AH refresh

This commit is contained in:
lomayor 2019-09-26 14:44:42 -07:00
parent 17b7365542
commit cf06fae5d2
15 changed files with 44 additions and 44 deletions

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
The AlertEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
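Review bot: the new [Advanced hunting](overview-hunting.md) link on the intro line and the "schema reference" link-text change on the "For information on other tables" line are the same two-line edit repeated, with only the table name varying, across the AlertEvents, FileCreationEvents, ImageLoadEvents, LogonEvents, MachineInfo, MachineNetworkInfo, MiscEvents, NetworkCommunicationEvents, ProcessCreationEvents and RegistryEvents pages in this commit; moving that boilerplate into a shared include would stop the ten pages from drifting apart again on the next refresh.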

View File

@ -26,14 +26,14 @@ ms.date: 09/25/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
## Performance best practices
The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set.
Apply the following best practices to get results faster and avoid timeouts while running complex queries.
- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
- Use time filters first. Ideally, limit your queries to 7 days.
- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
- Use the `has` operator over `contains` when looking for full tokens.
- Use looking in specific column rather than using full text search across all columns.
- When joining between two tables, specify the table with fewer rows first.
- When joining between two tables, project only needed columns from both sides of the join.
- Look in a specific column rather than running full text searches across all columns.
- When joining tables, specify the table with fewer rows first.
- `project` only the necessary columns from tables you have joined.
>[!TIP]
>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
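Review bot: the rewritten last bullet, "`project` only the necessary columns from tables you have joined", loses the point of the line it replaces ("from both sides of the join"): the saving comes from projecting each table down to the needed columns before the `join` runs, not after it. Suggest "`project` only the necessary columns on both sides before joining tables." The `has` over `contains` bullet could also say why: `has` matches whole tokens, which is what makes it the cheaper choice when you are looking for a full token.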
@ -41,14 +41,12 @@ The following best practices serve as a guideline of query performance best prac
## Query tips and pitfalls
### Using process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process.
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time.
So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
When you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`)
The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
Example query:
```
NetworkCommunicationEvents
| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
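Review bot: the new sentence beginning "When you join data based on a specific process" still ends without a period after "(`ProcessCreationTime` or `InitiatingProcessCreationTime`)", carried over from the old line. The rewritten "The following example query finds processes..." sentence is now immediately followed by the old "Example query:" lead-in, so one of the two is redundant; suggest dropping "Example query:". The sample's `InitiatingProcessId !in (0, 4)` filter deserves a short comment explaining why those two PIDs are excluded, since the surrounding text is about PIDs not being unique.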
@ -62,16 +60,14 @@ The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreatio
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task.
For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could specify the process image file name without a path, with the full path, without the file extension, using environment variables, or with quotes. In addition, the attacker can also change the order of some parameters or add multiple quotes and spaces.
To create more durable queries using command lines, we recommended the following guidelines:
- Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field.
- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command line field.
- When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones.
- To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
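Review bot: "we recommended the following guidelines" in the unchanged lead-in should be "we recommend", and the case-insensitivity bullet ("use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs`") is missing its terminating period. The regex bullet recommends "multiple separate contains operators"; since the performance section in this same commit advises `has` over `contains` for full tokens, it is worth stating which to use when the argument is a whole token. The closing line, "looks for the file *net.exe* to stop the Windows Defender Firewall service", reads as if the file stops the service; suggest "looks for *net.exe* being used to stop the Windows Defender Firewall service".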

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
The FileCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
The ImageLoadEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
The LogonEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
The MachineInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
The MachineNetworkInfo table in the [Advanced hunting](overview-hunting.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
The MiscEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
The NetworkCommunicationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
The ProcessCreationEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -27,7 +27,7 @@ ms.date: 09/25/2019
## Schema tables
The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
The [Advanced hunting](overview-hunting.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.

View File

@ -26,9 +26,9 @@ ms.date: 07/24/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
The RegistryEvents table in the [Advanced hunting](overview-hunting.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|

View File

@ -1,6 +1,6 @@
---
title: Use shared queries in advanced hunting
description: Take advantage of shared advanced hunting queries. Share your queries to the public and to your organization.
description: Take advantage of shared advanced hunting queries. Share your queries to the public or to your organization.
keywords: advanced hunting, atp query, query atp data, atp telemetry, events, events telemetry, kusto, github repo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
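Review bot: "Share your queries to the public or to your organization" in the rewritten description should read "with the public or with your organization".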
@ -25,7 +25,7 @@ ms.date: 09/25/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting queries can be shared among users in the same organization. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
[Advanced hunting](overview-hunting.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
![Image of shared queries](images/atp-advanced-hunting-shared-queries.png)
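Review bot: the added sentence "You can also find queries shared publicly on GitHub" introduces the public repository without a link, even though the page's keywords already list "github repo"; link the repository where it is first mentioned so the reader can reach it.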

View File

@ -25,6 +25,8 @@ ms.date: 09/25/2019
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/en-us/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
## Try your first query
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
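Review bot: the new Kusto link uses the locale-specific URL https://docs.microsoft.com/en-us/azure/kusto/query/, while the best-practices page in this same commit links the Kusto docs without a locale (https://docs.microsoft.com/azure/kusto/query/best-practices); drop `en-us` so both resolve to the reader's locale. "the [schema](advanced-hunting-reference.md) specifically structured for Advanced hunting" would also read better as "the [schema](advanced-hunting-reference.md), which is structured specifically for Advanced hunting".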
@ -47,6 +49,7 @@ This is how it will look like in Advanced hunting.
![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
```
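Review bot: the context line carried in the hunk header, "This is how it will look like in Advanced hunting.", is ungrammatical; suggest "This is how it looks in Advanced hunting."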
@ -56,18 +59,19 @@ ProcessCreationEvents
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed.
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
```
| where EventTime > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
```
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
```
### Search for specific command lines
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
```
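Review bot: "we start by adding with the table name `ProcessCreationEvents`" should be "we start with the table name `ProcessCreationEvents`". The file-name filter `| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")` enumerates upper- and lower-case spellings, which contradicts the case-insensitive matching guidance added to the best-practices page in this commit (`in~` instead of `in`); `| where FileName in~ ("powershell.exe", "powershell_ise.exe")` is shorter and also catches mixed-case spellings the list misses. The `ago(7d)` filter under "Set the time range" is consistent with the "limit your queries to 7 days" bullet.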
@ -77,7 +81,7 @@ Afterwards, the query looks for command lines that are typically used with Power
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
```
### Select result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
```
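Review bot: "making the results well-formatted and reasonably large and easy to process" is self-contradictory; suggest "keeping the result set compact and easy to read". The heading "Select result columns and length" would be clearer as "Select result columns and limit the number of rows", since `top` limits rows, not length.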
@ -104,7 +108,7 @@ Now that you've run your first query and have a general idea of its components,
| **makeset** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
| **find** | Find rows that match a predicate across a set of tables. |
To see a live example of these operators, run them from the **Get started** section in advanced hunting.
To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page.
## Understand data types

View File

@ -58,11 +58,11 @@ Right-click a value in the result set to quickly enhance your query. You can use
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the "+" or "-" buttons on the values that you want to include or exclude and then selecting **Run query**.
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
The filter selections are added as additional query elements and the results are updated accordingly.
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
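Review bot: the rewritten first sentence drops the **Run query** step and the rewritten second sentence reintroduces it as "then run the query" without naming the button; keep one explicit mention so the reader knows what to click, e.g. "Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude, and then select **Run query**. The filter selections are added to the query and the results are updated accordingly."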
## Related topics
- [Learn the query language](advanced-hunting.md)