Sample queries for Advanced hunting in Microsoft 365 Defender

Перейти к файлу

tali-ash efa17a600b Update README.md		2022-02-17 10:59:25 +02:00
Campaigns	Create Devices with Log4j vulnerability alerts and additional other alert related context.md	2022-01-11 15:46:16 -08:00
Collection	title updates, see-also, typos	2021-03-09 17:56:58 -05:00
Command and Control	Update C2-NamedPipe.md	2021-08-17 20:44:30 +02:00
Credential Access	New AHQ	2021-03-05 10:32:46 -08:00
Defense evasion	title updates, see-also, typos	2021-03-09 17:56:58 -05:00
Delivery	Update Qakbot Craigslist Domains.md	2021-11-02 12:45:44 -07:00
Discovery	title updates, see-also, typos	2021-03-09 17:56:58 -05:00
Email Queries	Update JNLP-File-Attachment.md	2021-08-12 15:26:51 -07:00
Execution	Create Detect PowerShell v2 Downgrade.md	2021-04-16 12:01:53 -04:00
Exfiltration	Update detect-exfiltration-after-termination.md	2022-01-16 17:04:25 +02:00
Exploits	Update CVE-2021-36934 usage detection.md	2022-01-16 17:06:27 +02:00
Fun	Update Make FolderPath Vogon Poetry.md	2020-09-01 14:02:39 -04:00
General queries	Update Events surrounding alert.txt	2022-01-19 17:12:13 +02:00
Impact	Merge pull request #231 from martyav/ransomware-healthcare-misc	2020-11-11 13:28:21 +02:00
Initial access	Update Check for Maalware Baazar (abuse.ch) hashes in your mail flow.md	2022-01-16 17:12:54 +02:00
Lateral Movement	Change CSL to TXT	2021-02-22 15:11:44 +02:00
M365-PowerBi Dashboard	Add files via upload	2021-06-20 08:40:59 +03:00
Network	Change CSL to TXT	2021-02-22 15:11:44 +02:00
Notebooks	Add files via upload	2021-04-26 18:57:58 +03:00
Persistence	title updates, see-also, typos	2021-03-09 17:56:58 -05:00
Privilege escalation	Rename SAM-Name-Changes-CVE-2021-42278 to SAM-Name-Changes-CVE-2021-42278.md	2021-12-16 09:54:50 +02:00
Protection events	Update ExploitGuardBlockOfficeChildProcess.txt	2022-01-19 17:13:26 +02:00
Ransomware	Update IcedId attachments.md	2022-01-16 17:15:32 +02:00
TVM	Update devices_with_vuln_and_users_received_payload.md	2022-01-19 17:14:34 +02:00
Troubleshooting	Updating URL list	2021-09-17 10:33:58 -04:00
Webcasts	Create l33tspeak 11 Oct 2021 - externaldata and query partitioning.csl	2021-10-11 11:25:09 -04:00
.gitignore	Initial commit	2018-03-18 05:07:43 -07:00
00-query-submission-template.md	Update 00-query-submission-template.md	2021-02-15 15:11:31 +02:00
CODE_OF_CONDUCT.md	Create CODE_OF_CONDUCT.md	2020-04-22 15:48:37 +03:00
LICENSE	Initial commit	2018-03-18 05:07:47 -07:00
MTPAHCheatSheetv01-dark.pdf	Add files via upload	2020-07-06 13:45:51 +04:00
MTPAHCheatSheetv01-light.pdf	Add files via upload	2020-07-06 13:45:51 +04:00
README.md	Update README.md	2022-02-17 10:59:25 +02:00
SECURITY.md	Create SECURITY.md	2020-04-22 15:49:02 +03:00

README.md

page_type

languages

products

description

sample

kusto

Microsoft 365 Defender

Microsoft 365 Defender repository for Advanced Hunting

Deprecated

We moved to Microsoft threat protection community, the unified Microsoft Sentinel and Microsoft 365 Defender repository.

Microsoft SIEM and XDR Community provides a forum for the community members, aka, Threat Hunters, to join in and submit these contributions via GitHub Pull Requests or contribution ideas as GitHub Issues. Hunting queries for Microsoft 365 Defender will provide value to both Microsoft 365 Defender and Microsoft Sentinel products, hence a multiple impact for a single contribution. These contributions can be just based on your idea of the value to enterprise your contribution provides or can be from the GitHub open issues list or even enhancements to existing contributions.

Contribute your queries to the Microsoft 365 Defender folder in the Hunting Queries section.
Specifics on what is required for Hunting queries is in the Query Style Guide.
Webcasts content can be found in the Tutorials folder.
Power BI example can be found in the Tools folder.