In the previous chapter of this series, we started our investigation from an incident involving a particular mailbox that received phishing email. We saw how we can use go hunt and the in-portal schema reference to quickly pivot and deepen our investigation, utilizing query-based advanced hunting capabilities.
However, phishing isn’t the only threat impacting email—let's look into how emails with malware are affecting our environment. Our initial mailbox asset, bamorel@mtpdemos.net, did not receive malware, but maybe other mailboxes in the organization did? Let’s check by modifying our first go hunt query to extend our search beyond the original mailbox.
```kql
let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);
EmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
// malware emails
    and MalwareFilterVerdict == "Malware"
```
We find a bunch of malware emails, all of them from the same sender mtpdemos@juno.com. Let’s hunt for all the attachments coming from this sender, and see if someone downloaded them to their devices.
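Before pivoting on the sender, it is worth confirming the "single sender" observation and seeing how far the malware mail spread. The query below is an added example, not code from the original post: it keeps the post's timestamp and 24-hour window, joins each malware email to its attachment records over NetworkMessageId, and summarizes per sender so recipients, attachment names and hashes are visible in one row.

```kql
// Added example (not from the original post): summarize malware verdicts in the
// +/-24h window by sender. The timestamp and window are the ones the go hunt
// query above carries.
let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);
EmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
| where MalwareFilterVerdict == "Malware"
// leftouter keeps malware emails that carry no attachment record (e.g. URL-only verdicts)
| join kind=leftouter (
    EmailAttachmentInfo
    | project NetworkMessageId, FileName, SHA256
) on NetworkMessageId
| summarize
    MalwareEmails = dcount(NetworkMessageId),   // dcount: the join yields one row per attachment
    Recipients = make_set(RecipientEmailAddress),
    Attachments = make_set(FileName),
    Hashes = make_set(SHA256),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by SenderFromAddress
| order by MalwareEmails desc
```

A single row with a large Recipients set is the mass-mailing pattern the post goes on to hunt; several senders sharing the same Hashes set would point at the same campaign arriving from more than one address, which the per-sender pivot that follows would otherwise miss.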
```kql
// Find the first appearance of files sent by a malicious sender in your organization
let MaliciousSender = "mtpdemos@juno.com";
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SenderFromAddress =~ MaliciousSender
| join (
    DeviceFileEvents
    | where Timestamp > ago(30d)
) on SHA256
| summarize FirstAppearance = min(Timestamp) by DeviceName, SHA256, FileName
```
Get enriched file intel
Unfortunately, some users did download the malicious files. To quickly learn more about the files, we can use the FileProfile() function to pull in metadata from the Microsoft file reputation database:
```kql
// Get more details about the malicious files using the FileProfile() enrichment function
let MaliciousSender = "mtpdemos@juno.com";
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SenderFromAddress =~ MaliciousSender
| join (
    DeviceFileEvents
    | where Timestamp > ago(30d)
) on SHA256
| distinct SHA1
| invoke FileProfile()
| project SHA1, SHA256, FileSize, GlobalFirstSeen, GlobalLastSeen, GlobalPrevalence, IsExecutable
```
By invoking the FileProfile() function, we enrich each row with additional file hashes, file size, global prevalence, global first-seen and last-seen times, signer information, and various other attributes. For example, we can identify files that are rare or files that are very new, both of which potentially warrant closer inspection.
Learn more about the FileProfile() function
Take action as part of the hunt
Once we’ve done sufficient investigation to verify that the files are malicious and the devices that contain them have been adversely impacted, our next step would be to ensure we respond quickly enough to minimize the impact of the malicious files. We can actually do this from the query results by selecting the records and then selecting Take actions.
```kql
// Find the first appearance of files sent by a malicious sender in your organization
let MaliciousSender = "mtpdemos@juno.com";
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SenderFromAddress =~ MaliciousSender
| join (
    DeviceFileEvents
    | where Timestamp > ago(30d)
) on SHA256
| summarize FirstAppearance = min(Timestamp) by DeviceName, DeviceId, SHA256, FileName
```
This feature lets you select particular entities to address in the selected records as well as the type of actions to take. When you proceed, the necessary actions are taken automatically and swiftly on available devices.
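The enrichment step and the response step above can be folded into one hunt. The query below is an added example, not code from the original post: it joins the sender's attachments to device file events, enriches the per-device results with FileProfile(), keeps only files that are rare, unknown to the reputation database, or recently first seen globally, and carries DeviceId and SHA1 so the rows can be selected directly for Take actions. The prevalence threshold and age window are illustrative assumptions, not values from the post.

```kql
// Added example (not from the original post): enrich, triage and prepare for Take actions in one query.
let MaliciousSender = "mtpdemos@juno.com";
let RarePrevalence = 100;   // assumption: fewer than 100 global sightings counts as rare
let NewFileWindow = 7d;     // assumption: first seen globally within the last week counts as new
EmailAttachmentInfo
| where Timestamp > ago(30d)
| where SenderFromAddress =~ MaliciousSender
// rename Timestamp so the device-side Timestamp is the only one left after the join
| project EmailTime = Timestamp, RecipientEmailAddress, SHA256, AttachmentName = FileName
| join (
    DeviceFileEvents
    | where Timestamp > ago(30d)
    | project Timestamp, DeviceId, DeviceName, FolderPath, SHA1, SHA256
) on SHA256
// collapse to one row per device and file before enrichment: FileProfile() only
// enriches a bounded number of records, so keep the input set small
| summarize FirstAppearance = min(Timestamp), Recipients = make_set(RecipientEmailAddress)
    by DeviceId, DeviceName, SHA1, SHA256, AttachmentName, FolderPath
| invoke FileProfile()
// a null GlobalPrevalence means the reputation database has never seen the file,
// which is the rarest case of all, so treat it as in scope rather than filtering it out
| where isnull(GlobalPrevalence)
    or GlobalPrevalence < RarePrevalence
    or GlobalFirstSeen > ago(NewFileWindow)
| project FirstAppearance, DeviceId, DeviceName, AttachmentName, FolderPath, SHA1, SHA256,
    Recipients, FileSize, GlobalFirstSeen, GlobalLastSeen, GlobalPrevalence, IsExecutable, Signer
| order by GlobalPrevalence asc, FirstAppearance asc
```

Because the join key is SHA256 on both sides, the device-side copy comes back as SHA2561 and the left column is the one the summarize uses; the device-side SHA1 is kept because FileProfile() and the file-based actions in Take actions both work from it. Sorting by ascending prevalence puts the unknown and rarest files at the top, which is the order in which a responder would want to select devices for isolation or the file for quarantine.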
Key takeaways
We started our investigation from a single mailbox that was connected to an incident. Using advanced hunting, we gathered more data about the affected asset, explored other activities that might be related to the asset, expanded our investigation to cover other threat types, pulled in more threat intel, and took action quickly.
During this investigation, we learned:
- How easy it is to pivot from an incident investigation into advanced hunting using go hunt
- How we can conveniently find what we need in the schema using the in-portal reference
- How quickly we can enrich an investigation using functions like FileProfile()
- How we can remediate threats directly from our hunting results by selecting Take actions
To learn more about advanced hunting in Microsoft Threat Protection and these new enhancements, go to the following links:
- Advanced hunting overview
- FileProfile
- Take actions
- Go hunt
- In-portal reference
- Preview features
- MTP Git community
Updated Aug 10, 2020 (Version 2.0)
Tali Ash, Microsoft
Microsoft Defender XDR Blog