Merge pull request #650 from MicrosoftDocs/lomayor-mdatp-ah-best-practice

Update advanced-hunting-best-practices.md
This commit is contained in:
lomayor
2019-07-09 11:20:04 -07:00
committed by GitHub

@ -18,7 +18,7 @@ ms.topic: conceptual
ms.date: 04/24/2018
---
# Advanced hunting query best practices Microsoft Defender ATP
# Advanced hunting query best practices in Microsoft Defender ATP
**Applies to:**
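Review bot: the front matter still carries `ms.date: 04/24/2018` while this change rewrites headings and guidance throughout the article; bump `ms.date` in the same commit so readers and the docs build see the content as current. The new title "Advanced hunting query best practices in Microsoft Defender ATP" reads correctly.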
@ -28,23 +28,26 @@ ms.date: 04/24/2018
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/).
- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter.
- Use 'has' keyword over 'contains' when looking for full tokens.
- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
- Use time filters first. Ideally, limit your queries to 7 days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
- Use the `has` operator over `contains` when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
- When joining between two tables - choose the table with less rows to be the first one (left-most).
- When joining between two tables - project only needed columns from both sides of the join.
- When joining between two tables, specify the table with fewer rows first.
- When joining between two tables, project only needed columns from both sides of the join.
>[!Tip]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices).
## Query tips and pitfalls
### Unique Process IDs
Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
### Using process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime)
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares.
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
Example query:
```
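Review bot: the bullet "When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set" has no counterpart in the rewritten list; if dropping it was not intended, restore it after the `has` bullet, since it is the one tip that protects a hunter from an accidental full-table result. Two smaller points in the same hunk: "Use looking in specific column rather than using full text search across all columns" should read "Look in a specific column rather than using full text search across all columns", and the sentence "Microsoft Defender ATP created the time process" does not parse; it should say that the process creation time is recorded alongside the process ID. Also, the rewritten sentence listing `MachineId`, `ComputerName`, `ProcessId`, `InitiatingProcessId`, `ProcessCreationTime` and `InitiatingProcessCreationTime` loses the backtick formatting on those column names and its terminal period, while the same commit adds backticks to column names a few lines later; keep the inline-code style consistently.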
@ -54,13 +57,13 @@ NetworkCommunicationEvents
| where RemoteIPCount > 10
```
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID.
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
### Using command line queries
### Using command lines
Command lines may vary - when applicable, filter on file names and do fuzzy matching.
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
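Review bot: the explanation "The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process" omits the machine identifier that the section above says is required (`MachineId` or `ComputerName`); either the summarize clause should include it, since the same PID and creation time can coincide on different machines, or the sentence should say why the example leaves it out. Minor: "There are numerous ways to construct a command line to accomplish a task." appears unchanged on both sides, so that is a whitespace-only diff and fine; "Command lines can vary. When applicable, filter on file names and do fuzzy matching." is clearer than the original.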
@ -68,7 +71,7 @@ To create more durable queries using command lines, we recommended the following
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs'
- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
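Review bot: the bullet "Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`" is the only item in the list without a terminal period; add one. For consistency with that bullet, the earlier item "use regular expressions or use multiple separate contains operators" should format `contains` as inline code as well. The hunk's context line "we recommended the following" should read "we recommend the following".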
@ -90,7 +93,4 @@ ProcessCreationEvents
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
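Review bot: the hunk header reports three lines removed (`-90,7 +93,4`) but the only visible difference is the duplicated ">Want to experience Microsoft Defender ATP?" call to action, so the remaining removals are blank or whitespace lines; confirm that exactly one copy of the trial link survives at the end of the article. The closing example `| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"` correctly uses the case-insensitive `contains` the list above recommends.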