The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.
- Microsoft 365 Defender
Want to get started searching for email threats using advanced hunting? Try this:
- Configure everything with ‘Anti’ in the name.
- Set up everything with ‘Safe’ in the name.
- Safe Links
- Safe Attachments
- Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
- Protect with zero-Hour auto purge.
Along with a link to jump right in and get configuration going on Day 1.
The last step in Getting Started is protecting users with Zero-Hour auto purge, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.
Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps here, under Hunting > Advanced Hunting.
- On the Advanced Hunting page, click Query.
- Copy the query below into the query window.
- Select Run query.
EmailPostDeliveryEvents | where Timestamp > ago(7d) //List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png | where ActionType has "ZAP" and ActionResult == "Error" | project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress //Get logon activity of recipients using RecipientEmailAddress and AccountUpn | join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn | where Timestamp between ((ZapTime-24h) .. (ZapTime+24h)) //Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon | project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn, LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
The data from this query will appear in the results panel below the query itself. Results include information like ‘DeviceName’, ‘AccountDisplayName’, and ‘ZapTime’ in a customizable result set. Results can also be exported for your records. If the query is one you’ll need again, select Save > Save As and add the query to your list of queries, shared, or community queries.