Microsoft Defender XDR Blog

Pivot fast and investigate freely with go hunt & other advanced hunting enhancements

Tali Ash
Microsoft
Jul 22, 2020

Microsoft Threat Protection simplifies security operations center (SOC) work by consolidating powerful security solutions protecting your devices, email and docs, identities, and cloud apps. With advanced hunting, you get an extremely flexible query-based tool designed for proactive exploration, investigation, and hunting across a comprehensive set of data, covering system information, regular event logs, and security alerts. 

 

To make advanced hunting even more accessible and easy to use, we’ve built some enhancements that many SOC analysts, whether hunting enthusiasts or budding defenders, will find useful: 

  • Pivot and query from multiple contexts 
  • Inspect records quickly 
  • Get reference info while hunting 

 

Pivot and query from multiple contexts 

When investigating an incident, we always look to learn more about affected assets and other entities, hoping to enrich the investigation with more data and insight. The new Go hunt action in Microsoft Threat Protection lets us quickly pivot from an ongoing incident investigation to inspecting a specific event, user, device, or other entity type in advanced hunting with an exhaustive, predefined query.

 

Let’s take a look at this incident involving a particular mailbox:

 

For most intrusions, a mailbox is typically the initial entry point of an attack. Therefore, we should start by investigating the mailbox to look for suspicious emails that were identified by Office 365 ATP as phishing or malware. By selecting Go hunt from the mailbox details pane, we are immediately taken to advanced hunting with a prepopulated query for email events related to the mailbox.

 

From this starting point, we can make small tweaks to the query to go deeper into the pivot. We add a new line to narrow down to only emails found to be phishing or malware.  

 

let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);
let emailAddress = "bamorel@mtpdemos.net";
EmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
and RecipientEmailAddress == emailAddress
//malicious emails
and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish")

 

Seasoned hunters will find many other ways to tweak these queries and surface even more insights about the mailbox in question and ultimately the investigation. As you work with other investigations on Microsoft Threat Protection, you will find many other go hunt entry points for digging deeper while utilizing the power of flexible queries. 

Read more about go hunt 

 

Inspect records thoroughly and quickly 

Let’s say our modified go hunt query for malicious emails returned two emails, both of which had links and were detected as phishing. Of course, we’ll want to inspect each of those emails.

 

In the past, the best we could do was scroll slowly to the right while reading the values under each column. To speed things up and give defenders back a little bit more leisure time, we’ve added the Inspect record pane, which slides out to display all the columns as well as other relevant details about a selected record. You also get related assets, such as users and mailboxes that received or sent the email. If the record has process-related information, you also get a process tree. 

 

You’ll be scrolling down for more info, which is much faster than scrolling to the right. 

 

 

Get reference info while hunting 

As we inspect one of the phishing emails, we want to inspect the phishing link or URL embedded in the email. Our original go hunt query traversed the EmailEvents table, which broadly contains email processing events, but what we need is email content information.

 

To locate the right schema table, most of us will likely look at the schema tree and find EmailUrlInfo. We can quickly confirm that this is the right table by selecting View reference.

 

This opens the in-portal reference, which can also be accessed by selecting Schema reference in the upper right of the page. 

 

The in-portal reference includes detailed information about each table and its columns. For those who want to explore schema items further, it also comes with sample queries as well as detailed ActionType (event type) information for tables that hold event information. 

 

 

Now that we’ve found the EmailUrlInfo table and have verified that it holds information about URLs in email messages, we can try a little bit of Kusto Query Language (KQL) magic. In the example below, we use the join operator to get the embedded URLs in each of the phishing emails: 

 

let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);
let emailAddress = "bamorel@mtpdemos.net";
EmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
and RecipientEmailAddress == emailAddress
//malicious emails
and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish")
| join EmailUrlInfo on NetworkMessageId
| project EmailTime = Timestamp, Subject, Url
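As an added example that is not part of the original post, the query below carries the same pivot one step further: after pairing the phishing emails for the mailbox with the URLs they contain, it checks whether the recipient actually clicked any of those URLs. It reuses the post's sample timestamp and mailbox, and assumes the UrlClickEvents table (Safe Links click telemetry available in the current Defender XDR schema).

```kql
// Added example, not from the original post. Same sample values as above.
let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);
let emailAddress = "bamorel@mtpdemos.net";
let lookback = 24h;
// Step 1: malicious emails delivered to the mailbox (same filter as the post)
let maliciousMail = EmailEvents
| where Timestamp between ((selectedTimestamp - lookback) .. (selectedTimestamp + lookback))
| where RecipientEmailAddress == emailAddress
| where MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish"
| project NetworkMessageId, EmailTime = Timestamp, Subject, SenderFromAddress, DeliveryAction;
// Step 2: every (message, URL) pair. kind=inner is explicit about keeping all
// matches even when the left side holds duplicate NetworkMessageId keys.
let maliciousUrls = maliciousMail
| join kind=inner (
    EmailUrlInfo
    | project NetworkMessageId, Url, UrlDomain
  ) on NetworkMessageId
| project-away NetworkMessageId1;
// Step 3: did the recipient click any of these URLs? leftouter keeps URLs that
// were never clicked (ClickTime is empty for them), so nothing is silently lost.
maliciousUrls
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp between ((selectedTimestamp - lookback) .. (selectedTimestamp + 7d))
    | where AccountUpn == emailAddress
    | project NetworkMessageId, Url, ClickTime = Timestamp,
              ClickAction = ActionType, IsClickedThrough
  ) on NetworkMessageId, Url
| project EmailTime, Subject, SenderFromAddress, DeliveryAction,
          UrlDomain, Url, ClickTime, ClickAction, IsClickedThrough
| sort by EmailTime asc
```

In the current schema the MalwareFilterVerdict and PhishFilterVerdict columns are deprecated in favour of ThreatTypes, so step 1 is typically written as `| where ThreatTypes has_any ("Malware", "Phish")` today.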

 

 

The hunt continues 

Want to see how the rest of this investigation unfolds? Read the next chapter: Pull in more intelligence and act fast while you hunt.

 

For more information about advanced hunting and the features discussed in this article, read: 

Updated Dec 23, 2021
Version 4.0