
Microsoft Threat Protection – unified hunting

Posted on 15. December 2019, updated 29. January 2020

Note

This post is part of a series about Microsoft Threat Protection. You can find part 2 about unified incident management here: https://chrisonsecurity.net/2020/01/24/microsoft-threat-protection-unified-incidents/

When you work on security incidents, information is key. What is just as important: correlation. The value of data increases heavily if it can be associated with other signals. At Ignite 2018, Microsoft announced “Microsoft Threat Protection” (MTP) as a collective term for their ATP lineup (Office 365 ATP, Azure ATP, Microsoft Defender ATP).

Since then, those services have grown together more and more. MTP is now more than just a term: it has just entered the public preview phase. Advanced Hunting, Automated Investigations, and correlated incidents can now be run across Office and endpoint data.

In this post, I’d like to show the capabilities of unified Advanced Hunting.

Enabling MTP

First, you need to head over to the opt-in page that can be found here: https://security.microsoft.com/enable_mtp/mtp_consent

On the settings page, you need to select “Turn on Microsoft Threat Protection” and confirm the selection via the “Save” button.

Note

Please be aware of the service terms Microsoft mentions in the description under the opt-in toggle before you enable MTP.

After activation, let’s jump over to Advanced hunting at https://security.microsoft.com/hunting

The layout is pretty straightforward. On the left you get a schema reference (1) to look up table names and columns. Queries are written in the input field at the top right (2), and the respective output is shown at the bottom right (3).

As you can see from the screenshot, like many other services Advanced hunting is also subject to frequent changes. At the moment, Microsoft is working on completing the schema to match the different data sources of Microsoft Threat Protection.

You can find the announcement here: https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Advanced-hunting-data-schema-changes/ba-p/1043914

To put it shortly: the prefix of each table name indicates the data source.

Data source                              | Prefix | Example
Microsoft Defender ATP                   | Device | DeviceProcessEvents
Office 365 ATP                           | Email  | EmailAttachmentInfo
Microsoft Cloud App Security + Azure ATP | App    | AppFileEvents

If you read this post at a later date, this change has probably already been implemented. Every table consists of multiple columns that contain the actual information. For example, EmailAttachmentInfo holds the following columns:

  • Timestamp
  • AttachmentId
  • NetworkMessageId
  • SenderFromAddress
  • RecipientEmailAddress
  • RecipientObjectId
  • FileName
  • FileType
  • SHA256
  • MalwareFilterVerdict
  • MalwareDetectionMethod

Every table has its own set of columns; however, for the most common information types (such as Timestamp) they overlap, which is what makes joins across tables possible.

Here is an example of how a query might look. In this case, it searches for PnP (plug and play) events that are created by mass storage devices:
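As an added example (not the query from the original post, which was a screenshot), the following KQL query searches the DeviceEvents table for PnP device connections and keeps only those that look like mass storage. The PnpDeviceConnected action type is real; the JSON field names inside AdditionalFields (ClassName, DeviceDescription, DeviceId, VendorIds) and the class names used for filtering are assumptions based on the schema at the time of writing and should be checked against the schema reference in your tenant.

```kusto
// Added example: PnP connections of mass storage devices, summarised per physical device.
// Assumption: AdditionalFields of PnpDeviceConnected events is JSON with
// ClassName, DeviceDescription, DeviceId and VendorIds.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend ClassName         = tostring(parsed.ClassName),
         DeviceDescription = tostring(parsed.DeviceDescription),
         PnpDeviceId       = tostring(parsed.DeviceId),
         VendorIds         = tostring(parsed.VendorIds)
// DiskDrive/CDROM/WPD cover USB disks, optical drives and phones in MTP mode;
// the USBSTOR prefix catches USB mass storage regardless of class (assumed values).
| where ClassName in~ ("DiskDrive", "CDROM", "WPD")
     or PnpDeviceId startswith "USBSTOR"
| project Timestamp, DeviceName, ClassName, DeviceDescription, PnpDeviceId, VendorIds
// One row per physical device: how often, where and when it was plugged in.
| summarize Connections = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Machines    = make_set(DeviceName)
          by PnpDeviceId, DeviceDescription, ClassName, VendorIds
| order by Connections desc
```

The summarize step is what turns a raw event stream into something reviewable: a device that appears on many machines, or a machine that sees many different devices, stands out immediately, whereas the unsummarised list of PnP events does not.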

Building your own queries is pretty straightforward. However, there are some things to learn that are far too extensive for a blog post. If you want to know more, there are resources published by Microsoft:

  • Short introduction: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language
  • Full Kusto Query Language (KQL) documentation: https://docs.microsoft.com/en-us/azure/kusto/query/

The MDATP schema

The MDATP Advanced hunting schema has been with us for quite some time now. Besides the renaming to reflect the additions made by MTP, not much has changed.

Table                                      | Description
DeviceInfo                                 | General information about machines, like computer name, OS build, logged-on users, …
DeviceNetworkInfo                          | Network configuration of machines (adapters, IP and MAC addresses, …)
DeviceProcessEvents                        | Process creation and related events
DeviceNetworkEvents                        | Network connection events
DeviceFileEvents                           | Events related to file creation, modification, …
DeviceRegistryEvents                       | Creation and modification of registry entries
DeviceLogonEvents                          | User logon and authentication events
DeviceImageLoadEvents                      | DLL loading events
DeviceEvents                               | Various device events, especially regarding security controls (Application Control, Windows Firewall, etc.)
DeviceTvmSoftwareInventoryVulnerabilities  | Software inventory and vulnerabilities provided by Threat & Vulnerability Management (TVM)
DeviceTvmSoftwareVulnerabilitiesKB         | List of vulnerabilities known to TVM
DeviceTvmSecureConfigurationAssessment     | Assessment events for specific security configurations from TVM
DeviceTvmSecureConfigurationAssessmentKB   | Information about secure configurations (includes risk information, industry benchmarks, and MITRE ATT&CK techniques)

The OATP schema

The Office 365 ATP schema has been added with the (preview) release of MTP. It uses Office 365 mail data.

Table               | Description
EmailEvents         | General information about email
EmailAttachmentInfo | Information about email attachments
EmailUrlInfo        | Information about URLs in emails

Note

If you want to learn more about mail hunting have a look at Alex Verboon’s blog post: Microsoft Threat Protection – Using advanced hunting to see what’s going on with your mail.
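The real benefit of the unified schema is correlating the Email tables with the Device tables. As an added example (not from the original post), the following query joins EmailAttachmentInfo with DeviceFileEvents on the SHA256 hash: it lists attachments that arrived by mail and were later written to disk on a managed endpoint, together with the Office 365 ATP verdict. The EmailAttachmentInfo columns are the ones listed above; the DeviceFileEvents columns (ActionType, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName) and the "FileCreated" action type are assumed from the MDATP schema.

```kusto
// Added example: mail attachments that later show up as files on endpoints.
// Assumption: DeviceFileEvents has ActionType "FileCreated" and the
// InitiatingProcess* columns; EmailAttachmentInfo.SHA256 may be empty.
let lookback = 7d;
let mail_attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)          // no hash, nothing to correlate on
    | project MailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, AttachmentName = FileName, FileType,
              SHA256, MalwareFilterVerdict;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where isnotempty(SHA256)
| project FileTime = Timestamp, DeviceName, FolderPath, FileName, SHA256,
          InitiatingProcessFileName, InitiatingProcessAccountName
// Same content on disk as in the mailbox: join on the hash, not the file name,
// so renamed copies are still found.
| join kind=inner mail_attachments on SHA256
| where FileTime >= MailTime            // the file must have been written after the mail arrived
| project MailTime, FileTime, SenderFromAddress, RecipientEmailAddress,
          AttachmentName, FileType, MalwareFilterVerdict,
          DeviceName, FolderPath, FileName,
          InitiatingProcessFileName, InitiatingProcessAccountName
| order by FileTime desc
```

Filtering on MalwareFilterVerdict afterwards (e.g. only "Malware") turns this into a "which detections actually reached an endpoint" report; leaving the verdict unfiltered shows the whole path of an attachment from sender to disk, which is exactly the correlation an investigator wants when a mail is reported after the fact.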

Useful queries

Microsoft publishes some queries on their official GitHub repository: https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries

I am not a big fan of listing predefined queries, as in most cases they must be adapted to your own environment anyway. However, here are some use cases that can be enhanced by Advanced Hunting:

  • Monitor your Windows Firewall configuration by using data from the DeviceNetworkEvents table (and the firewall-related action types in DeviceEvents)
  • Monitor your Application Guard / AppLocker configuration by using the DeviceEvents table
  • Use EmailEvents, EmailAttachmentInfo, and EmailUrlInfo to monitor Office 365 ATP actions, such as delivery actions, detected malware and phish, and URL information from ATP safe links. I personally find Advanced Hunting way more convenient than using the Threat Explorer in the “old” Security & Compliance center.
  • You can also use hunting to detect whether users have overridden security warnings triggered by SmartScreen.
  • If you are unable to block external mass storage devices, you can use hunting to detect bulk data exfiltration. This can be part of your general DLP configuration.
  • Check update status for OS and anti-virus.
  • Monitor local administrators, and administrative logons.
  • Of course, you can also just search for indicators of compromise in the whole company if a particular incident occurred.
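For the SmartScreen use case above, here is an added example (not from the original post) that correlates SmartScreen warnings with user overrides on the same machine. The action types SmartScreenUrlWarning, SmartScreenAppWarning and SmartScreenUserOverride exist in DeviceEvents; the Experience field inside AdditionalFields (the category of the warning) and the two-minute window between warning and override are assumptions to adjust to your environment.

```kusto
// Added example: SmartScreen warnings that a user clicked through.
// Assumption: AdditionalFields of SmartScreen warning events carries an
// "Experience" property describing why SmartScreen warned.
let lookback = 7d;
let overrides =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "SmartScreenUserOverride"
    | project DeviceId, OverrideTime = Timestamp,
              OverrideAccount = InitiatingProcessAccountName;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("SmartScreenUrlWarning", "SmartScreenAppWarning")
| extend Experience = tostring(parse_json(AdditionalFields).Experience)
| project DeviceId, DeviceName, WarningTime = Timestamp, WarningType = ActionType,
          RemoteUrl, FileName, SHA1, Experience
// The override event does not reference the warning; correlate by machine and time.
| join kind=inner overrides on DeviceId
| where OverrideTime between (WarningTime .. (WarningTime + 2m))
| project WarningTime, OverrideTime, DeviceName, OverrideAccount,
          WarningType, Experience, RemoteUrl, FileName, SHA1
| order by WarningTime desc
```

Because the override event carries no reference to the warning it dismissed, the join is purely temporal; keep the window short, otherwise a warning for one download gets paired with an override of another one. Users who appear repeatedly in OverrideAccount are good candidates for awareness training, and the SHA1 column lets you pivot straight into DeviceFileEvents and DeviceProcessEvents for the file that was run anyway.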

In a future post, I will cover some of those scenarios in more detail.

Conclusion

Knowledge is power: nothing describes better what Advanced Hunting in Microsoft Threat Protection offers to security personnel. Many scenarios were already covered in Defender ATP, however, with the addition of Office 365 ATP data (followed by MCAS and Azure ATP in the future) you can now use it for centralized queries across your major cloud-powered defenses.

Thanks for reading!

Chris
