Writing tweaks for AH topics

This commit is contained in:
lomayor 2019-10-04 13:35:23 -07:00
parent 6ad7f7a414
commit 266284a6ae
2 changed files with 16 additions and 19 deletions


@ -25,25 +25,23 @@ ms.date: 09/25/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices ## Optimize query performance
Apply the following best practices to get results faster and avoid timeouts while running complex queries. Apply the recommendations to get results faster and avoid timeouts while running complex queries:
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`. - When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to 7 days. - Use time filters first. Ideally, limit your queries to seven days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
- Use the `has` operator over `contains` when looking for full tokens. - Use the `has` operator over `contains` when looking for full tokens.
- Look in a specific column rather than running full text searches across all columns. - Look in a specific column rather than running full text searches across all columns.
- When joining tables, specify the table with fewer rows first. - When joining tables, specify the table with fewer rows first.
- `project` only the necessary columns from tables you have joined. - `project` only the necessary columns from tables you've joined.
>[!TIP] >[!TIP]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices). >For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
## Query tips and pitfalls ## Query tips and pitfalls
### Using process IDs ### Queries with process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
When you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
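Review bot: Renaming the heading from "Performance best practices" to "Optimize query performance" changes the generated fragment (`#performance-best-practices` becomes `#optimize-query-performance`), so any page, shared query or bookmark that links to the old anchor will land at the top of the page; grep the docs set for the old fragment and update those links (or add a redirect) before merging. One more thing in the merged sentence under "Queries with process IDs": it lists `MachineId` or `ComputerName` as interchangeable machine identifiers, but a computer name can be renamed or reused by a different machine over time while `MachineId` stays fixed, so it is worth saying that `MachineId` is the preferred join key and `ComputerName` is only a readable fallback.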
@ -56,20 +54,19 @@ NetworkCommunicationEvents
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Using command lines ### Queries with command lines
Command lines can vary. When applicable, filter on file names and do fuzzy matching. Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could specify the process image file name without a path, with the full path, without the file extension, using environment variables, or with quotes. In addition, the attacker can also change the order of some parameters or add multiple quotes and spaces. There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
To create more durable queries using command lines, we recommended the following guidelines: To create more durable queries using command lines, apply the following practices:
- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command line field. - Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. - When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs` - Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones. - To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
``` ```
// Non-durable query - do not use // Non-durable query - do not use
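Review bot: The practices list is inconsistent in formatting and punctuation. The second bullet says "multiple separate contains operators" in plain text while the next bullet code-formats `contains`; that next bullet ("Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`") has no terminal period and leaves "case insensitive" unhyphenated even though this same hunk just hyphenated "command-line". Suggest `contains` in backticks, a closing period, and "case-insensitive". The fenced example that follows is still untagged; tagging the fence with the query language name would give the `//` comment and the query proper highlighting. Since the first bullet tells readers to match on file-name fields rather than the command line, consider a sentence noting that this is a durability tip and not an integrity check: a copied or renamed binary defeats a file-name match, so the query should be paired with another identifying field where the schema provides one.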


@ -25,7 +25,7 @@ ms.topic: article
Advanced hunting provides access to 30 days of raw data through a flexible query-based interface, allowing you to proactively explore events in your environment and locate interesting indicators and entities. This flexible access to data enables unconstrained hunting for both known and potential threats. Advanced hunting provides access to 30 days of raw data through a flexible query-based interface, allowing you to proactively explore events in your environment and locate interesting indicators and entities. This flexible access to data enables unconstrained hunting for both known and potential threats.
With custom detection rules, you can also leverage Advanced hunting queries to proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. With custom detection rules, you can also use Advanced hunting queries to proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines.
## Get started with Advanced hunting ## Get started with Advanced hunting
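Review bot: The first paragraph of this hunk still uses "flexible" twice in consecutive sentences ("a flexible query-based interface" and then "This flexible access to data"); since the hunk is a copy edit, drop one of them, for example "This access to raw data enables unconstrained hunting for both known and potential threats." The "leverage" to "use" change in the next paragraph reads well.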
@ -33,14 +33,14 @@ We recommend going through several steps to quickly get up and running with Adva
| Learning goal | Description | Resource | | Learning goal | Description | Resource |
|--|--|--| |--|--|--|
| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/en-us/azure/kusto/query/) and thus supports the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting.md) | | **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/en-us/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting.md) |
| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-reference.md) | | **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-reference.md) |
| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) | | **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | [Custom detections overview](overview-custom-detections.md) |
## Get help as you write queries ## Get help as you write queries
Take advantage of the following functionality to write queries faster: Take advantage of the following functionality to write queries faster:
- **Autosuggest** — as you write queries, Advanced hunting provides suggestions.. - **Autosuggest** — as you write queries, Advanced hunting provides suggestions.
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. - **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
## Drilldown from query results ## Drilldown from query results
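Review bot: The Kusto link in the "Get a feel for the language" row keeps a locale in the path (`https://docs.microsoft.com/en-us/azure/kusto/query/`), whereas the tip in the other file in this commit links locale-neutrally (`https://docs.microsoft.com/azure/kusto/query/best-practices`); drop `en-us` so readers are served their own locale. Two smaller items in the same hunk: "advanced hunting queries" in the custom detections row is lower-case while every other mention in the table capitalizes "Advanced hunting", and "insert it to the query editor" in the schema reference bullet should read "insert it into the query editor".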