).Parameters)
|where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
|where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
version: 1.0.0
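Review bot: The new mapping `Persistence` / `T1098` (Account Manipulation) is a loose fit for inbox rules that forward or redirect mail; `T1114` (Email Collection, under `Collection`) covers forwarding rules directly and is worth adding or substituting. The filter `ActionType contains "Set-InboxRule"` is unchanged context, but it does not cover `New-InboxRule`, so a forwarding rule created in one step rather than modified afterwards is missed; `| where ActionType in ("New-InboxRule", "Set-InboxRule")` would close that gap.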


@ -2,19 +2,25 @@ id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2
name: MDO_CountOfRecipientsEmailaddressbySubject
description: |
Count of recipient's email addresses by subject
description-detailed: |
Count of recipient's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
metadata:
source:
kind: Community
@ -23,4 +29,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0
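Review bot: This file and `MDO_Countofrecipientsemailaddressesbysubject` (two file sections below, id f840db5b-…) carry the same description and the same query body (`summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject` with the `>= 15` threshold) under different ids and names; the commit re-indents and adds metadata to both instead of removing one. If the duplication is intended, the descriptions should state how the two differ; otherwise one file should be dropped. The re-indented query lines themselves are unchanged.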


@ -2,19 +2,25 @@ id: b95994d1-1008-4c42-a74f-9f2967e39ed6
name: MDO_CountOfSendersEmailaddressbySubject
description: |
Count of sender's email addresses by subject
description-detailed: |
Count of sender's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of sender's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountSenderFromAddress >= 10
| project SenderFromAddress, CountSenderFromAddress, Subject
//Count of sender's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountSenderFromAddress >= 10
| project SenderFromAddress, CountSenderFromAddress, Subject
metadata:
source:
kind: Community
@ -23,4 +29,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0


@ -1,20 +1,26 @@
id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
name: MDO_Countofrecipientsemailaddressesbysubject
description: |
Count of recipient's email addresses by subject
Count of recipient's email addresses by subject
description-detailed: |
Count of recipient's email addresses by subject
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
//Count of recipient's email addresses by subject
EmailEvents
//Change the date for as far back as you want to go
| where Timestamp > ago(10d)
| summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
//Change the Count of how many times the email with the same subject has come in
| where CountRecipientEmailAddress >= 15
| project RecipientEmailAddress, CountRecipientEmailAddress, Subject
metadata:
source:
kind: Community
@ -23,4 +29,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0


@ -2,20 +2,26 @@ id: a96c1571-1f7d-48dc-8287-7df5a5f0d987
name: MDO_SummaryOfSenders
description: |
Count of all Senders and where they were delivered
description-detailed: |
Count of all Senders and where they were delivered
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//Distinct Count
EmailEvents
| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
//Distinct Count
EmailEvents
| summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
Emails = count_distinct(DeliveryLocation == "Inbox/folder"),
JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress
//Count of all Senders and where they were delivered
EmailEvents
| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
//Count of all Senders and where they were delivered
EmailEvents
| summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
Emails = count(DeliveryLocation == "Inbox/folder"),
JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress
metadata:
@ -26,4 +32,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0
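Review bot: The re-indented query body does not look runnable as written: `count(DeliveryLocation == "Quarantine")` passes a predicate to `count()`, which takes no arguments in KQL (the predicate form is `countif()`), and `count_distinct(DeliveryLocation == "Quarantine")` counts the distinct boolean values (at most two) rather than quarantined messages. The two `summarize` statements are also placed one after the other without a separator, so only one of them can be the query's tabular expression. The commit only re-indents these lines, but since they are touched it is the moment to collapse the body into a single statement using `countif`; `Quaratine` in the column names is also a typo for `Quarantine`, and if the distinct-count variant is still wanted it needs its own file.
```yaml
query: |
  //Count of all Senders and where they were delivered
  EmailEvents
  | summarize QuarantineEmails = countif(DeliveryLocation == "Quarantine"),
              Emails = countif(DeliveryLocation == "Inbox/folder"),
              JunkEmails = countif(DeliveryLocation == "Junk folder") by SenderFromAddress
# … unchanged: metadata block …
```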


@ -2,15 +2,21 @@ id: 2c6e7f75-d83c-4344-afdc-83335fe550e6
name: MDO_URLClickedinEmail
description: |
URLs clicked in Email
description-detailed: |
URLs clicked in Email
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
- UrlClickEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ActionType == "ClickAllowed"
//| where ActionType <> "ClickAllowed"
| project AccountUpn, ActionType, Url
UrlClickEvents
| where ActionType == "ClickAllowed"
//| where ActionType <> "ClickAllowed"
| project AccountUpn, ActionType, Url
metadata:
source:
kind: Community
@ -19,4 +25,5 @@ metadata:
support:
tier: Community
categories:
domains: [ "Security" ]
domains: [ "Security" ]
version: 1.0.0


@ -2,12 +2,17 @@ id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
name: Detections by detection methods
description: |
This query helps reviewing malicious email detections by detection methods
description-detailed: |
This query helps reviewing malicious email detections by detection methods in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(7d)
@ -38,3 +43,4 @@ query: |
Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
| project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
version: 1.0.0


@ -2,12 +2,16 @@ id: da7b973a-0045-4fd6-9161-269369336d24
name: Mail reply to new domain
description: |
This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
description-detailed: |
This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
@ -33,3 +37,4 @@ query: |
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0


@ -2,15 +2,20 @@ id: 6b478186-da3b-4d71-beaa-aa5b42908499
name: Mailflow by directionality
description: |
This query helps reviewing inbound / outbound / intra-org emails by domain per day
description-detailed: |
This query helps reviewing inbound / outbound / intra-org emails by domain per day
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
| summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0


@ -2,12 +2,16 @@ id: da932998-81dd-4be4-963c-f4890cb4192e
name: Malicious emails detected per day
description: |
This query helps reviewing Malware, Phishing, Spam emails caught per day
description-detailed: |
This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
@ -22,3 +26,4 @@ query: |
'Spam')
| summarize total=count() by detection, bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0


@ -2,12 +2,16 @@ id: b2beec6a-2c1c-4319-a191-e70c2ee42857
name: Sender recipient contact establishment
description: |
This query helps in checking the sender-recipient contact establishment status
description-detailed: |
This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(30d)
@ -28,3 +32,4 @@ query: |
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0


@ -1,16 +1,21 @@
id: 12225f50-9d41-4b78-8269-cc127d98654c
name: Top 100 malicious email senders
description: |
This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days
This query helps reviewing top 100 malicious senders
description-detailed: |
This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize total=count() by SenderMailFromAddress
| top 100 by total
version: 1.0.0


@ -2,14 +2,19 @@ id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
name: Top 100 senders
description: |
This query helps reviewing top 100 senders in your organization in last 30 days
description-detailed: |
This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| summarize mailCountBySender = count() by SenderMailFromAddress
| top 100 by mailCountBySender
version: 1.0.0


@ -2,14 +2,19 @@ id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
name: Zero day threats
description: |
This query helps reviewing zero day threats via URL and file detonations
description-detailed: |
This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
| count
version: 1.0.0


@ -1,7 +1,9 @@
id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
name: Email containing malware accessed on a unmanaged device
description: |
In this query, we looking for emails containing malware accessed on a unmanaged device
In this query, we are looking for emails containing malware accessed on a unmanaged device
description-detailed: |
In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
@ -9,7 +11,9 @@ requiredDataConnectors:
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Malware
- Execution
relevantTechniques:
- T1204
query: |
EmailPostDeliveryEvents
| where ActionType == "Malware ZAP"
@ -22,4 +26,5 @@ query: |
) on InternetMessageId
| where isnotempty(SessionId)
| join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
version: 1.0.0
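Review bot: The new description lines have grammar slips: `a unmanaged device` should be `an unmanaged device` in both the short and the detailed description, and `The query using multiple data sources` should be `The query uses multiple data sources`. Suggested detailed text: `In this query, we are looking for emails containing malware accessed on an unmanaged device (no device name in the sign-in record). The query uses multiple data sources across Defender XDR, including Defender for Office 365.` The parenthetical reflects the `isempty(DeviceName)` filter on AADSignInEventsBeta that the query uses to define "unmanaged", which the description does not currently explain.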


@ -1,15 +1,20 @@
id: 07c85687-6dee-4266-9345-1e34de85d989
name: Email containing malware sent by an internal sender
description: |
In this query, we looking for emails containing malware attachment sent by an internal sender
In this query, we are looking for emails containing malware attachment sent by an internal sender
description-detailed: |
In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Malware
- LateralMovement
relevantTechniques:
- T1534
query: |
EmailEvents
| where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
| where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
version: 1.0.0


@ -2,13 +2,17 @@ id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
name: Email malware detection report
description: |
This query helps reviewing email malware detection cases
description-detailed: |
This query helps reviewing email malware detection cases in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -19,3 +23,4 @@ query: |
| extend Case = array_length(ThreatFamily_wih_Attachment)
| project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
| sort by Case desc
version: 1.0.0
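Review bot: The projected column `ThreatFamily_wih_Attachment` in the second hunk looks like a typo of `ThreatFamily_with_Attachment`; since it is a user-visible result column, it is worth fixing while the file is being touched, e.g. `| extend Case = array_length(ThreatFamily_with_Attachment)` and `| project RecipientEmailAddress, Case, ThreatFamily_with_Attachment`. The `extend`/`summarize` that defines the column appears to be above the hunk, so it would need the same rename there.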


@ -2,12 +2,16 @@ id: a3619c75-a927-4dbb-91cc-9adc55e95bda
name: Malware detections by detection methods
description: |
This query helps reviewing malware detections by detection methods
description-detailed: |
This query helps reviewing malware detections by detection methods in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -25,3 +29,4 @@ query: |
)
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
version: 1.0.0


@ -2,14 +2,20 @@ id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
name: Admin overrides
description: |
This query helps in reviewing malicious emails allowed due to admin overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where DeliveryLocation == "Inbox/folder"
| where isnotempty(ThreatTypes) and OrgLevelAction == "Allow"
| count
version: 1.0.0
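Review bot: The query has no time window, so `| count` covers the whole retention period rather than a review period like the `ago(30d)` used by the sibling override queries on this page; adding `| where Timestamp > ago(30d)` before the `DeliveryLocation` filter keeps the count comparable with those queries. The same missing time bound applies to the "User overrides" query (`id: b1f797d1-…`), which is otherwise identical apart from `UserLevelAction`.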


@ -2,13 +2,19 @@ id: c73ae295-d120-4f79-aaed-de005f766ad2
name: Top policies performing admin overrides
description: |
This query helps in reviewing top policies for admin overrides (Allow/Block)
description-detailed: |
This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow" //"Block"
| summarize count() by OrgLevelPolicy
version: 1.0.0
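Review bot: The new description-detailed text is missing a space in "(Allow/Block)in Defender for Office 365"; it should read `... overrides (Allow/Block) in Defender for Office 365`. The "Top policies performing user overrides" file (`id: fe2cb53e-…`) has the same typo in its description-detailed. The trailing `//"Block"` on the `OrgLevelAction` line is presumably a hint to swap the value, which would be clearer as a comment line of its own such as `// Change OrgLevelAction == "Allow" to "Block" to review block overrides instead`.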


@ -2,13 +2,19 @@ id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
name: Top policies performing user overrides
description: |
This query helps in reviewing top policies for user overrides (Allow/Block)
description-detailed: |
This query helps in reviewing top policies for user defined detection overrides (Allow/Block)in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
| summarize count() by UserLevelPolicy
version: 1.0.0


@ -2,14 +2,20 @@ id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
name: User overrides
description: |
This query helps in reviewing malicious emails allowed due to user overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EmailEvents
| where DeliveryLocation == "Inbox/folder"
| where isnotempty(ThreatTypes) and UserLevelAction == "Allow"
| count
version: 1.0.0


@ -1,6 +1,8 @@
id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
name: Appspot Phishing Abuse
description: |
This query helps surface phishing campaigns associated with Appspot abuse.
description-detailed: |
This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
Reference - https://twitter.com/MsftSecIntel
@ -10,7 +12,9 @@ requiredDataConnectors:
- EmailUrlInfo
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
// Detect URLs with a subdomain on appspot.com
@ -23,4 +27,5 @@ query: |
| where Url has RecipientEmailAddress
// Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
or Url has base64_encode_tostring(RecipientEmailAddress)
| project-away Timestamp1, NetworkMessageId1, ReportId1
| project-away Timestamp1, NetworkMessageId1, ReportId1
version: 1.0.0


@ -1,13 +1,17 @@
id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
name: Phish detections by detection methods
description: |
This query helps reviewing detections done by some of the most frequent detection technologies in the last 7 days
This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
description-detailed: |
This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(7d)
@ -32,3 +36,4 @@ query: |
)
| extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
version: 1.0.0


@ -1,13 +1,18 @@
id: 25150085-015a-4673-9b67-bc6ad9475500
name: Campaign with randomly named attachments
description: |
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients, typically more than 50, can potentially indicate a QR code phishing campaign
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
description-detailed: |
In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailAttachmentInfo
| where Timestamp > ago(7d)
@ -15,4 +20,5 @@ query: |
| where isnotempty(FileName)
| extend firstFourFileName = substring(FileName, 0, 4)
| summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
| where FirstFourFilesCount >= 10
| where FirstFourFilesCount >= 10
version: 1.0.0
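Review bot: The new description-detailed says the pattern is "typically more than 50" recipients, but the query never filters on `RecipientsCount`; it only applies `| where FirstFourFilesCount >= 10`, so the text and the logic disagree. Either add the recipient threshold the description promises, `| where FirstFourFilesCount >= 10 and RecipientsCount > 50`, or drop the number from the description so it does not overstate what the query checks. The beginning of the query is outside the hunk, so there may be an earlier filter I cannot see.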


@ -2,12 +2,17 @@ id: 9b086a51-e396-4718-90d7-f7b3646e6581
name: Campaign with suspicious keywords
description: |
In this detection, we track emails with suspicious keywords in subjects.
description-detailed: |
In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let PhishingKeywords = ()
{pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
@ -16,4 +21,5 @@ query: |
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| where Subject has_any (PhishingKeywords())
| where Subject has_any (PhishingKeywords())
version: 1.0.0


@ -2,13 +2,18 @@ id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
name: Custom detection-Emails with QR from non-prevalent senders
description: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
description-detailed: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let QRCode_emails = EmailUrlInfo
| where Timestamp > ago (2d)
@ -42,4 +47,5 @@ query: |
| where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
| join kind=inner senders_NMIDs on NetworkMessageId
| project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
QRCode_emails_from_non_prevalent_senders
QRCode_emails_from_non_prevalent_senders
version: 1.0.0


@ -2,13 +2,18 @@ id: 594fe5a1-53b6-466b-86df-028366c3994e
name: Emails delivered having URLs from QR codes
description: |
In this query, we hunt for inbound emails delivered having URLs from QR codes
description-detailed: |
In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -16,4 +21,5 @@ query: |
| where DeliveryAction == "Delivered"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
version: 1.0.0


@ -2,13 +2,18 @@ id: 706b711a-7622-40f1-9ebb-331d1a0ff697
name: Emails with QR codes and suspicious keywords in subject
description: |
In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let SubjectKeywords = ()
{pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
@ -18,4 +23,5 @@ query: |
| where DeliveryAction == "Delivered"
| where Subject has_any (SubjectKeywords)
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where UrlLocation == "QRCode"
version: 1.0.0
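Review bot: `SubjectKeywords` is declared as a parameterless function (`let SubjectKeywords = () {pack_array(...)};`) but used as `has_any (SubjectKeywords)` without the call parentheses, while the sibling "Campaign with suspicious keywords" query invokes its equivalent as `PhishingKeywords()`. Using `| where Subject has_any (SubjectKeywords())` makes the two files consistent and avoids relying on implicit invocation. The middle of the query is outside the hunk.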


@ -2,13 +2,18 @@ id: f708c866-073a-4107-a60b-ba6f86e54caa
name: Emails with QR codes from non-prevalent sender
description: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let senderprevalence =
EmailEvents
@ -27,4 +32,5 @@ query: |
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| distinct SenderFromAddress,Url,NetworkMessageId;
QR_from_non_prevalent
QR_from_non_prevalent
version: 1.0.0


@ -2,13 +2,17 @@ id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
name: Hunting for sender patterns
description: |
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
description-detailed: |
In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let PhishingSenderDisplayNames = ()
{
@ -39,4 +43,5 @@ query: |
| distinct SenderFromDomain);
suspiciousEmails
| where SenderFromDomain !in (prevalentSenders)
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
version: 1.0.0


@ -1,13 +1,17 @@
id: 8c852f12-499f-499b-afc1-25c50aa9b462
name: Hunting for user signals-clusters
description: |
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify th escope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
description-detailed: |
In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let suspiciousClusters = EmailEvents
| where Timestamp > ago(7d)
@ -18,4 +22,5 @@ query: |
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where EmailClusterId in (suspiciousClusters)
| summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
| summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
version: 1.0.0


@ -2,13 +2,18 @@ id: f6354c94-3a95-4235-8530-414f016a7bf6
name: Inbound emails with QR code URLs
description: |
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
description-detailed: |
In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -16,4 +21,5 @@ query: |
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
| render timechart
| render timechart
version: 1.0.0


@ -1,13 +1,17 @@
id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
name: Personalized campaigns based on the first few keywords
description: |
In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
In this detection, we track emails with personalized subjects.
description-detailed: |
In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(1d)
@ -17,4 +21,5 @@ query: |
| extend words = split(Subject," ")
| project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
| where SubjectsCount >= 10
| where SubjectsCount >= 10
version: 1.0.0


@ -1,13 +1,17 @@
id: 54d3455d-27e0-4ceb-99f9-375abd620151
name: Personalized campaigns based on the last few keywords
description: |
In this detection, we track emails with personalized subjects. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
In this detection, we track emails with personalized subjects.
description-detailed: |
In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(1d)
@ -17,4 +21,5 @@ query: |
| extend words = split(Subject," ")
| project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
| where SubjectsCount >= 10
| where SubjectsCount >= 10
version: 1.0.0


@ -1,13 +1,18 @@
id: 8d298b5c-feca-4add-bd42-e43e0a317a88
name: Risky sign-in attempt from a non-managed device
description: |
In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
description-detailed: |
In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
AADSignInEventsBeta
| where Timestamp > ago(7d)
@ -22,4 +27,5 @@ query: |
| where isnotempty(AccountObjectId)
| where isempty(DeviceName)
| where isempty(AadDeviceId)
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
| project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
version: 1.0.0
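Review bot: `requiredDataConnectors.dataTypes` still lists only `EmailEvents`, but the query reads `AADSignInEventsBeta` and nothing from EmailEvents, so the metadata does not describe the table this hunt actually needs; it should be `- AADSignInEventsBeta` (the "Suspicious sign-in attempts" sibling already lists it). The newly added `InitialAccess`/`T1566` mapping is also worth a second look, since the query is about risky sign-ins from unmanaged devices rather than phishing delivery; I cannot tell from the hunk whether the phishing mapping was chosen deliberately to match the reference campaign. The query body continues outside the hunk.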


@ -1,14 +1,19 @@
id: 3131d0ba-32c9-483e-a25c-82e26a07e116
name: Suspicious sign-in attempts from QR code phishing campaigns
description: |
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
description-detailed: |
This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let successfulRiskySignIn = materialize(AADSignInEventsBeta
| where Timestamp > ago(1d)
@ -38,4 +43,5 @@ query: |
| extend items = folders.FolderItems
| mv-expand items
| extend InternetMessageId = tostring(items.InternetMessageId)
| project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
| project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
version: 1.0.0


@ -1,14 +1,18 @@
id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
name: Group quarantine release
description: |
This query helps in reviewing group released messages by detection type. Useful to see what is leading to the largest number of messages being released.
This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
description-detailed: |
This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
@ -17,3 +21,4 @@ query: |
| join EmailEvents on NetworkMessageId
| summarize count() by DetectionMethods
| order by count_ desc
version: 1.0.0


@ -1,14 +1,18 @@
id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
name: High Confidence Phish Released
description: |
This query shows information about high confidence phish email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
This query shows information about high confidence phish email that has been released from the Quarantine.
description-detailed: |
This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
@ -19,4 +23,5 @@ query: |
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
| order by ReleaseTime asc
version: 1.0.0


@ -1,14 +1,19 @@
id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
name: Quarantine Release Email Details
description: |
This query shows information about email that has been released from the Quarantine. The details include the time each email was released and who it was released by.
This query shows information about email that has been released from the Quarantine in Defender for Office 365.
description-detailed: |
This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
@ -18,4 +23,5 @@ query: |
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
| order by ReleaseTime asc
version: 1.0.0


@ -1,16 +1,22 @@
id: 9f135aef-ad25-4df2-bdab-8399978a36a2
name: Quarantine release trend
description: |
This query helps reviewing quarantine release trend
This query helps reviewing quarantine release trend in Defender for Office 365
description-detailed: |
This query helps reviewing quarantine release trend in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| summarize count() by bin(Timestamp, 1d)
| project-rename Releases = count_
| render timechart with (title="Qurantine Releases by Day")
version: 1.0.0
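Review bot: The chart title on the last query line is misspelled, `title="Qurantine Releases by Day"`; since this hunk already touches the file, `| render timechart with (title="Quarantine Releases by Day")` would fix the user-visible label.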


@ -1,6 +1,9 @@
id: 99713387-9d61-49eb-8edc-f51153d8bb01
name: Listing Email Remediation Actions via Explorer
description: |
Listing Email Remediation Actions performed via Explorer in Defender for Office 365
description-detailed: |
Listing Email Remediation Actions performed via Explorer in Defender for Office 365
- Track each cases with Network Message ID
- Sort the users who got a number of actions
- e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items
@ -8,7 +11,10 @@ requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics: []
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
@ -23,4 +29,5 @@ query: |
| extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
| extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
| project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
| order by Sum_case desc
| order by Sum_case desc
version: 1.0.0


@ -2,19 +2,23 @@ id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c
name: Display Name - Spoof and Impersonation
description: |
This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name
description-detailed: |
This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let emailDelivered = EmailEvents
| where Timestamp < ago(24hrs)
and DeliveryAction == "Delivered"
and SenderDisplayName contains "Microsoft"
| summarize count() by SenderFromAddress
| where count_ > 3 // ensuring that some level of communications has occured.
| where count_ > 3 // ensuring that some level of communications has occurred.
| project SenderFromAddress;
EmailEvents
| where Timestamp > ago(24hrs)
@ -27,4 +31,5 @@ query: |
| project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
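Review bot: The description says the query matches "own or other partner company/brand name", but the `emailDelivered` definition hard-codes `SenderDisplayName contains "Microsoft"` with nothing telling the user to change it; a comment on that line such as `// Replace "Microsoft" with your own organization and partner brand names` would make the query usable as intended. The `Timestamp < ago(24hrs)` bound on the baseline also looks deliberate (established senders before the review window), but is easy to misread as a typo next to the `> ago(24hrs)` on the main query, so a one-line comment naming it as the historical baseline would help. The second half of the query is outside the hunk and presumably repeats the brand string.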


@ -1,6 +1,8 @@
id: cdc4da1c-64a1-4941-be59-1f5cc85481ab
name: referral-phish-emails
description: |
Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data
description-detailed: |
The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -8,7 +10,9 @@ requiredDataConnectors:
- EmailEvents
- EmailUrlInfo
tactics:
- Credential Access
- InitialAccess
relevantTechniques:
- T1566
query: |
let EmailAddresses = pack_array
('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
@ -20,3 +24,4 @@ query: |
| extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
| where SenderFromDomain == RecipientDomain
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
version: 1.0.0


@ -2,14 +2,20 @@ id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e
name: Spoof and impersonation detections by sender IP
description: |
This query helps reviewing count of spoof and impersonation detections done per sender IP
description-detailed: |
This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
|where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
| project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4
| summarize count() by SenderIPv4
version: 1.0.0
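Review bot: The new `description-detailed` promises counts "per sender IP", but the query only groups by `SenderIPv4`, so mail that arrived over IPv6 collapses into a single empty-key bucket. Either widen the aggregation, `| summarize count() by SenderIPv4, SenderIPv6`, or state the IPv4-only scope in the description so the reader is not misled. The same gap exists in the "Malicious mails by sender IPs" section ending at L2833, where the query itself carries a `//SenderIPv6` reminder comment.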


@ -2,15 +2,21 @@ id: 011c3d48-f6ca-405f-9763-66c7856ad2ba
name: Spoof and impersonation phish detections
description: |
This query helps reviewing count of phish detections done by spoof detection methods
description-detailed: |
This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
|where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation")
| project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
| evaluate bag_unpack(DT)
| summarize count() by tostring(Phish)
version: 1.0.0
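Review bot: The `Reference -` link added in `description-detailed` carries a `#:~:text=...` text-fragment anchor, which is browser-specific and silently stops working as soon as the article wording changes; the plain article URL up to `/ba-p/3562938` is the stable form. The same fragment appears in the preceding section at L2582. This is the only place in the commit where a reference link was added, so trimming both keeps the metadata durable.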


@ -2,13 +2,17 @@ id: e90345b3-439c-44e1-a85d-8ae84ad9c65b
name: User not covered under display name impersonation
description: |
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
description-detailed: |
This query helps to find threats using display name impersonation for users not already protected with User Impersonation
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- IdentityInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let display_names =
IdentityInfo
@ -21,3 +25,4 @@ query: |
| lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName
| where SenderDisplayName != ""
| summarize by SenderDisplayName
version: 1.0.0
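Review bot: The added `description-detailed` repeats `description` word for word, so it adds no detail, unlike the sibling files in this commit which at least name the data source. A minimal improvement that matches those files: `This query helps to find threats using display name impersonation for users not already protected with User Impersonation, using Defender for Office 365 EmailEvents joined with IdentityInfo display names.` The `query` block continues outside the hunk at L2646.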


@ -2,12 +2,16 @@ id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49
name: Admin reported submissions
description: |
This query helps reviewing admin reported email submissions
description-detailed: |
This query helps reviewing admin reported email submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -15,3 +19,4 @@ query: |
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29
| where ActionType == "AdminSubmission"
version: 1.0.0


@ -2,12 +2,16 @@ id: 1c390fd7-2668-4445-9b7d-055f3851be5f
name: Status of submissions
description: |
This query helps reviewing status of submissions
description-detailed: |
This query helps reviewing status of submissions in Defender for Office 365.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -18,3 +22,4 @@ query: |
| where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
| summarize count() by tostring(SubmissionState)
| sort by count_
version: 1.0.0


@ -2,12 +2,16 @@ id: 2d2351ca-e9a6-4286-b445-a9268189c1dc
name: Top submitters of admin submissions
description: |
This query helps reviewing top submitters of admin submissions
description-detailed: |
This query helps reviewing top submitters of admin submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -18,3 +22,4 @@ query: |
| where ActionType == "AdminSubmission"
| summarize count() by tostring(UserKey)
| sort by count_
version: 1.0.0


@ -2,12 +2,16 @@ id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f
name: Top submitters of user submissions
description: |
This query helps reviewing top submitters of user submissions
description-detailed: |
This query helps reviewing top submitters of user submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -18,3 +22,4 @@ query: |
| where ActionType == "UserSubmission"
| summarize count() by tostring(UserKey)
| sort by count_
version: 1.0.0


@ -2,12 +2,16 @@ id: 0bd33643-c517-48b1-8211-25a7fbd15a50
name: User reported submissions
description: |
This query helps reviewing user reported email submissions
description-detailed: |
This query helps reviewing user reported email submissions in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where Timestamp > ago(30d)
@ -15,3 +19,4 @@ query: |
| extend SubmissionState = (parse_json(RawEventData)).SubmissionState
| where Record == 29
| where ActionType == "UserSubmission"
version: 1.0.0


@ -1,13 +1,17 @@
id: de480ca4-4095-4fef-b3e7-2a3f17f24e78
name: Attacked more than x times average
description: |
This query helps reviewing count of users attacked more than x times average. Update the value of x in the query to get desired results.
This query helps reviewing count of users attacked more than x times average.
description-detailed: |
This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let AverageThreatPerRecipient = toscalar(EmailEvents
| where DetectionMethods != ""
@ -17,3 +21,4 @@ query: |
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| where tolong(total) >= 1*AverageThreatPerRecipient // update "1"
version: 1.0.0
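Review bot: The new `description-detailed` tells the reader to "Update the value of x in the query", but the query has no `x`; the knob is the bare literal `1` in `| where tolong(total) >= 1*AverageThreatPerRecipient // update "1"`. Either reword the description to point at that literal, or introduce the variable the text refers to with `let x = 1; // multiple of the average threat count per recipient` at the top of the query and use `x*AverageThreatPerRecipient` in the filter. The `query` block is split across the hunk boundary at L2804, so the top of it is not visible here.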


@ -2,15 +2,20 @@ id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
name: Malicious mails by sender IPs
description: |
This query helps reviewing sender IPs sending malicious email of type Malware or Phish
description-detailed: |
This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize count() by SenderIPv4 //SenderIPv6
| sort by count_
version: 1.0.0


@ -1,14 +1,18 @@
id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
name: Top 10 URL domains attacking organization
description: |
This query helps reviewing list of top 10 URL domains attacking organization
This query helps reviewing list of top 10 URL domains attacking the organization
description-detailed: |
This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where ThreatTypes != ""
@ -20,3 +24,4 @@ query: |
| summarize total=count() by UrlDomain
| top 10 by total
| render columnchart
version: 1.0.0


@ -2,12 +2,16 @@ id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
name: Top 10% of most attacked users
description: |
This query helps reviewing the list of top 10% of most attacked users
description-detailed: |
This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
let topTargeted = toscalar( EmailEvents
| where DetectionMethods != ""
@ -18,3 +22,4 @@ query: |
| summarize total=count() by RecipientEmailAddress
| where total >= topTargeted
| order by total desc
version: 1.0.0


@ -2,15 +2,20 @@ id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
name: Top external malicious senders
description: |
This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days
description-detailed: |
This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| summarize count() by SenderFromAddress
| sort by count_
version: 1.0.0
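Review bot: Both `description` and the new `description-detailed` say this lists senders of "malware or phishing emails", but the query only filters `EmailDirection == "Inbound"` and never checks `ThreatTypes`, so it ranks every inbound sender by volume, malicious or not. The sibling "Top targeted users" section at L2935 applies the intended filter; adding `| where ThreatTypes has "Malware" or ThreatTypes has "Phish"` after the direction filter makes the query match its own description. If the broader ranking is deliberate, the descriptions should drop the word "malicious" instead.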


@ -2,15 +2,20 @@ id: a1664330-810a-473b-b354-acbaa751a294
name: Top targeted users
description: |
This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days
description-detailed: |
This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
| summarize count() by RecipientEmailAddress
| sort by count_
version: 1.0.0


@ -2,12 +2,16 @@ id: d24e9c4a-b72a-4a85-89cd-83760ae61155
name: End user malicious clicks
description: |
This query helps reviewing list of top users click on Phis URLs
description-detailed: |
This query helps reviewing list of top users click on Phis URLs using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- UrlClickEvents
tactics:
- Initial access
- InitialAccess
relevantTechniques:
- T1566
query: |
UrlClickEvents
| where ThreatTypes contains "Phish"
@ -17,3 +21,4 @@ query: |
| extend ErrorPage = ActionType has_any('UrlErrorPage')
| summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by AccountUpn
| sort by Blocked desc
version: 1.0.0
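Review bot: The new `description-detailed` copies the "Phis URLs" misspelling and the grammar of the existing `description` instead of fixing them, so the typo now appears twice in the file. Suggested wording for the new line: `This query lists the users who clicked on Phish URLs most often, using Defender for Office 365 UrlClickEvents data, broken down by click verdict.` The `query` block starts inside the hunk at L2957 but its middle is outside the view at L2960.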
