Dec 07 2023 12:33 AM
Hi, how can I do retro hunting of domains, IPs and hashes on Sentinel or 365?
Example: a malicious domain google.com, 8.8.8.8.
I want to search in all of my logs / data connectors.
Dec 07 2023 01:05 AM
@sulaimanncs915 hello,
If you have data connectors outside the Microsoft stack, you will need to look into the relevant tables they create. For the Microsoft stack, and Microsoft Defender for Endpoint specifically, you can search with the following queries:
For IPs (with the option of relevant port as well):
DeviceNetworkEvents
| where RemoteIP == "insert destination IPv4 address here"
// optional filter if you want to define destination port as well
// | where RemotePort == "insert destination port number here"
For Domains:
DeviceNetworkEvents
| where RemoteUrl has "insert URL here"
Would you like to include other tables as well? Something like source IPs for sign-ins? Maybe IPs for email-sending infra?
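As an added example (not from the original thread), the two queries above can be folded into a single retro-hunt over the Defender for Endpoint advanced hunting tables that also covers the file hashes the question asked about. It assumes the standard MDE schema (DeviceNetworkEvents and DeviceFileEvents with their Timestamp, RemoteIP, RemoteUrl, SHA256, SHA1 and MD5 columns), which is also what Sentinel exposes when the Defender XDR connector is enabled; the indicator values are constructed placeholders.

```kql
// Constructed sample indicators; replace with the ones under investigation.
let iocIPs     = dynamic(["8.8.8.8"]);
let iocDomains = dynamic(["google.com"]);
let iocHashes  = dynamic(["<sha256 or sha1 or md5 placeholder>"]);
let lookback   = 30d;   // how far back to hunt; bounded by your retention
// Network indicators: exact match on IP, term match on domain
// ("has" also matches the domain inside a full URL or subdomain).
let netHits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in (iocIPs) or RemoteUrl has_any (iocDomains)
| project Timestamp, DeviceName, InitiatingProcessFileName,
          IndicatorType = iff(RemoteIP in (iocIPs), "ip", "domain"),
          Indicator     = iff(RemoteIP in (iocIPs), RemoteIP, RemoteUrl),
          Source        = "DeviceNetworkEvents";
// File hash indicators: case-insensitive match against all three hash columns,
// reporting whichever hash actually matched.
let fileHits = DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in~ (iocHashes) or SHA1 in~ (iocHashes) or MD5 in~ (iocHashes)
| project Timestamp, DeviceName, InitiatingProcessFileName,
          IndicatorType = "hash",
          Indicator     = case(SHA256 in~ (iocHashes), SHA256,
                               SHA1   in~ (iocHashes), SHA1,
                               MD5),
          Source        = "DeviceFileEvents";
// One row per indicator: how often, on how many devices, and when.
// Drop the summarize line to see the individual hits instead.
union netHits, fileHits
| summarize Hits = count(), Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
            by IndicatorType, Indicator, Source
| order by LastSeen desc
```

If a data connector outside the Microsoft stack lands in its own table, add a third `let` block over that table with the same four projected columns and append it to the `union`.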