In the ever-evolving landscape of cybersecurity, staying ahead of threats is a constant challenge. Advanced hunting in Microsoft Defender XDR provides security teams with powerful tools to proactively search for threats, detect anomalies, and respond swiftly to incidents—even automatically. One of the most valuable and insightful resources within advanced hunting is the community queries feature. This collaborative repository can enhance your threat-hunting capabilities, streamline investigation processes, and empower your security operations center (SOC) team members with easily accessible shared knowledge.
With a new set of pre-built community queries for investigating and responding to email and collaboration security threats, you can now hunt even more effectively.
What is the community queries feature?
The community queries feature in advanced hunting is a curated collection of Kusto Query Language (KQL) queries contributed by Microsoft, industry experts, and the global security community. These queries are designed to address common security concerns, detect emerging threats, and automate the analysis of large datasets.
The repository serves as a starting point for both novice and seasoned threat hunters, offering pre-built queries that can be customized to fit specific organizational needs. By leveraging these community-contributed queries, SOC team members can quickly gain insights into potential threats without having to start from scratch.
Benefits of using community queries
- Time efficiency – Community queries provide a wealth of ready-made queries that can be immediately utilized. This saves valuable time, allowing security teams to focus on analyzing results rather than writing queries from scratch.
- Continuous learning – The repository is continuously updated with new queries that reflect the latest threat intelligence and security trends. This means that your threat-hunting efforts can evolve alongside the threat landscape.
- Collaboration and knowledge sharing – By using and contributing to community queries, organizations can tap into the collective expertise of the global security community. This collaborative approach helps in identifying and mitigating threats that may not yet be on your radar.
- Customization and flexibility – While the queries in the community are powerful out of the box, they are also highly customizable. You can tweak and modify them to suit the specific needs of your environment, ensuring that your threat detection efforts are tailored and precise.
How to access and use community queries
To access and use community queries in Microsoft Defender XDR advanced hunting:
- Navigate to the Advanced hunting page – In Microsoft Defender XDR, go to the advanced hunting section. Here, you can run, save, and manage your KQL queries.
- Explore Community queries – Look for "Community queries" under the “Queries” tab. This is where you'll find the collection of pre-built queries contributed by Microsoft and the security community. Queries relevant to Defender for Office 365 (email and collaboration security) are located under the “Email Queries” folder and its subfolders.
- Select and run a query – Browse the available queries and select one that matches your current needs. You can run the query as-is or customize it by modifying parameters (for example, the lookback window), adding filters, or combining it with other queries.
- Analyze and act on the results – Once the query has run, analyze the results to identify potential threats, anomalies, or areas of interest. From there, you can take appropriate actions, such as creating alerts and incidents, creating and refining custom detection rules, or deleting email messages if necessary.
Pro Tip: Custom detection rules can act on email messages automatically based on your queries. When saving a query as a custom detection rule, select an email action such as delete so that the rule does not just generate alerts and incidents in Microsoft Defender XDR but also responds when the detection triggers. Before enabling an automated delete action, run the query over your historical data and review the matches for false positives, because the action will apply to every future match. The query must also return the Timestamp, ReportId, NetworkMessageId and RecipientEmailAddress columns so that the rule can identify the affected messages and recipients.
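The following KQL query is an added example of the workflow above (run, customize, act); it is not one of the queries in the community repository. It finds inbound messages that Defender for Office 365 judged to be phishing but that were still delivered, and correlates them with the recipient's later clicks on URLs from those messages via the UrlClickEvents table. Table and column names follow the advanced hunting schema; the 30-day lookback, the Workload filter and the JSON key names extracted from AuthenticationDetails are assumptions to adjust for your tenant. The final projection keeps Timestamp, ReportId, NetworkMessageId and RecipientEmailAddress so the result can be saved as a custom detection rule.

```kusto
// Added example, not a community query from the repository.
// Hunt: Phish-verdict messages that were delivered anyway and whose URLs the
// recipient subsequently clicked. Assumption: a 30-day window is enough history.
let lookback = 30d;                                   // parameter: widen or narrow the hunt
let delivered_phish =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | where ThreatTypes has "Phish"                   // Phish verdict (may co-occur with Spam/Malware)
    | where DeliveryAction == "Delivered"             // neither blocked nor junked at delivery time
    // Assumption: AuthenticationDetails is a JSON object keyed SPF/DKIM/DMARC/CompAuth
    | extend Auth = parse_json(AuthenticationDetails)
    | extend Spf = tostring(Auth.SPF), Dkim = tostring(Auth.DKIM),
             Dmarc = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              SenderMailFromAddress, Subject, DeliveryLocation, DetectionMethods,
              Spf, Dkim, Dmarc, CompAuth, ReportId;
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Workload == "Email"                       // assumption: only clicks originating from email
    | project ClickTime = Timestamp, NetworkMessageId, AccountUpn,
              ClickedUrl = Url, ClickAction = ActionType, IsClickedThrough;
delivered_phish
| join kind=inner (clicks) on NetworkMessageId        // same message, by network message ID
| where ClickTime >= Timestamp                        // click happened after delivery
| project-away NetworkMessageId1                      // drop the duplicated join key
| extend MinutesToClick = datetime_diff("minute", ClickTime, Timestamp)
// Columns required by custom detection rules come first: Timestamp, ReportId,
// NetworkMessageId and RecipientEmailAddress identify the message and recipient.
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderMailFromAddress, Subject, DeliveryLocation,
          Spf, Dkim, Dmarc, CompAuth, DetectionMethods,
          ClickTime, MinutesToClick, AccountUpn, ClickedUrl, ClickAction, IsClickedThrough
| order by ClickTime desc
```

Run it as-is first to gauge volume and false positives; rows where IsClickedThrough is true are the ones to triage first, since the user reached the destination. If the match set is clean, save the query as a custom detection rule and attach an email action; the lookback parameter is then effectively replaced by the rule's run frequency, so keep the filters tight.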
Popular use cases for Defender for Office 365 related community queries
- Detecting phishing attacks – Use community queries to identify patterns of phishing emails, malicious links, or unusual email activity that could indicate a phishing campaign.
- Identifying lateral movement – Leverage queries that detect unusual account activities or unauthorized access, helping to spot lateral movement within your network.
- Investigating malware outbreaks – Utilize community queries to search for indicators of compromise (IOCs) related to known malware families, enabling rapid response to potential outbreaks.
- Monitoring privileged accounts – Community queries can help you track the activities of privileged accounts, ensuring that any suspicious behavior is flagged and investigated promptly.
- QR code – Hunt for, investigate, and respond to email security threats that use QR codes.
- URL clicks – Investigate potentially malicious URL clicks in emails, Microsoft Teams, and Office apps.
- Ensuring secure posture – Review admin- and user-created overrides of filter verdicts, which can weaken the organization's security posture.
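As an added example for the override review use case above (not one of the community queries), the query below lists inbound messages that received a Phish or Malware verdict but were still delivered while an organization-level or user-level policy applied, and summarizes them by the policy that applied. Column names (OrgLevelPolicy, UserLevelPolicy, OrgLevelAction, UserLevelAction) follow the EmailEvents schema; the 30-day window and the treatment of any non-empty policy value as a potential override are assumptions to confirm against the policy values present in your tenant.

```kusto
// Added example, not a community query from the repository.
// Which admin or user overrides let Phish/Malware-verdict mail reach mailboxes?
let lookback = 30d;                                   // assumption: review window
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Phish", "Malware")      // a filtering verdict was present
| where DeliveryAction == "Delivered"                 // ...but the message was delivered
// Assumption: a populated policy column means a tenant- or mailbox-level policy
// influenced handling; confirm the exact values used in your tenant.
| where isnotempty(OrgLevelPolicy) or isnotempty(UserLevelPolicy)
| extend OverrideScope = case(isnotempty(OrgLevelPolicy), "Admin (organization)",
                              "User (mailbox)")
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            SampleSenders = make_set(SenderFromAddress, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by OverrideScope, OrgLevelPolicy, OrgLevelAction,
             UserLevelPolicy, UserLevelAction, ThreatTypes
| order by Messages desc
```

Each row is one override/verdict combination; a high Messages or Recipients count against a single admin policy (for example a broad allow entry) is the finding to take back to the policy owner. Use the same filters without the summarize to get the per-message rows for remediation.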
Current query repository for Defender for Office 365
The full list of queries is available directly in Microsoft Defender XDR advanced hunting. The queries relevant to Defender for Office 365 are organized under the Email Queries folder using subfolders based on email and collaboration security topics.
The current subfolders are: Attachment, Authentication, General, Hunting, Malware, Override, Phish, QR code, Quarantine, Remediation, Spoof and Impersonation, Submissions, Top Attacks, URL, URL Click, and ZAP.
The queries are also available directly in the Microsoft Sentinel GitHub repository.
Contribute to community queries
Anyone can contribute to community queries in advanced hunting. The strength of these queries lies in the diversity of their contributors. If you develop a query that proves valuable for email security in your environment, we strongly recommend sharing it with the wider community.
By doing so, you contribute to the collective defense against cyber threats and help other organizations enhance their security posture.
To start contributing simply follow the steps listed here and add your queries to the unified Microsoft Sentinel and Microsoft Defender XDR repository on GitHub.
Community queries is more than just a repository of scripts—it's a dynamic, collaborative resource that empowers security teams to stay ahead of emerging threats. By leveraging and contributing to this community, organizations can enhance their threat-hunting capabilities, reduce time-to-detection, and foster a culture of continuous learning and collaboration.
In the ever-changing world of cybersecurity, having access to a community-driven repository of advanced queries is an invaluable asset. Whether you're a seasoned threat hunter or just starting out, community queries are a resource you can't afford to overlook. So, dive in, explore, and start unlocking the full potential of advanced hunting today.
More information:
- Check out our documentation
- Get expert training on advanced hunting
- Take action on advanced hunting query results
- Advanced hunting data schema including Defender for Office 365 tables
- Microsoft Defender for Office 365 Security Operations Guide