Thanks Neil for your feedback - we appreciate it. :)
RE time filter:
We currently support hunting only on the last 30 days.
Any time filter you add on the EventTime field is an additional filter applied - so in your example it would show all events that occurred between 30 days ago and 4 hours ago.
If I misunderstood your question, please send a frownie feedback from the portal (top right of the page), with your query shown in the page, so that we can see the query details and reply more accurately.
RE RemoteUrl field in NetworkCommunicationsEvents:
You are correct. What this column currently contains in this table is a DNS entry, not a full URL.
However, within a few weeks, some of the events uploaded to this table will contain a full URL.
Also, other events in other tables already contain full URLs - e.g. URLs that were blocked, URLs that were opened from Outlook/Office, etc.
Background on our schema principles:
We have chosen to keep our schema column names consistent between the different tables and events. For example, we could have called the SHA1 field in ProcessCreationEvents "ProcessImageFileSHA1" and called it in FileCreationEvents "CreatedFileSHA1" - but this would eventually create a very complex schema that is hard to learn and to query on top of. Similarly, some fields may contain data in a slightly different format for some events - e.g. some events may sometimes report the full FQDN in the RemoteComputerName field, while others may specify the NETBIOS name. It is problematic to put the two in a single column, but we think it would be more of an issue if we had a different column for every such variation.
Future mitigation:
We will have more elaborate documentation in the future that will explain what each ActionType is, and will also answer some FAQs about it - such as the issue described above.
RE parse_url:
The parse_url function is supported.
See query example here: https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries/blob/master/Delivery/Open%20email%20link.txt
Hope this helps,
Tomer
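As an added example (not part of the thread above, and not one of the queries in the linked repository), this hunting query puts the two points together: the explicit EventTime filter narrows the default 30-day window, and parse_url is applied to RemoteUrl. It uses the NetworkCommunicationsEvents table and the EventTime and RemoteUrl columns as named in the reply; the RemoteIP and ComputerName columns, the 4-hour window and the 1-hour bin size are assumptions. Because the reply says RemoteUrl currently holds a DNS name rather than a full URL, the query falls back to the raw value when parse_url finds no host component.

```kql
// Added example, not from the original thread. Table and column names other than
// NetworkCommunicationsEvents, EventTime and RemoteUrl are assumptions.
NetworkCommunicationsEvents
| where EventTime > ago(4h)                       // further narrows the 30-day hunting window
| where isnotempty(RemoteUrl)
| extend ParsedUrl = parse_url(RemoteUrl)         // dynamic object with Scheme, Host, Port, Path, ...
| extend UrlHost = tostring(ParsedUrl.Host)
// RemoteUrl may still be a bare DNS name (no scheme), in which case there is no Host
// to extract; keep the original value so the row is not lost from the summary.
| extend RemoteHost = iff(isempty(UrlHost), RemoteUrl, UrlHost)
| summarize Connections = count(), Sources = dcount(ComputerName)
    by RemoteHost, RemoteIP, bin(EventTime, 1h)
| order by Connections desc
```

When full URLs start appearing in RemoteUrl, the same query begins populating UrlHost from the parsed value without any change, which is the reason for the fallback rather than a second query per data format.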