Microsoft 365 Defender Advanced Hunting
Microsoft 365 Defender Advanced Hunting is a cloud-based service that allows you to perform advanced investigations and hunt for threats in your Microsoft 365 environment. With access to a rich set of data sources and advanced search capabilities, you can identify threats that might not be detected by other security tools. Reviewing Exchange Online activity with Microsoft 365 Defender is recommended at least once.
Key features of Microsoft 365 Defender Advanced Hunting include the ability to search across a wide range of data sources, use an advanced query language (Kusto Query Language), collaborate with other security professionals, and integrate with other security tools.
What is Kusto Query Language?
Kusto Query Language (KQL) is a powerful query language that is used to search and analyze data in the Microsoft 365 Defender Advanced Hunting service. It allows you to create complex queries and analyze data in real-time, making it an essential tool for advanced investigations and hunting for threats in your Microsoft 365 environment.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/
Some of the key features of KQL include:
- Syntax: KQL has a simple and intuitive syntax, making it easy to learn and use.
- Data types: KQL supports a wide range of data types, including strings, numbers, and dates, which makes it well-suited for working with a variety of data sources.
- Operators: KQL provides a variety of operators that you can use to filter, group, and transform data.
- Functions: KQL includes a number of built-in functions that you can use to perform various operations on data, such as calculating averages, sums, and counts.
Monitor Exchange Online Activities
There are already many community sample queries available.
E-Mails DeliveryAction from the Last 30 Days
// Inbound mail per day, split by delivery outcome (Delivered, Junked, Blocked, ...)
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| summarize count() by bin(Timestamp, 1d), DeliveryAction
| render linechart
E-Mail Attachment Info from the Last 30 Days
// Attachments per day, split by file type
EmailAttachmentInfo
| where Timestamp > ago(30d)
| summarize count() by bin(Timestamp, 1d), FileType
| render linechart
When you hide the pink line, which is the attachment type “png”, the chart looks like this:
What we now see is that “jpeg” and “pdf” (the large spikes) are the most common attachment file types in the organization. You can use this information in many ways; I found it very interesting during testing. One possible finding is that users send too many Word or Excel files instead of PDF files.
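The charts above show which attachment types are normal for the organization; the next step a hunter usually wants is the reverse view, the types that are rare. The query below is an added example, not part of the original post or of Microsoft's sample queries. It uses only documented columns of the EmailEvents and EmailAttachmentInfo tables; the 30-day window and the rarity threshold of 10 messages are assumptions to tune for your tenant.

```kql
// Added example: find inbound attachment file types that are rare in this
// tenant over the last 30 days, and show whether those messages reached
// the inbox. Rare types are a good starting point for a closer look.
let lookback = 30d;                     // assumption: match the charts above
let rareThreshold = 10;                 // assumption: tune per tenant size
let inbound = EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              DeliveryAction, DeliveryLocation;
let attachments = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256;
// Join attachments to their inbound message so we know the delivery outcome.
let inboundAttachments = attachments
    | join kind=inner inbound on NetworkMessageId, RecipientEmailAddress;
// Baseline: in how many distinct inbound messages does each file type appear?
let typeCounts = inboundAttachments
    | summarize MessageCount = dcount(NetworkMessageId) by FileType;
// Keep only the rare types and summarize who sent them and where they landed.
inboundAttachments
| join kind=inner typeCounts on FileType
| where MessageCount < rareThreshold
| summarize Messages  = dcount(NetworkMessageId),
            Delivered = countif(DeliveryAction == "Delivered"),
            Senders   = make_set(SenderFromAddress, 20),
            Files     = make_set(FileName, 20)
          by FileType, MessageCount
| order by MessageCount asc
```

Types that show up with Delivered > 0 and senders outside the organization are the rows to review first; the SHA256 column kept in the attachments step lets you pivot to file-level data from there.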
Conclusion
In conclusion, Microsoft 365 Defender Advanced Hunting is a powerful tool that provides advanced threat investigation and hunting capabilities for your Microsoft 365 environment. With access to a wide range of data sources and advanced search capabilities, you can identify and respond to threats that might not be detected by other security tools.
If you want to improve your organization’s security posture and protect your data from threats, Microsoft 365 Defender Advanced Hunting is an excellent resource. It provides the data and tools you need to identify and respond to threats in your Microsoft 365 environment, helping you keep your organization secure.