MS Defender Advanced Hunting using KQL Queries

Let’s check the MS Defender Advanced Hunting using KQL Queries. There are two types of Threats hunting in the Microsoft 365 Defender world. We will discuss both of those hunting techniques in this article.

In this article, we will explore Microsoft Defender Advanced hunting, what is Advanced hunting, how to perform advanced hunting and what tools you can use for advanced hunting, what are the relation between KQL queries and advanced hunting, and what does the relation between advanced hunting and incidence plus alerts in Microsoft 365 Defender world etc.

We have an article highlighting the Intune Integration with Microsoft Defender for Endpoint to explore the seamless integration between Microsoft Defender for Endpoint and Intune. Another article showing the Latest MDE Architecture Changes to Enhance Onboarding Experience explore two interesting Microsoft Defender for Endpoint (MDE) aspects.

MS Defender Advanced Hunting is a tool for hunting down threats using queries. It lets you look through data from the past 30 days. There are two ways to use it: guided and advanced. Guided mode is helpful if you are new to Kusto Query Language (KQL) or like using a simple query builder. If you are familiar with KQL and want more control, you can use advanced mode to create your queries from the beginning.

Patch My PC

What is M365 Defender Advanced Hunting?

MS-Defender-Advanced-Hunting

Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for known and potential threats. Advanced hunting supports queries that check a broader data set coming from.

1. Microsoft Defender for Endpoint
2. Microsoft Defender for Office 365
3. Microsoft Defender for Cloud Apps
4. Microsoft Defender for Identity

Adaptiva

MS Defender Advanced Hunting using KQL Queries

In this video, you will get all the details about Microsoft Defender Advanced hunting, the basic hunting tools, and the data set schema within Microsoft 365 Defender—all these things you have seen, along with many KQL queries. And you can also get information such as how to get sample queries, edit and customize sample queries, etc.

MS Defender Advanced Hunting using KQL Queries – Video 1

MS Defender Advanced Hunting

In this article, we’ll walk you through the process of using advanced hunting queries for enhanced threat detection. We’ll start by explaining how to perform query-based advanced hunting, and then we’ll shift our focus to understanding incidents and alerts, providing you with a high-level overview of their role.

MS Defender Advanced Hunting using KQL Queries - fig.1
MS Defender Advanced Hunting using KQL Queries – fig.1

Pick your Hunting Path

There are different hunting paths. You can use advanced mode if familiar with the custom query language KQL. Otherwise, you can start with the query builder. Proactively hunt for threats with powerful queries.

  • Start with the query builder in guided mode
  • Or use Kusto Query Language (KQL) in advanced mode.
Hunting
Advanced Hunting
Custom Detection Rules
MS Defender Advanced Hunting using KQL Queries – Table 1
MS Defender Advanced Hunting using KQL Queries - fig.2
MS Defender Advanced Hunting using KQL Queries – fig.2

Guided Advanced Hunting

Start with the query builder in guided mode. The query builder in guided mode allows analysts to craft meaningful hunting queries without knowing Kusto Query Language (KQL) or the data schema.

MS Defender Advanced Hunting using KQL Queries - fig.3
MS Defender Advanced Hunting using KQL Queries – fig.3

KQL Query – Advanced Hunting

Use Kusto Query Language (KQL) query in advanced mode. You can use Kusto operators and statements to construct queries that locate information in a specialized schema. The below window shows the KQL Query advanced hunting scenario. If you are familiar with this type of KQL query, you can go ahead with this type of hunting. It takes some time.

  • We have an article highlighting the KQL query-related stuff in Intune scenarios.
  • KQL is the common query language used across Azure for Defender and most products.
  • If you want to troubleshoot any of the Microsoft product SaaS solutions, the KQL query is usually used in Intune scenarios, AVD Virtual desktop scenarios, etc.
MS Defender Advanced Hunting using KQL Queries - fig.4
MS Defender Advanced Hunting using KQL Queries – fig.4

Schema Advanced Hunting

The advanced hunting schema comprises multiple tables that provide either event information or information about devices, alerts, identities, and other entity types. Click on 3 dots (vertical) and select view reference to get column details.

MS Defender Advanced Hunting using KQL Queries - fig.5
MS Defender Advanced Hunting using KQL Queries – fig.5

Queries Advanced Hunting

Queries are KQL queries used for MS Defender Advanced Hunting. There are 3 types of queries available in MS Defender Advanced Hunting Shared Queries, My queries and Community Queries. These queries are very useful for troubleshooting common issues to help you perform advanced hunting, etc.

