Advanced Threat Hunting in Microsoft 365 Security
Discover useful information from all 4 Microsoft 365 Defender menus.
All the logs available in Microsoft 365 Defender products can be found in the Hunting menu in Microsoft 365 Security. If the user knows KQL, they can find all sorts of useful information about their cloud products like cloud app activity, device activity, and information from logs around the time of security incidents.
In this blog, we show how an analyst can use all the logs available in the Hunting menu to find useful information about their cloud security products. We will also discuss examples of how analysts at CyberMSI have used this information to enhance their work in customer environments.
Alerts
The Alerts tables have a record of alerts generated by all 4 Microsoft 365 Defender platforms. This information is useful for learning more about alerts that are being investigated as part of an incident.
Since incidents cannot be queried on their own, analysts doing investigations will have to query the associated alerts instead. Analysts can also use this information to find additional information and trends about alerts that are happening in each Microsoft 365 Defender product.
Apps (MCAS)
There are 2 tables in the “Apps & Identities” section that have all available logs from Microsoft Cloud App Security (MCAS). These tables are useful for discovering more about cloud app activity, but they are not tied directly to alerts within MCAS which makes them tricky to use. Analysts can use this table to help with investigating advanced or low information incidents coming from MCAS.
Identities (User Information and MDI)
Most of the tables in the “Apps & Identities” section have information about identity in Microsoft 365 Defender products. These tables are useful for finding more information about who was involved in an incident and for learning more about the timeline of an incident.
There are also tables for Azure Active Directory activity that analysts can use when looking for more details about an incident in Microsoft Defender for Identity.
Emails (Defender for Office 365)
These tables are used to query information collected by Defender for Office 365 about emails. These tables can be used to discover more about incidents that involve phishing emails and email attachments. More tables for Defender for Office 365 will likely be added in the future that have information about malicious activity on other Office 365 applications like Teams, SharePoint, and OneDrive.
Devices (MDE)
The tables in the “Device” section are all tables that analysts can query to find log information about endpoints connected to MDE. These tables are useful for more complex MDE incident investigations because they can be used to find information that is not normally available in the MDE UI like events from the event log, network events, and process events.
Threat & Vulnerability Management
The TVM logs allow analysts and security admins to learn more about the configurations that TVM discovers about devices connected to MDE. These tables can be used by analysts to find information about vulnerabilities that lead to an incident. These tables can be used by security admins to find trends in vulnerabilities in their environment.
We will continue to share best practices and lessons learned in future posts on advanced threat hunting. CyberMSI is constantly finding new and useful ways to use log data from Microsoft cloud security products.
In closing, consider these three questions when using 365 Security advanced threat hunting in your organization:
- Do our analysts have a strong enough understanding of KQL to get useful data out of these logs?
- What information are we missing from the UIs that we can potentially find using these logs?
- What guidance do we need to provide to our analysts so that they do not spend excessive time querying small details?