Advanced hunting example for Microsoft Defender for Office 365

0
(0)

 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender

Want to get started searching for email threats using advanced hunting? Try this:

The Getting Started section of the Microsoft Defender for Office 365 article has logical early configuration chunks that look like this:

  1. Configure everything with ‘Anti’ in the name.
    • Anti-malware
    • Anti-phishing
    • Anti-spam
  2. Set up everything with ‘Safe’ in the name.
    • Safe Links
    • Safe Attachments
  3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
  4. Protect with zero-Hour auto purge.

Along with a link to jump right in and get configuration going on Day 1.

The last step in Getting Started is protecting users with Zero-Hour auto purge, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.

Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps here, under Hunting > Advanced Hunting.

  1. On the Advanced Hunting page, click Query.
  2. Copy the query below into the query window.
  3. Select Run query.
Kusto

EmailPostDeliveryEvents 
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress 
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn, 
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType

The Advanced hunting page (under Hunting) with Query selected at the top of the query panel, and running a Kusto query to capture ZAP actions over the last 7 days.

The data from this query will appear in the results panel below the query itself. Results include information like ‘DeviceName’, ‘AccountDisplayName’, and ‘ZapTime’ in a customizable result set. Results can also be exported for your records. If the query is one you’ll need again, select Save > Save As and add the query to your list of queries, shared, or community queries.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 20 times, 1 visits today)
Tagged: