diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index 7ce887afa8..7209a654db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # Advanced hunting query best practices
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
index 9134afc574..8956d5c3a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
index 82bc19d642..53faa19f58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceFileEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
index fe1f719c73..b9c338f0c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceImageLoadEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
index f05d8d0382..e51b88cf9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceInfo
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
index 689d68d6e6..9814bdbe14 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceLogonEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
index fb91c21fd2..17ba4f7f0d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceNetworkEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
index ba7cf147bf..2e84b08364 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceNetworkInfo
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
index 7b656947ec..6fdba4c948 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceProcessEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
index 8dfc835e93..c0b36b2df8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # DeviceRegistryEvents
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
index 337c1fafca..3570732cf5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # Learn the advanced hunting query language
@@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
 In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents
+// Finds PowerShell execution events that could involve a download
+union DeviceProcessEvents, DeviceNetworkEvents
 | where Timestamp > ago(7d)
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
-| where ProcessCommandLine has "Net.WebClient"
- or ProcessCommandLine has "DownloadFile"
- or ProcessCommandLine has "Invoke-WebRequest"
- or ProcessCommandLine has "Invoke-Shellcode"
- or ProcessCommandLine contains "http:"
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+ "DownloadFile",
+ "DownloadData",
+ "DownloadString",
+ "WebRequest",
+ "Shellcode",
+ "http",
+ "https")
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
 This is how it will look like in advanced hunting.
-![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
+![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
-### Describe the query and specify the table to search
-The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
+
+### Describe the query and specify the tables to search
+A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization.
 ```kusto
-// Finds PowerShell execution events that could involve a download.
-DeviceProcessEvents
+// Finds PowerShell execution events that could involve a download
 ```
-The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
+The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
+```kusto
+union DeviceProcessEvents, DeviceNetworkEvents
+```
 ### Set the time range
-The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
+The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
 ```kusto
 | where Timestamp > ago(7d)
 ```
-### Search for specific executable files
-The time range is immediately followed by a search for files representing the PowerShell application.
-```kusto
-| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
+### Check specific processes
+The time range is immediately followed by a search for process file names representing the PowerShell application.
+
 ```
-### Search for specific command lines
-Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
-
-```kusto
-| where ProcessCommandLine has "Net.WebClient"
- or ProcessCommandLine has "DownloadFile"
- or ProcessCommandLine has "Invoke-WebRequest"
- or ProcessCommandLine has "Invoke-Shellcode"
- or ProcessCommandLine contains "http:"
+// Pivoting on PowerShell processes
+| where FileName in~ ("powershell.exe", "powershell_ise.exe")
 ```
-### Select result columns and length
-Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
+
+### Search for specific command strings
+Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
 ```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
+// Suspicious commands
+| where ProcessCommandLine has_any("WebClient",
+ "DownloadFile",
+ "DownloadData",
+ "DownloadString",
+ "WebRequest",
+ "Shellcode",
+ "http",
+ "https")
+```
+
+### Customize result columns and length
+Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
+
+```kusto
+| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
+FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
 | top 100 by Timestamp
 ```
-Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
+Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
+
+![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
+
+>[!TIP]
+>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
 ## Learn common query operators for advanced hunting
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
index b24bb4db00..de3d5741a4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/08/2019
 ---
 # Use shared queries in advanced hunting
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png
new file mode 100644
index 0000000000..7ef27c4d87
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png
new file mode 100644
index 0000000000..f72fa6a68d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png differ
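Review bot: The new example unions `DeviceNetworkEvents` into the query but then filters only on `FileName` and `ProcessCommandLine`, which are the process-event columns; on the network-event side the PowerShell process is the *initiating* process (the hunk's own `project` line reaches for `InitiatingProcessFileName`, `InitiatingProcessCommandLine`, `RemoteIP` and `RemoteUrl` for exactly that reason). Unless `DeviceNetworkEvents` also populates `FileName`/`ProcessCommandLine` (it does not appear to from the columns used here — worth confirming against the table's schema page), the two `where` clauses discard every network row and the union adds query cost without any of the remote-endpoint context the prose promises. I would widen both filters, e.g. `| where FileName in~ ("powershell.exe", "powershell_ise.exe") or InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe")` and `| where ProcessCommandLine has_any(...) or InitiatingProcessCommandLine has_any(...)` with the same term list, so that network connections made by the suspicious PowerShell process actually surface. Separately, the opening fence under "Check specific processes" is a bare context ``` ``` ``` rather than ``` ```kusto ```, so that snippet will render without syntax highlighting unlike the others in the walkthrough.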
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
deleted file mode 100644
index 57337cd9ab..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG and /dev/null differ