The absolute beginner’s guide for hunting with KQL

Building queries for Microsoft 365 Defender or Microsoft Sentinel can be challenging, especially when complex requirements force you to navigate maze-like table schemas.

Even so, it is worth keeping a set of simple queries handy so they can be used immediately whenever threat hunting or detection is needed.

As the query below shows, KQL queries are built on a simple principle: choose data – filter – present. Each pipe (|) hands the rows of the previous step to the next operator. Note that a time filter is an ordinary "where" clause, and that in SigninLogs the city lives inside the dynamic LocationDetails column, so it has to be extracted before you can group by it.

SigninLogs                                                           // Choose table
| where TimeGenerated >= ago(7d)                                     // Set timeframe
| where RiskLevelDuringSignIn == 'none'                              // Filter
| summarize Count = count() by City = tostring(LocationDetails.city) // Summarize
| sort by Count desc                                                 // Sort
| take 5                                                             // Select
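The same choose – filter – present pipeline, carried a little further, as an added example that is not part of the original post: it profiles failed sign-ins per account, extracts a field from the dynamic LocationDetails column, aggregates several values at once and filters again on the aggregate before presenting. It assumes the standard Microsoft Sentinel SigninLogs schema (ResultType, UserPrincipalName, IPAddress, Location, LocationDetails); the 14-day window and the threshold of 10 failures are arbitrary choices, not values from the post.

```kql
// Added example (not from the original post): the choose-filter-present pipeline applied to
// failed sign-ins in Microsoft Sentinel's SigninLogs table.
// Assumptions: standard SigninLogs schema; the 14-day window and the threshold of 10 are arbitrary.
SigninLogs                                                    // Choose table
| where TimeGenerated >= ago(14d)                             // Set timeframe
| where ResultType != "0"                                     // Filter: keep failures only (ResultType "0" is success)
| extend City = tostring(LocationDetails.city)                // Pull a field out of the dynamic column
| summarize                                                   // Summarize per account
    Failures     = count(),
    DistinctIPs  = dcount(IPAddress),
    Countries    = make_set(Location, 10),
    Cities       = make_set(City, 10),
    FirstFailure = min(TimeGenerated),
    LastFailure  = max(TimeGenerated)
    by UserPrincipalName
| where Failures >= 10                                        // Filter again, this time on the aggregate
| project UserPrincipalName, Failures, DistinctIPs, Countries, Cities, FirstFailure, LastFailure  // Present
| sort by Failures desc                                       // Sort
| take 20                                                     // Select
```

An account with many failures from many distinct IPs and several countries in a short window is the password-spray shape; one IP and one country with many failures is more likely a misconfigured client or a targeted brute force.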

Reference

Before diving into the queries, please consider visiting my GitHub repo where I store queries built for many purposes including threat hunting and detecting.

Destination IP (with Port) or URL

If you suspect that endpoints have contacted a specific IP address (for example a command-and-control server) or a phishing URL, the following queries will do the job; just provide the IP address or the URL accordingly. Keep in mind that RemoteUrl is only populated when the sensor saw a name for the connection (DNS or HTTP), so hunt by IP as well.

DeviceNetworkEvents 
| where RemoteIP == "insert destination IPv4 address here"
// optional filter if you also want to restrict the destination port
// RemotePort is an integer column, so do not quote the value
// | where RemotePort == 443

DeviceNetworkEvents 
| where RemoteUrl has "insert URL here"
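In a real investigation you usually have a list of indicators rather than a single one, and you want to know which process on which device made the connection, not only that a connection happened. The query below is an added example, not part of the original post, showing both; it assumes the standard DeviceNetworkEvents schema, and the IP addresses, URLs and port are constructed placeholders (documentation and TEST-NET ranges), not real indicators.

```kql
// Added example (not from the original post): hunt a list of network IOCs in one pass and
// show which process on which device made the connection.
// Assumptions: standard DeviceNetworkEvents schema; the IOC values are constructed placeholders.
let suspicious_ips  = dynamic(["203.0.113.10", "198.51.100.7"]);            // placeholders from TEST-NET ranges
let suspicious_urls = dynamic(["example.invalid", "login-example.invalid"]); // placeholders in a reserved TLD
let suspicious_port = 8443;                                                 // RemotePort is an integer, so no quotes
DeviceNetworkEvents
| where Timestamp >= ago(30d)
| where RemoteIP in (suspicious_ips)
     or RemoteUrl has_any (suspicious_urls)
// | where RemotePort == suspicious_port                                    // optional: restrict to one port
| summarize
    Connections = count(),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Ports       = make_set(RemotePort),
    Urls        = make_set(RemoteUrl),
    Actions     = make_set(ActionType)
    by DeviceName, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by FirstSeen asc
```

Grouping by the initiating process and its command line is what turns a hit into a lead: a browser reaching a phishing domain once is a user click, while an unfamiliar binary in a user-writable path beaconing to the same IP every few minutes is the implant.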

Email sender

If you are investigating possible malware delivery through email, you can use SenderFromAddress, SenderIPv4 or SenderMailFromAddress to identify how far the emails spread to other mailboxes:

  • SenderFromAddress is the email address in the FROM header, which is visible to email recipients in their email clients
  • SenderIPv4 is the sending server's IP address
  • SenderMailFromAddress is the email address in the SMTP MAIL FROM command, also known as the envelope sender or the Return-Path address

The FROM header and the envelope sender are routinely different in phishing, so check both before deciding that a sender is clean.

EmailEvents
// Uncomment one or more of the following filters; if all three are active, every condition must match
// "has" matches a whole term, so a domain such as contoso.com also works; use =~ for an exact address
| where SenderFromAddress has "insert sender email here"
// | where SenderIPv4 == "insert sending server IP here"
// | where SenderMailFromAddress has "insert envelope sender email here"

Email attachment

If you already know the SHA256 hash of a malicious email attachment, the following query will find the deliveries that carried it; the table also records the file name and the recipient of each copy.

EmailAttachmentInfo
| where SHA256 == "insert SHA256 hash here"
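A sender-based hit and an attachment-based hit answer the same question, namely who received what and whether it was delivered, so it pays to look at both tables together. The query below is an added example serving both the "Email sender" and "Email attachment" sections above; it is not from the original post. It starts from a sender and joins EmailEvents to EmailAttachmentInfo on NetworkMessageId and RecipientEmailAddress, which are the columns the two tables share per delivered copy. It assumes the standard Defender for Office 365 schema; the sender address and the SHA256 value are placeholders.

```kql
// Added example (not from the original post), serving the "Email sender" and "Email attachment" sections:
// list every recipient of a sender's mail, the delivery verdict, and the attachments carried.
// Assumptions: standard Defender for Office 365 schema; the sender and hash are placeholders.
let sender          = "billing@example.invalid";                                          // placeholder sender
let attachment_hash = "0000000000000000000000000000000000000000000000000000000000000000"; // placeholder SHA256
EmailEvents
| where Timestamp >= ago(7d)
| where SenderFromAddress =~ sender or SenderMailFromAddress =~ sender                   // header or envelope sender
| join kind=leftouter (                                                                   // keep mails without attachments
    EmailAttachmentInfo
    | where Timestamp >= ago(7d)
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
  ) on NetworkMessageId, RecipientEmailAddress
| extend KnownBadAttachment = (SHA256 == attachment_hash)
// | where KnownBadAttachment                                                             // optional: only the known-bad copies
| project Timestamp, RecipientEmailAddress, Subject, SenderFromAddress, SenderMailFromAddress, SenderIPv4,
          DeliveryAction, DeliveryLocation, ThreatTypes, FileName, FileType, SHA256, KnownBadAttachment
| sort by Timestamp asc
```

DeliveryAction and DeliveryLocation tell you whether each copy reached the inbox, went to junk or quarantine, or was blocked, which is the difference between "notify the user" and "scope a compromise".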

Local user sign in

If you are looking for sign-in activity on a host, by user or by device, the following query will do the job.

DeviceLogonEvents
// Choose to see local sign ins by host or by username; uncomment the filter you need
// "contains" matches part of a name; if you know the exact device name, use =~ (case-insensitive) instead
| where DeviceName contains "insert part of device name here" 
// | where AccountName == "insert the username here"
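Knowing that an account signed in somewhere is rarely enough; what you want is the pattern across devices: where the logons came from, how many failed, and whether a burst of failures was followed by a success on a device the account never used before. The following is an added example, not from the original post, that profiles one account across all onboarded devices. It assumes the standard DeviceLogonEvents schema (ActionType LogonSuccess/LogonFailed, LogonType, RemoteIP, RemoteDeviceName); "jdoe" is a placeholder user name.

```kql
// Added example (not from the original post): profile sign-in activity for one account across devices,
// separating successes from failures and showing where the logons came from.
// Assumptions: standard DeviceLogonEvents schema; "jdoe" is a placeholder.
let account = "jdoe";
DeviceLogonEvents
| where Timestamp >= ago(7d)
| where AccountName =~ account
| where LogonType in ("Interactive", "RemoteInteractive", "Network")   // leave out Service/Batch noise
| summarize
    Successes     = countif(ActionType == "LogonSuccess"),
    Failures      = countif(ActionType == "LogonFailed"),
    LogonTypes    = make_set(LogonType),
    SourceIPs     = make_set(RemoteIP, 20),
    SourceDevices = make_set(RemoteDeviceName, 20),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp)
    by DeviceName, AccountDomain
| extend FailureRatio = round(1.0 * Failures / (Successes + Failures), 2)
| sort by Failures desc, DeviceName asc
```

RemoteInteractive is RDP; a row with RemoteInteractive successes from a workstation's IP on a server the account does not administer is worth the next pivot into DeviceProcessEvents for that device and time.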

Cloud user sign in

There are cases where you need to look into suspicious sign-ins: an unfamiliar IP address or source country accessing your Microsoft cloud environment can be an incident precursor. In Microsoft Sentinel the equivalent table is SigninLogs, where the country code is in the Location column.

AADSignInEventsBeta 
// Uncomment the filter you need; with both active, a sign-in must match the IP and the country
| where IPAddress == "insert suspicious IP address here"
// To filter by country, insert the two-letter ISO 3166 country code [https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes]
// | where Country == "insert ISO country code"
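A single known-bad IP or country is the easy case. The added example below, which is not part of the original post, generalizes the idea: rather than filtering on one value, it flags every account that signed in successfully from more than one country inside the window and lists the countries, IPs and applications involved. It assumes the AADSignInEventsBeta schema exposed in Microsoft 365 Defender advanced hunting, where ErrorCode 0 means success; the 24-hour window is an arbitrary choice.

```kql
// Added example (not from the original post): accounts with successful sign-ins from more than one
// country in the window, with the countries and IPs involved.
// Assumptions: AADSignInEventsBeta schema (ErrorCode 0 = success); the 24-hour window is arbitrary.
AADSignInEventsBeta
| where Timestamp >= ago(24h)
| where ErrorCode == 0                     // successful sign-ins only
| where isnotempty(Country)                // skip records without geo data
| summarize
    Countries    = make_set(Country),
    CountryCount = dcount(Country),
    IPs          = make_set(IPAddress, 20),
    Apps         = make_set(Application, 20),
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp)
    by AccountUpn
| where CountryCount > 1
| sort by CountryCount desc, LastSeen desc
```

Expect legitimate noise from VPN exits, mobile carriers and travelling staff; the query is a triage list, so pair it with the IP reputation and the sign-in application before escalating.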

File hash

If you need to search for a specific file hash, whether you have SHA256, SHA1 or MD5, you can use the following query to hunt. DeviceFileEvents records file creation, modification and deletion; if the file was executed rather than written during the window, look in DeviceProcessEvents, which carries the same three hash columns.

DeviceFileEvents
// Replace SHA256 with SHA1 or MD5, depending on what you have available
// Defender stores hashes in lowercase hexadecimal, so paste the hash in lowercase
| where SHA256 == "insert hash here"
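Rewriting the query per hash algorithm and per table gets old quickly, especially when a report hands you a mix of SHA256, SHA1 and MD5 values. The added example below, not from the original post, takes a list of hashes of any type and searches the three Defender for Endpoint tables that carry hash columns in one union. It assumes the standard DeviceFileEvents, DeviceProcessEvents and DeviceImageLoadEvents schemas; the hash values are obvious placeholders.

```kql
// Added example (not from the original post): search hashes of any type across the tables that carry
// hash columns, so the query does not need rewriting per algorithm or per table.
// Assumptions: standard Defender for Endpoint schema; the hashes are placeholders (use lowercase hex).
let hashes = dynamic([
    "0000000000000000000000000000000000000000000000000000000000000000",   // placeholder SHA256
    "0000000000000000000000000000000000000000",                           // placeholder SHA1
    "00000000000000000000000000000000"                                    // placeholder MD5
]);
let window = 30d;
union
  (DeviceFileEvents
   | where Timestamp >= ago(window)
   | where SHA256 in (hashes) or SHA1 in (hashes) or MD5 in (hashes)
   | project Timestamp, DeviceName, Source = "DeviceFileEvents", ActionType, FileName, FolderPath,
             SHA256, SHA1, MD5, InitiatingProcessFileName),
  (DeviceProcessEvents
   | where Timestamp >= ago(window)
   | where SHA256 in (hashes) or SHA1 in (hashes) or MD5 in (hashes)
   | project Timestamp, DeviceName, Source = "DeviceProcessEvents", ActionType, FileName, FolderPath,
             SHA256, SHA1, MD5, InitiatingProcessFileName),
  (DeviceImageLoadEvents
   | where Timestamp >= ago(window)
   | where SHA256 in (hashes) or SHA1 in (hashes) or MD5 in (hashes)
   | project Timestamp, DeviceName, Source = "DeviceImageLoadEvents", ActionType, FileName, FolderPath,
             SHA256, SHA1, MD5, InitiatingProcessFileName)
| sort by Timestamp asc
```

The Source column tells you at a glance whether the file was only dropped (DeviceFileEvents), launched as a process (DeviceProcessEvents) or loaded as a DLL into another process (DeviceImageLoadEvents), which changes the severity considerably.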

Process injection

If you have a clue about malicious activity involving process injection, or want to hunt after reading a report, the following query helps you start by reconstructing the process tree: InitiatingProcessFileName is the parent of each process created, and InitiatingProcessParentFileName is its grandparent. Injection itself does not create a new process, so treat the lineage as the starting point and review the command lines of whatever the query returns.

DeviceProcessEvents 
// Filter by the grandparent and/or the parent of the created process; comment out the one you do not need
// "contains" matches part of the name; use =~ to match the whole file name
| where InitiatingProcessParentFileName contains "insert grandparent filename here"
| where InitiatingProcessFileName contains "insert parent filename here"
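The lineage query tells you what a suspicious binary launched, not what it touched. The added example below, which is not part of the original post, puts two views side by side for one suspect file name: the process tree with command lines from DeviceProcessEvents, and the cross-process thread creation records from DeviceEvents, since CreateRemoteThread is the most common injection primitive. It assumes the standard Defender for Endpoint schema and that the ActionType value "CreateRemoteThreadApiCall" is present in your tenant's DeviceEvents (verify with DeviceEvents | distinct ActionType); "rundll32.exe" is a placeholder for the file name you are hunting.

```kql
// Added example (not from the original post): process tree plus cross-process thread creation
// around one suspicious file name.
// Assumptions: standard Defender for Endpoint schema; the ActionType "CreateRemoteThreadApiCall"
// is assumed to exist in your tenant's DeviceEvents; "rundll32.exe" is a placeholder.
let suspect = "rundll32.exe";
let window  = 7d;
union
  (DeviceProcessEvents
   | where Timestamp >= ago(window)
   | where FileName =~ suspect or InitiatingProcessFileName =~ suspect
   | project Timestamp, DeviceName,
             Evidence    = "ProcessCreate",
             Grandparent = InitiatingProcessParentFileName,
             Initiator   = InitiatingProcessFileName,      // parent of the created process
             Target      = FileName,                       // the created process
             InitiatorCmd = InitiatingProcessCommandLine,
             TargetCmd   = ProcessCommandLine,
             Account     = AccountName),
  (DeviceEvents
   | where Timestamp >= ago(window)
   | where ActionType == "CreateRemoteThreadApiCall"
   | where InitiatingProcessFileName =~ suspect or FileName =~ suspect
   | project Timestamp, DeviceName,
             Evidence    = "RemoteThread",
             Grandparent = InitiatingProcessParentFileName,
             Initiator   = InitiatingProcessFileName,      // process that created the remote thread
             Target      = FileName,                       // process that received the thread
             InitiatorCmd = InitiatingProcessCommandLine,
             TargetCmd   = "",                             // no command line for the target in this record
             Account     = InitiatingProcessAccountName)
| sort by DeviceName asc, Timestamp asc
```

Reading the two evidence types together on one device timeline is the point: a ProcessCreate row for an Office application spawning the suspect, followed within seconds by a RemoteThread row where the suspect is the Initiator and a browser or explorer.exe is the Target, is the classic injection chain.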

Closing remarks

The queries above are the absolute basics. You may consider others fundamental as well, depending on your environment setup. Keep these in the back of your head for quick searches during incident analysis and hunting; they can also be saved under the "Saved Queries" tab in the Microsoft 365 Defender Advanced Hunting blade.

Hunting is a continuous process built on a development framework that accounts for elements such as your environment, your risks and your likely attackers. You may find more on how to approach such a framework in my GitHub repo, where I present both Microsoft's and the MITRE ATT&CK methodology.

Good luck hunting!
