Forum Discussion

MichaelJMelone
Aug 05, 2020

Share Your Hunting Challenges!

Hello world! Tali Ash and I would love your input on anything you would like demo'ed in future webcasts! Want to see us demonstrate a specific hunting capability? Got a query challenge on your mind? Reply with your idea or like a reply from the community - we'll pick some of the popular ideas and put together future webcasts on the topics.


Also, if you are looking for a great introduction to advanced hunting in MTP and KQL, be sure to check out our four-part series Tracking the Adversary at http://aka.ms/securitywebinars, or download the query files to practice on your own MTP instance at https://aka.ms/TrackingTheAdversary.


Happy hunting!


  • Thank you for all of the great suggestions! Tali Ash and I are excited to announce that our next webcast will be on November 17th. Be sure to join us for our new series l33tSpeak where we will share some of the latest Microsoft 365 Defender Advanced Hunting capabilities and provide demos based on your requests. We are looking forward to seeing everyone virtually again! To attend please register for our winter series of webcasts here: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR_0A4IaJRDNBnp8pjCkWnwhUMjY1MERNU0FFUU9MN08yUFhaMUxNRDMxVi4u 

  • mergene

    MichaelJMelone 


    Tracking the Adversary series was just awesome, thanks for sharing this level of knowledge for free!


    I want to detect when a user starts to use a new application/process. The scenario is like below:

    A user uses normal applications like Excel, Word, etc. daily. Then, the same user suddenly starts using a new application/tool on day X. He/she uses the application several times during that day, and then stops using it. There are also other users using the same application/tool, but those users use it daily as it's their job. I have no information about any of the users or the application/tool itself. When I try to hunt for this scenario, I get a resource usage error or the query just gets stopped because of high CPU usage. Maybe you want to cover this "rare process seen on an endpoint" scenario.
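    One way to hunt the scenario above in advanced hunting, as an added example that is not from the thread or the webcast: it baselines each user's processes over a lookback window, keeps the processes that several other users run on many days, and reports users whose first use of such a process falls in the last day. The table and columns are those of DeviceProcessEvents; the lookback and the thresholds BaselineUsers and BaselineDays are constructed assumptions.

```kusto
// Added example, not part of the thread: "rare process for this user, routine for others".
// Summarize before joining so the query stays within resource limits.
let lookback = 30d;
let recent   = 1d;
let BaselineUsers = 3;    // constructed: how many other users must run the process routinely
let BaselineDays  = 10;   // constructed: on how many distinct days
// Per user and process: first/last time seen, run count and distinct days of use
let UserProc = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where isnotempty(AccountName) and isnotempty(FileName)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Runs = count(), Days = dcount(startofday(Timestamp))
          by AccountName, FileName = tolower(FileName);
// Processes that are routine for the population: several users, many days each
let Routine = UserProc
| where Days >= BaselineDays
| summarize RoutineUsers = dcount(AccountName) by FileName
| where RoutineUsers >= BaselineUsers;
// Users who started running one of those processes only within the recent window
UserProc
| where FirstSeen > ago(recent)
| join kind=inner Routine on FileName
| project AccountName, FileName, FirstSeen, LastSeen, Runs, RoutineUsers
| order by Runs desc
```

    A user who ran the tool only on day X has Days below BaselineDays, so they never end up in Routine and cannot suppress their own alert.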

  • MichaelJMelone 

    It might be a bit out of topic but it is still about hunting.

    Normally, for suspicious and unknown files, we send them to the Microsoft Anti-Malware team and VirusTotal.

    Sometimes I will use Process Explorer and Process Monitor to do some investigation on an infected PC.

    As you may know, we normally don't have a malware research lab in our company, and sometimes we play around with VMs and Windows Sandbox, but at the end of the day we have to wait for a response from the Microsoft Anti-Malware team.

    It would be nice to discuss ways we could investigate malware internally and protect our systems while we are waiting for a patch.

  • Great topics so far! Keep them coming.  If something you'd like to see exists already please like it, if not feel free to add it.

    • Reza_Ameri-Archived

      MichaelJMelone 

      I believe one of the greatest challenges to the industry is ransomware. We might use Controlled folder access, which is very effective at protecting our systems, and use a defense-in-depth strategy, but the worst case is when a user is infected and they lose their data and don't have any backup.

  • D_Ant_Espo
    Hello, I need to know how to find the Patch IDs associated w/ a CVE. I often find myself trying to find out if certain patches have been deployed but am only given a CVE-xxxx-xxxx as my reference point.
    • MichaelJMelone (Microsoft)
      Great question! This can definitely be a challenge, especially because one patch may be superseded by another. The best official source would be the National Vulnerability Database (NVD) which is run by NIST (https://nvd.nist.gov/vuln/search).
      As far as advanced hunting goes, this is not currently available in the product today, but it definitely makes a great feature request. We will definitely keep this in mind!
  • mergene
    It would be great if you could cover how to use Machine Learning functions in MDATP/MTP for hunting.
  • mergene

    MichaelJMelone I've been playing with the make_series function and detecting anomalies. I have a situation which makes the detection quite difficult. For example, I try to create the time series data for a machine. The machine is not always powered on, and this makes my time series data have 0 values for some periods (let's say I don't have any data for Monday and Wednesday from the machine). This makes the anomaly detection with series_outliers quite difficult. How can I overcome this? Is it possible to exclude periods not having any data from the analysis?
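    One way to handle those empty bins, as an added example that is not from the thread: build the series with default=0, then tell series_fill_linear to treat 0 as the missing-value placeholder so the empty days are interpolated instead of dragging the median and quartiles used by series_outliers down, and finally report only the days on which the machine actually produced data. The device name, lookback and score cutoff are constructed assumptions; DeviceProcessEvents and its columns are the real advanced hunting schema.

```kusto
// Added example, not part of the thread: daily process-launch counts for one
// machine, with powered-off days treated as missing rather than as zero.
let lookback = 30d;
let binsize  = 1d;
let target   = "workstation01.contoso.local";   // constructed device name
DeviceProcessEvents
| where Timestamp > ago(lookback) and DeviceName == target
| make-series Launches = count() default = 0
    on Timestamp from startofday(ago(lookback)) to startofday(now()) step binsize
// 0 is the placeholder for "no telemetry"; interpolate across those bins
| extend Filled = series_fill_linear(Launches, 0)
// Tukey's-fence score per bin, computed on the gap-free series
| extend Score = series_outliers(Filled)
| mv-expand Timestamp to typeof(datetime), Launches to typeof(long),
            Filled to typeof(double), Score to typeof(double)
// Keep only days the machine reported anything, so interpolated days are never alerted on
| where Launches > 0
| where abs(Score) > 1.5      // constructed cutoff; 1.5 marks mild outliers, 3 strong ones
| project DeviceName = target, Day = Timestamp, Launches, Score
| order by abs(Score) desc
```

    The same approach works with a finer step such as 1h; the placeholder only has to be a value a live machine would never legitimately produce in that bin.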


  • Citizen8675309

    MichaelJMelone 

    Would you be willing to look at this query and let me know why it's not working? It ran once but now it has an unexpected error. It's getting an error in the line:

    "| summarize NumberofDisstinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)"


    let Threshold = 12;
    let BinTime = 1m;

    let listDC=IdentityDirectoryEvents
    | where Application =="Active Directory"
    | where Application == "Directory Service replication"
    | summarize by DestinationDeviceName ;

    IdentityQueryEvents
    | where Timestamp > ago(30d)
    | where DeviceName !in ( "DC List")
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:"
    BaseObject ", Search Filter: " SearchFilter

    | summarize NumberofDisstinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
    |where NumberofDisstinctLdapQueries > Threshold


    source: MS Defender Webinar Solorigate

      • m00nfish1400

        MichaelJMelone 


        Hi Michael, I just started to learn KQL queries and watched your old webinars on YouTube. Those videos are great learning resources. When I saw this original post, I was wondering whether or not my observation is correct. I think the reason this query didn't work is that this line of the query

        " | where DeviceName !in ( "DC List") "   should be   "where DeviceName !in ( "listDC")".

        "listDC" was defined in line 3. Thanks!
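        The corrected hunt, as an added example rather than code from either post: a single-column let table such as listDC is referenced bare inside !in ( ... ), never as a string literal, and the replication filter is moved to ActionType, since the first filter already restricts Application to Active Directory and a second, different Application value can never match. The ActionType value "Directory Service replication" and the 30-day scope on listDC are assumptions.

```kusto
// Added example, not the original poster's query: distinct LDAP search filters per
// device per minute, excluding the domain controllers learned from replication events.
let Threshold = 12;
let BinTime = 1m;
let listDC = IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where Application == "Active Directory"
| where ActionType == "Directory Service replication"   // assumed ActionType value
| summarize by DestinationDeviceName;
IdentityQueryEvents
| where Timestamp > ago(30d)
| where ActionType == "LDAP query"
| where DeviceName !in (listDC)        // table reference, not the string "DC List"
| parse Query with * "Search Scope: " SearchScope ", Base Object: " BaseObject ", Search Filter: " SearchFilter
| summarize NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold
| order by NumberOfDistinctLdapQueries desc
```

        If listDC comes back empty, every device survives the !in filter, so check it on its own first; a domain controller that never replicated inside the window will otherwise show up as a noisy LDAP client.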
