Microsoft Tech Community

retro hunting of malicious domains


Hi, how can I do retro hunting of domains, IPs and hashes on Sentinel or 365?

For example, a malicious domain: google.com, 8.8.8.8

I want to search in all of my logs / data connectors.


@sulaimanncs915 hello,

If you have data connectors outside the Microsoft stack, you will need to look into the relevant tables they create. For the Microsoft stack, and Microsoft Defender for Endpoint specifically, you can search with the following queries:

For IPs (with the option of the relevant port as well):

DeviceNetworkEvents
| where RemoteIP == "insert destination IPv4 address here"
// optional filter if you want to define the destination port as well
// | where RemotePort == "insert destination port number here"

For domains:

DeviceNetworkEvents
| where RemoteUrl has "insert URL here"


Would you like to include other tables as well? Something like source IPs for sign ins? Maybe IPs for Email sending infra?
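As an added example (not part of the reply above), the same idea extended to the other tables the reply mentions: one query that sweeps endpoint network and file events, Entra ID sign-ins, inbound mail and CEF firewall/proxy logs for a list of IPs, domains and hashes, then summarises first/last seen per indicator. It assumes a Sentinel workspace with those tables connected and Sentinel column names (TimeGenerated; in the Defender portal's advanced hunting the same tables use Timestamp); the indicator values are constructed placeholders.

```kql
// Constructed IoC lists: replace with the indicators under investigation
let iocIPs = dynamic(["192.0.2.10", "198.51.100.7"]);
let iocDomains = dynamic(["example.net", "example.org"]);
let iocHashes = dynamic(["<SHA256 placeholder>"]);
let lookback = 90d;   // bounded by the workspace retention, not by the query
// Endpoint network connections (Defender for Endpoint)
let netHits = DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where RemoteIP in (iocIPs) or RemoteUrl has_any (iocDomains)
    | project TimeGenerated, Source = "DeviceNetworkEvents", Host = DeviceName,
              Account = InitiatingProcessAccountName, Indicator = strcat(RemoteIP, " ", RemoteUrl);
// File hashes (Defender for Endpoint); in() matches whichever hash type was supplied
let fileHits = DeviceFileEvents
    | where TimeGenerated > ago(lookback)
    | where SHA256 in (iocHashes) or SHA1 in (iocHashes) or MD5 in (iocHashes)
    | project TimeGenerated, Source = "DeviceFileEvents", Host = DeviceName,
              Account = InitiatingProcessAccountName, Indicator = strcat(SHA256, " ", FileName);
// Entra ID sign-ins originating from the listed IPs
let signinHits = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where IPAddress in (iocIPs)
    | project TimeGenerated, Source = "SigninLogs", Host = "",
              Account = UserPrincipalName, Indicator = IPAddress;
// Inbound mail from the listed sending IPs or domains (Defender for Office 365)
let mailHits = EmailEvents
    | where TimeGenerated > ago(lookback)
    | where SenderIPv4 in (iocIPs) or SenderFromDomain in (iocDomains)
    | project TimeGenerated, Source = "EmailEvents", Host = "",
              Account = RecipientEmailAddress, Indicator = strcat(SenderIPv4, " ", SenderFromDomain);
// Third-party firewall/proxy logs arriving over CEF (CommonSecurityLog connector)
let cefHits = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (iocIPs) or RequestURL has_any (iocDomains)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
              Account = SourceUserName, Indicator = strcat(DestinationIP, " ", RequestURL);
// One result set: when each indicator was first and last seen, where, and by whom
union netHits, fileHits, signinHits, mailHits, cefHits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Hosts = make_set(Host, 20), Accounts = make_set(Account, 20) by Source, Indicator
| order by LastSeen desc
```

For a quick sweep of tables you have not mapped yet, the `search "198.51.100.7"` operator scans every column of every table in the workspace, but it is slow and expensive on large workspaces, so use it to discover which tables hold hits and then move to targeted queries like the one above.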