MS Defender Advanced Hunting using KQL Queries - fig.6
MS Defender Advanced Hunting using KQL Queries – fig.6

Advanced Hunting Options in MDE

Look into advanced hunting options in MDE(Microsoft Defender for Endpoint). Open Microsoft 365 Defender portal – security.microsoft.com and sign in using your admin account. You can see the Hunting option on the left side of the portal. Select Advanced hunting from hunting. In advanced hunting, you can see the options such as Queries, Detection Rules, and Schema.

  • Schema
  • Queries
  • Detection Rules

Schema

A schema is a group of tables, and that table contains columns and values for each column. The schema in the advanced hunting world consists of tables containing event details, devices, alerts, identity, and other entity information. It’s essential to grasp the tables and their columns within the advanced hunting schema to create powerful queries across these tables.

  • Advanced Hunting > Schema
  • To access the schema reference, follow these steps
    • Next to the table name in the schema representation, click on the “View reference” action.
  • Schema shows different sections such as Alert & behaviours, Apps & identities, Devices etc.
MS Defender Advanced Hunting using KQL Queries - fig.7
MS Defender Advanced Hunting using KQL Queries – fig.7

View Reference Option

After clicking the 3 dots and get the View reference. It will describe the table, column names, sample queries, etc. Schema is the full information of tables, columns etc., related to Advanced hunting.

MS Defender Advanced Hunting using KQL Queries - fig.8
MS Defender Advanced Hunting using KQL Queries – fig.8

Queries in Advanced Hunting

Let’s check the Queries detail in Advanced Hunting. There are different Queries in the Advanced hunting, such as shared queries, my queries etc. You can easily run the Query by right-clicking on the 3 dots, and it shows the options such as Open in the query editor, Rename and Delete. Select Open in the query editor. It will show the query details. Click the Run Query button it will show different results.

MS Defender Advanced Hunting using KQL Queries - fig.9
MS Defender Advanced Hunting using KQL Queries – fig.9

After clicking one of the Results from a Query window, you will get all the details, such as Device Management, Active alert, and alert incidents. In the alert incident, you can access all the details related to that device if you go in. You have your custom queries.

MS Defender Advanced Hunting using KQL Queries - fig.10
MS Defender Advanced Hunting using KQL Queries – fig.10

Detection Rules

Custom detection rules help you to design and tweak using advanced hunting queries. These rules help you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints.

MS Defender Advanced Hunting using KQL Queries - fig.11
MS Defender Advanced Hunting using KQL Queries – fig.11

Advanced Hunting Query Builder

Advanced Hunting Query Builder is nothing but a KQL query builder. In the Create a new section, you can see 2 options “Query in editor” and “Query in builder“. Query in the builder is one option if you are unfamiliar with KQL queries. First, you must select the Domains, including All domains, Endpoints, Apps and identities – Active log.

  • Then you would select the sample queries.
  • Filter option is also available in the Query in the builder.
  • Enable the “All filters” option by toggling the pane to the right side
  • Add filter options and Run the Query
MS Defender Advanced Hunting using KQL Queries - fig.12
MS Defender Advanced Hunting using KQL Queries – fig.12

How to Edit in KQL

Editing in KQL (Kusto Query Language) involves changing or modifying existing queries. You should first open the KQL query and click the Edit in KQL option from the below window. Run the Query and see the results in the result section.

MS Defender Advanced Hunting using KQL Queries - fig.13
MS Defender Advanced Hunting using KQL Queries – fig.13

Understand the KQL Query

Let’s understand the KQL query; there is a timestamp, which filters on processes. All those details are available in the Query. So in the results, you can see the timestamp, device name, initiating process, file name etc. If you click on one of the devices from the result, you will be again able to see all the details, alerts, incidents etc.

MS Defender Advanced Hunting using KQL Queries - fig.14
MS Defender Advanced Hunting using KQL Queries – fig.14

Save Queries

Let’s check how to Save some of the queries. Click the Save button and select the “Save as” option from Save. In the pop-up window, you would provide a Name for the Query and give a Location for the Query. Click the Save button.

MS Defender Advanced Hunting using KQL Queries - fig.15
MS Defender Advanced Hunting using KQL Queries – fig.15

Learn the advanced hunting query language in Microsoft 365 Defender | Microsoft Learn

Author

About Author Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.