DefenderXDR Advanced Hunting All-In-One IP Search
Steven Lim
Favikon Top Cybersecurity / IT & Tech LinkedIn Creators | VP | Director | KQLWizard
This KQL query searches the following DefenderXDR log tables for the IP address held in the ip variable that is defined at the start of the query:
AADSignInEventsBeta, AADSpnSignInEventsBeta, CloudAppEvents, IdentityLogonEvents, UrlClickEvents, DeviceNetworkInfo, CloudAuditEvents, DeviceFileEvents, AlertEvidence, BehaviorEntities, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents, EmailEvents, DeviceInfo and ExposureGraphNodes
You can replace ago(1d) and now() with precise datetime() bounds, for example datetime(2024-03-31 23:59:59.9), if you already know the time frame to search.
You can click here to load the KQL query directly into your DefenderXDR Advanced Hunting. Enjoy!
let ip = "223.171.89.199"; // Sample Malicious IP
search in (AADSignInEventsBeta, AADSpnSignInEventsBeta, CloudAppEvents, IdentityLogonEvents, CloudAuditEvents, UrlClickEvents, DeviceNetworkInfo, DeviceFileEvents, AlertEvidence, ExposureGraphNodes, BehaviorEntities, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents, EmailEvents, DeviceInfo)
Timestamp between (ago(7d) .. now())
and (
// AADSignInEventsBeta AADSpnSignInEventsBeta CloudAppEvents IdentityLogonEvents
// UrlClickEvents DeviceNetworkInfo CloudAuditEvents
IPAddress == ip
// DeviceFileEvents
or RequestSourceIP == ip
// AlertEvidence BehaviorEntities DeviceEvents DeviceLogonEvents DeviceNetworkEvents
or RemoteIP == ip
// DeviceEvents DeviceFileEvents
or FileOriginIP == ip
// EmailEvents
or SenderIPv4 == ip
// IdentityLogonEvents
or DestinationIPAddress == ip
// DeviceInfo
or PublicIP == ip
// AlertEvidence BehaviorEntities DeviceEvents DeviceNetworkEvents
or LocalIP == ip
// ExposureGraphNodes
or NodeProperties.rawData.publicIP == ip
)
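The query above returns every matching row as-is, which is fine for one IP but gets noisy for a watchlist. The following variant is an added example written for this article, not the author's original query: it takes a list of IPs, pins the time window with datetime() bounds, records which column matched, and uses the $table column that the search operator adds to summarize hits per source table. The two IP values and the date range are constructed sample inputs.

```kql
// Added example (not from the original post): hunt a list of IPs over a fixed
// window and summarize where they appear instead of scrolling raw rows.
// Sample IPs are constructed; 198.51.100.0/24 is RFC 5737 documentation space.
let ips = dynamic(["223.171.89.199", "198.51.100.23"]);
let start = datetime(2024-03-25 00:00:00);
let stop  = datetime(2024-03-31 23:59:59.9);
search in (AADSignInEventsBeta, AADSpnSignInEventsBeta, CloudAppEvents, IdentityLogonEvents,
           CloudAuditEvents, UrlClickEvents, DeviceNetworkInfo, DeviceFileEvents, AlertEvidence,
           ExposureGraphNodes, BehaviorEntities, DeviceEvents, DeviceLogonEvents,
           DeviceNetworkEvents, EmailEvents, DeviceInfo)
Timestamp between (start .. stop)
and (
    IPAddress in (ips)
    or RequestSourceIP in (ips)
    or RemoteIP in (ips)
    or FileOriginIP in (ips)
    or SenderIPv4 in (ips)
    or DestinationIPAddress in (ips)
    or PublicIP in (ips)
    or LocalIP in (ips)
    or tostring(NodeProperties.rawData.publicIP) in (ips)
)
// Record which column matched so each row carries the IP and its role
// (remote peer, local interface, sender, public egress address, ...).
| extend MatchedIP = case(
    IPAddress in (ips), IPAddress,
    RequestSourceIP in (ips), RequestSourceIP,
    RemoteIP in (ips), RemoteIP,
    FileOriginIP in (ips), FileOriginIP,
    SenderIPv4 in (ips), SenderIPv4,
    DestinationIPAddress in (ips), DestinationIPAddress,
    PublicIP in (ips), PublicIP,
    LocalIP in (ips), LocalIP,
    tostring(NodeProperties.rawData.publicIP)),
  MatchedColumn = case(
    IPAddress in (ips), "IPAddress",
    RequestSourceIP in (ips), "RequestSourceIP",
    RemoteIP in (ips), "RemoteIP",
    FileOriginIP in (ips), "FileOriginIP",
    SenderIPv4 in (ips), "SenderIPv4",
    DestinationIPAddress in (ips), "DestinationIPAddress",
    PublicIP in (ips), "PublicIP",
    LocalIP in (ips), "LocalIP",
    "NodeProperties.rawData.publicIP")
// $table is added by the search operator and names the source table of each row.
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by SourceTable = $table, MatchedColumn, MatchedIP
| order by Hits desc
```

Reading the summary first tells you whether an IP showed up as a sign-in source, a device's remote peer, or a mail sender before you drill into the raw rows of one table. Matching on LocalIP or PublicIP usually means one of your own assets carries that address, which is a different investigation from an inbound connection, so keeping MatchedColumn in the grouping avoids conflating the two.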
Do support this article if you find the KQL useful and repost for sharing with the wider cyber defender community.
#Microsoft #Sentinel #DefenderXDR #KQL #ThreatDetection #ThreatHunting #CyberSecurity #CyberDefender
Senior Cyber Defense Consultant (Threat Hunting) at ISH Tecnologia | Expertise in Cybersecurity
10 months: Thanks for sharing
Architect - Identity and Security at Microsoft
10 months: Insightful!