
Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Boost your knowledge of advanced hunting quickly with Tracking the adversary, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals or jump to more advanced videos that suit your level of experience.

TABLE 1

Episode 1: KQL fundamentals
  Description: This episode covers the basics of advanced hunting in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators.
  Watch: YouTube (54:14)
  Queries: Text file

Episode 2: Joins
  Description: Continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and understand the nuances of the default Kusto innerunique join.
  Watch: YouTube (53:33)
  Queries: Text file

Episode 3: Summarizing, pivoting, and visualizing data
  Description: Now that you’ve learned to filter, manipulate, and join data, it’s time to summarize, quantify, pivot, and visualize. This episode discusses the summarize operator and various calculations, while introducing additional tables in the schema. You’ll also learn to turn datasets into charts that can help you extract insight.
  Watch: YouTube (48:52)
  Queries: Text file

Episode 4: Let’s hunt! Applying KQL to incident tracking
  Description: In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response.
  Watch: YouTube (59:36)
  Queries: Text file

Get more expert training with L33TSP3AK: Advanced hunting in Microsoft 365 Defender, a webcast series for analysts looking to expand their technical knowledge and practical skills in conducting security investigations using advanced hunting in Microsoft 365 Defender.

TABLE 2

Episode 1
  Description: In this episode, you will learn different best practices in running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators.
  Watch: YouTube (56:34)
  Queries: Text file

Episode 2
  Description: In this episode, you will learn how to investigate and respond to suspicious or unusual logon locations and data exfiltration via inbox forwarding rules. Sebastien Molendijk, Senior Program Manager for Cloud Security CxE, shares how to use advanced hunting to investigate multi-stage incidents with Microsoft Defender for Cloud Apps data.
  Watch: YouTube (57:07)
  Queries: Text file

Episode 3
  Description: In this episode we will cover the latest improvements to advanced hunting, how to import an external data source into your query, and how to use partitioning to segment large query results into smaller result sets to avoid hitting API limits.
  Watch: YouTube (40:59)
  Queries: Text file

How to use the CSL file

Before starting an episode, access the corresponding text file on GitHub and copy its contents to the advanced hunting query editor. As you watch an episode, you can use the copied contents to follow the speaker and run queries.

The following excerpt from a text file containing the queries shows a comprehensive set of guidance marked as comments with //.

Kusto

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

The same text file includes queries before and after the comments as shown below. To run a specific query with multiple queries in the editor, move the cursor to that query and select Run query.

Kusto

DeviceLogonEvents
| count

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

CloudAppEvents
| take 100
| sort by Timestamp desc
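The following is an added example of a text file laid out in the same way as the webcast files described above: several queries separated by // comment blocks, each of which is run on its own by placing the cursor in it and selecting Run query. It is not one of the webcast's query files. The column names follow the advanced hunting schema for DeviceLogonEvents and DeviceInfo; the 7-day window and the threshold of 20 failed logons are illustrative values chosen for this example.

```kusto
// Added example file, not from the webcast series. Window (7d) and threshold (20) are illustrative.

// Query 1: volume of logon events by logon type and outcome over the last 7 days.
// A quick baseline before hunting: which logon types are common in this environment?
DeviceLogonEvents
| where Timestamp > ago(7d)
| summarize Events = count() by LogonType, ActionType
| sort by Events desc

// DeviceLogonEvents
// Comment block separating the two queries; the editor only runs the query under the cursor.
// Query 2 narrows to failed network logons, then joins to DeviceInfo (most recent record per
// device) so the OS platform of each affected device is shown alongside the counts.

// Query 2: devices with many failed network logons in the last 7 days
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonFailed" and LogonType == "Network"
| summarize FailedLogons = count(),
            DistinctAccounts = dcount(AccountName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceId, DeviceName
| where FailedLogons > 20
| join kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, OSPlatform) by DeviceId
  ) on DeviceId
| project DeviceName, OSPlatform, FailedLogons, DistinctAccounts, FirstSeen, LastSeen
| sort by FailedLogons desc
```

Query 1 is the kind of baseline the summarize episode works towards, and Query 2 combines that with an inner join of the kind covered in the joins episode; a high DistinctAccounts value on one device is the signal worth investigating, since many accounts failing against a single host is more unusual than one account retrying.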

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team