This article is contributed. See the original author and article here.

Microsoft Threat Protection simplifies security operations center (SOC) work by consolidating powerful security solutions protecting your devices, email and docs, identities, and cloud apps. With advanced hunting, you get an extremely flexible query-based tool designed for proactive exploration, investigation, and hunting across a comprehensive set of data, covering system information, regular event logs, and security alerts. 

 

To make advanced hunting even more accessible and easy to use, we’ve built some enhancements that many SOC analysts, whether hunting enthusiasts or budding defenders, will find useful: 

  • Pivot and query from multiple contexts 
  • Inspect records quickly 
  • Get reference info while hunting 

 

Pivot and query from multiple contexts 

When investigating an incident, we always look to learn more about affected assets and other entities, hoping to enrich the investigation with more data and insightThe new Go hunt action in Microsoft Threat Protection lets us quickly pivot from an ongoing incident investigation to inspecting a specific event, user, device, or other entity type onadvanced huntingwith an exhaustive, predefined query.  

 

Let’s take a look at this incident involving particular mailbox:

gohunt.png

 

For most intrusions, a mailbox is typically the initial entry point of an attackThereforewe should start by investigating the mailbox to look for suspicious emails that were identified by Office 365 ATP as phishing or malware. By selecting Go hunt from the mailbox details panewe are immediately taken to advanced hunting with prepopulated query for email events related to the mailbox. 

Gohunt2.png

 

From this starting point, we can make small tweaks to the query to go deeper into the pivot. We add a new line to narrow down to only emails found to be phishing or malware.  

 

let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z); 
let emailAddress = "bamorel@mtpdemos.net";
EmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
and RecipientEmailAddress == emailAddress
//malicious emails
and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish")

 

Seasoned hunters will find many other ways to tweak these queries and surface even more insights about the mailbox in question and ultimately the investigation. As you work with other investigations on Microsoft Threat Protection, you will find many other go hunt entry points for digging deeper while utilizing the power of flexible queries. 

Read more about go hunt 

 

Inspect records thoroughly and quickly 

Let’s say our modified go hunt query for malicious emails returned two emails, both of which had links and were detected as phishingOf course, we’ll want to inspect each of those emails. 

 

In the past, the best we could do was scroll slowly to the right while reading the values under each column. To speed things up and give defenders back a little bit more leisure time, we’ve added the Inspect record pane, which slides out to display all the columns as well as other relevant details about a selected record. You also get related assets, such as users and mailboxes that received or sent the email. If the record has process-related information, you also get a process tree. 

sidepane.png

 

You’ll be scrolling down for more info, which is much faster than scrolling to the right. 

 

sidepane2.png

 

Get reference info while hunting 

As we inspect one of the phishing emails, wewant to inspect the phishing link or URL embedded in the email. Our original go hunt query traversed the EmailEvents table, which broadly contains email processing events, but what we need is email content information. 

 

To locate the right schema table, most of us will likely look at the schema tree and find EmailUrlInfoWe can quickly confirm that this is the right table by selecting View reference.

schemaref.png 

This opens the in-portal reference, which can also be accessed by selecting Schema reference in the upper right of the page. 

schemaReference2.jpg

 

The in-portal reference includes detailed information about each table and its columns. For those who want to explore schema items further, it also comes with sample queries as well as detailed ActionType (event type) information for tables that hold event information. 

 

urlinfo.png

 

Now that we’ve found the EmailUrlInfo table and have verified that it holds information about URLs in email messages, we can try a little bit of Kusto Query Language (KQL) magic. In the example below, we use the join operator to get the embedded URLs in each of the phishing emails: 

 

let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z); 
let emailAddress = "bamorel@mtpdemos.net";
EmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
and RecipientEmailAddress == emailAddress
//malicious emails
and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish")
| join EmailUrlInfo on NetworkMessageId
| project EmailTime = Timestamp, Subject, Url

emailwithUrl.png

 

 

The hunt continues 

Want to see how the rest of this investigation unfoldsStay tuned for the next chapter where we continue the hunt using other fresh enhancements to advanced hunting. 

For more information about advanced hunting and the features discussed in this article, read: 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: