With this post, I’m focusing on anyone who is keen on knowing more about the advanced features of MDE, how to get into that realm of threat hunting, and what the controls available are.
So you have proper licensing enabled, you have Microsoft Defender for Endpoint on your users’ devices, and they are onboarded to Defender. What’s next? Advanced Hunting is a must-know tool, as it helps you dive into the details when there are threats in your devices or environment. My personal experience is that learning KQL is an interesting task, and there are a lot of resources on the internet to help you learn the basics. This blog post is all about what I learned and how the same can help you learn something new at the same time.
For more info on KQL, check the Microsoft guides.
KQL Playground: This is a place where you can practice your KQL.
Table of Contents
- Setting Your Time Zone
- Data Retention Time Period
- Set Email Notifications
- Building your Query
- Schema Reference
- Sample Queries
- How to look for PDF files in emails
- Device Events
- Smart Screen Warnings
- Look for Attack Surface Reduction Rules (ASR)
- Saving your queries to run at a later time
- Rendering Query Results into Charts
- Use Queries to Create Detection Rules
- Check Alerts
- Final Thoughts
Setting Your Time Zone
This is an important prerequisite: when you start building and running your queries, the timestamps shown in the results should line up with your local time.
Go to the Security Portal on https://security.microsoft.com > Settings > Security Center > Set the time zone.
Data Retention Time Period
This is another important setting for all things Defender. The maximum data retention time period is 180 days.
Security Portal on https://security.microsoft.com > Settings > Endpoints > Data Retention (under the General section)
Set a maximum of 180 days.
Set Email Notifications
This will help you get the alerts via email. However, with a little bit of work, you can make this a bit more interesting by using the Graph API, Logic Apps or Teams notifications.
Go to Settings from the left pane > Microsoft 365 Defender > Email Notifications > Add incident email notification.
Set the Notification name.
Set the options shown and choose the Alert Severity.
Set the recipients and create the notification.
Building your Query
With those two prerequisites completed, we can now move into the threat-hunting canvas. As you may already know, KQL (Kusto Query Language) is what runs the show here. Query output can be rendered to graphical charts if needed and, more importantly, turned into detection rules so you stay on top of the response and action side of things. The good thing is that because this is built into the portal, you don’t have to connect an Azure Log Analytics workspace; if you need to stream the Defender data to Microsoft Sentinel, however, a Log Analytics workspace is required.
- Tabs to create multiple queries at the same time.
- Query options
- Schema: KQL Tables which you can use to query data from
- Functions: Schema functions
- Queries: Pre-made queries where you can adapt and change accordingly and run
- Detection Rules: Create rules by using the queries to easily get notified of the threats if that’s captured via a query
- Space to construct your query
- Results of the executed query
I will not be going through the steps regarding writing KQL queries as it requires its own blog post/s to explain KQL from the start. However, I will be showcasing some easy-to-write queries that you can also run in your environment.
The Custom Time Range option can only go back 30 days. To control the window from the query itself, filter on the time column (for example, Timestamp > ago(30d)).
Schema Reference
This is a really helpful glossary-type fly-out menu that shows you all the fields of a table (schema) and what each one contains.
If I open the DeviceEvents schema details, I get the details below.
Click on a field to quickly copy and paste it into the query writing area.
Sample Queries
How to look for PDF files in emails
This can be a frequent request, as PDFs can carry malware; with the right tooling (for example, ASR rules) you can capture them. I have used the EmailAttachmentInfo table to query data from. The time window can be changed according to the requirement.
EmailAttachmentInfo
| where Timestamp > ago(1h)    // Advanced Hunting tables use Timestamp as the time column
| where FileType == "pdf"
// Join on NetworkMessageId so each attachment matches only its own message; joining on the sender address would pair every attachment with every email from that sender
| join kind=inner (EmailEvents | where Timestamp > ago(1h)) on NetworkMessageId
| project Timestamp, SenderFromAddress, Subject, SenderIPv4, RecipientEmailAddress, FileName, AttachmentCount, DeliveryLocation
Device Events
Out of the many ActionType values and query options, here I’m looking for Remote Desktop connection attempts on my devices.
DeviceEvents
| where ActionType == "RemoteDesktopConnection"
| project Timestamp, DeviceName, ActionType, LocalIP, LocalPort
Smart Screen Warnings
SmartScreen warnings are useful when you have Web Protection enabled, to understand which URLs were visited or to dig deeper into a threat-related issue.
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| take 10
| project Timestamp,DeviceName,DeviceId, RemoteIP, RemoteUrl,ProcessId
The query below also looks for SmartScreen URL warnings, but specifically for URLs that contain the word sportsbet, as that is a gambling site.
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| where RemoteUrl contains "sportsbet"
| take 10
| project Timestamp,DeviceName,DeviceId, RemoteUrl
Look for Attack Surface Reduction Rules (ASR)
This is an interesting one. I will be using the same type of query for the Detection rule later.
DeviceEvents
| where Timestamp > ago(30d)    // KQL operators are case-sensitive: where and summarize must be lowercase
| where ActionType startswith "asr"
| summarize EventCount=count() by ActionType
Saving your queries to run at a later time
You can easily save the queries you write to use at a later time. Once the query is written or copied from another place, press the Save As button and follow the instructions.
Check the query form below.
You can also use the community queries that have been shared by others. Edit them to cater to your requirements. An example is shown below.
Rendering Query Results into Charts
Sometimes you may need a graphical representation of the KQL output. When the query is constructed to summarize the output, you can render it as a chart either with the render operator or with the Chart Type option in the UI.
I’ve done a very simple query to identify the alerts by Severity and rendered it as a pie chart.
You can append a | render piechart line to the query, or pick the chart type from the Chart type options in the UI.
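As an added example (not from the original post), the ASR query from earlier can be extended for the chart step: it derives the rule name and mode (Audit or Block) from ActionType and renders a daily trend, which shows whether an audited rule is quiet enough to move to block mode. It assumes the ASR ActionType values end in "Audited" or "Blocked".

```kql
// Added example: ASR events per rule and mode over the last 30 days, rendered as a chart.
// Assumes ASR ActionType values end in "Audited" or "Blocked" (e.g. AsrOfficeChildProcessAudited).
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
// Strip the mode suffix so audit and block events of the same rule line up
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked)$", "")
| summarize EventCount = count(), Devices = dcount(DeviceId)
    by Series = strcat(Rule, " (", Mode, ")"), Day = bin(Timestamp, 1d)
| order by Day asc, Series asc
| render timechart
```

Drop the render line and the Day column to get a flat per-rule table instead; the Devices column tells you whether a high count comes from one noisy machine or from the whole fleet.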
Use Queries to Create Detection Rules
You can schedule your KQL queries so that they detect threats and alert you. My understanding is that it is best to use this for non-critical alerts, because the schedule runs every hour. However, you can classify the severity of the detection.
The below example shows how to create a Detection Rule to detect Edge Smart Screen URL Warning.
My query
DeviceEvents | where ActionType == "SmartScreenUrlWarning"
Click on the Create Detection rule button.
Set the alert details as shown and press Next.
Set the impacted entities as shown.
Set the Actions as shown.
Select the device scope: All, or from the Device Groups.
Submit the rule.
Now, if you go to the Custom Detection rules under Hunting, you will see your created rules.
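As an added example (not from the original post), this is a detection-rule-ready version of the SmartScreen query: custom detections need Timestamp, ReportId and an entity column such as DeviceId in the results, so the summarize keeps them with arg_max() while collapsing repeated warnings for the same host on a device. The allow-listed host is a constructed placeholder.

```kql
// Added example: SmartScreen URL warnings shaped for a custom detection rule.
// Custom detections require Timestamp, ReportId and an entity column (DeviceId here).
DeviceEvents
| where Timestamp > ago(1h)                             // matches the hourly rule schedule
| where ActionType == "SmartScreenUrlWarning"
| extend Host = tostring(parse_url(RemoteUrl).Host)     // group by host rather than full URL
| where Host !in~ ("allowed.example.com")               // constructed allow-list placeholder
| summarize Warnings = count(),
            arg_max(Timestamp, ReportId, DeviceName, RemoteUrl,
                    InitiatingProcessFileName, InitiatingProcessAccountName)
    by DeviceId, Host
| project Timestamp, ReportId, DeviceId, DeviceName, Host, RemoteUrl, Warnings,
          InitiatingProcessFileName, InitiatingProcessAccountName
```

One alert per device and host is raised instead of one per click, and the process and account columns show which browser and user hit the warning.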
Check Alerts
Go to Incidents & Alerts from the left pane and select Alerts. If there are any alerts related to the rules we created earlier, they will show up here.
Below is a different rule I created previously to detect any RDP Login attempts.
This can be received as an email if you have set up your Notifications as explained before.
Final Thoughts
All in all, this is a great built-in tool to dig deeper into threat hunting. Personally, the more I learned KQL, the more I wanted to use it and experiment with the results. It helps you pinpoint threats quickly and close off incidents sooner.
There are other ways where you can stream the Defender data (Endpoint/ Identity/ Cloud etc.) to SIEMs, and especially in this case, to Microsoft Sentinel as a centralized solution. More on that coming soon. I hope you have learned something new or sharpened your knowledge with this. I hope to see you in my next post soon.