https://github.com/lawndoc/advancedhuntingqueries

Microsoft 365 Advanced Hunting Queries with hotlinks that plug the query right into your tenant.
https://github.com/lawndoc/advancedhuntingqueries

cyber-security cybersecurity defender defender-atp defender-for-endpoint detection detection-engineering hunting kql kusto microsoft microsoft365 security threat-hunting xdr

Last synced: about 2 months ago
JSON representation

Microsoft 365 Advanced Hunting Queries with hotlinks that plug the query right into your tenant.

• Host: GitHub
• URL: https://github.com/lawndoc/advancedhuntingqueries
• Owner: lawndoc
• License: unlicense
• Created: 2021-08-13T18:35:30.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2024-08-05T20:47:06.000Z (10 months ago)
• Last Synced: 2025-02-07T09:41:31.813Z (4 months ago)
• Topics: cyber-security, cybersecurity, defender, defender-atp, defender-for-endpoint, detection, detection-engineering, hunting, kql, kusto, microsoft, microsoft365, security, threat-hunting, xdr
• Homepage:
• Size: 313 KB
• Stars: 119
• Watchers: 5
• Forks: 18
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE

Awesome Lists containing this project

README

        
# AdvancedHuntingQueries

My collection of Microsoft 365 Advanced Hunting Queries written in Kusto Query Language (KQL). My queries are public domain ([Unlicense](LICENSE)), but I'd appreciate a credit/tag if you republish them somewhere.

This repo includes '🔎' icons with hotlinks that plug the queries right into your M365 Security tenant.

Click on a category to start exploring my hunting queries!

## Query Categories:

### [📈 Anomalies](Anomalies)

- Identify the most significant spikes in various activities

### [🛡️ ASR Rules](ASR)

- Queries that help you build your [Attack Surface Reduction](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction) policies

### [⚠️ Detection Rules](Detection-Rules)

- Kusto queries that can be turned into detection rules to create alerts

### [💣 Exploits](Exploits)

- Hunt for specific exploits being used in your environment

### [🕵️ Incident Response](Incident-Response)

- Hunt for known IOCs and activity from compromised hosts

### [🎣 Phishing](Phishing)

- Identify potential phishing emails in your environment

### [📝 Rough Drafts](Rough-Drafts)

- Detection rules I've written that are useful for hunting but not ready to generate alerts

### [🏰 Security Posture](Posture)

- Highlight bad operational security practices

### [🧑 User Behavior](User-Behavior)

- Queries related to user activity -- not all of them are relevant to security

### [🛠️ Utilities](Utilities)

- Useful queries that help with identity correlation, metrics, policy building, etc.

---

## Crafting your own queries

### Getting started

To get better at KQL, the best starting place is to just __explore the data__. By exploring the data, your curiosity can lead you down rabbit holes of "how can I find this?" It also helps you understand the data. __You can't make your own hunting queries if you don't know what information you have available to you__.

Choose a table like `DeviceEvents` and take a sample of just 10 random events with `take 10`. This will give you an idea of what data is in that table.

```

DeviceEvents

| take 10

```

I find the `distinct` operator useful for identifying the values I can expect to find in a specific column. That will give me an idea of the ways that I can filter out data or only show specific things.

```

DeviceEvents

| distinct ActionType

```

When troubleshooting a query that isn't giving you want you want, the first thing you need to do is identify *which line* is wrong. Injecting `take 10` or a `where` filter and then a __blank line__ will allow you to check for values you would expect to see or not see.

```

DeviceProcessEvents

| where ProcessCommandLine contains "iex"

| take 10  // the blank line below will end this 3-line query

| summarize Count = count() by InitiatingProcessFileName  // this line won't execute because of the blank line above

```

To clean up the output, you can hide columns you don't care about with `project`, `project-away`, and `project-reorder`. It's also helpful to `sort` by a column like `Timestamp` or `Count`. Having an easily digestible output is as important as the query itself.

Try the below queries with and without `project` and `sort`

```

DeviceProcessEvents

| where FileName contains "whoami"

| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessCommandLine

```

```

DeviceProcessEvents

| where FileName == "cmd.exe"

| summarize Count = count() by AccountName

| sort by Count desc

```