### Get latest device information Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceinfo-table This query retrieves the most recent information for a specific device by summarizing the DeviceInfo table based on the latest IngestionTime. It filters for a device named 'example' and ensures the OSPlatform is not empty. ```kusto // Get latest information on user/device DeviceInfo | extend IngestionTime = ingestion_time() | where DeviceName == "example" and isnotempty(OSPlatform) | summarize arg_max(IngestionTime, *) by DeviceId ``` -------------------------------- ### Example GET request for incident information Source: https://learn.microsoft.com/en-us/defender-xdr/api-get-incident This is an example of an HTTP GET request to retrieve incident information using the API. Replace '{id}' with the specific incident ID you want to query. ```http GET https://api.security.microsoft.com/api/incidents/{id} ``` -------------------------------- ### Example: Obtain list of onboarded devices that have seen a device Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-seenby-function This example demonstrates how to use the SeenBy() function to find devices that have seen a specific device, by first filtering the DeviceInfo table. ```APIDOC ## Example: Obtain list of onboarded devices that have seen a device ```kusto DeviceInfo | where OnboardingStatus <> "Onboarded" | limit 100 | invoke SeenBy() ``` ``` -------------------------------- ### Get an access token using curl Source: https://learn.microsoft.com/en-us/defender-xdr/api-create-app-web This command-line example shows how to obtain an access token using curl by sending a POST request with client credentials to the OAuth 2.0 token endpoint. ```APIDOC ## Get an access token using curl ### Description Use this curl command to obtain an access token by providing your client ID, client secret, and tenant ID. The `scope` parameter is set to `https://api.security.microsoft.com/.default` for accessing all available permissions. ### Command ```bash curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://api.security.microsoft.com/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k ``` ### Example Response ```json { "token_type": "Bearer", "expires_in": 3599, "ext_expires_in": 0, "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA" } ``` ``` -------------------------------- ### CSL File Comments Example Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-expert-training This snippet shows how comments are used in a CSL file to describe tables and their contents. Comments start with '//'. ```kusto // DeviceLogonEvents // A table containing a row for each logon a device enrolled in Microsoft Defender for Endpoint // Contains // - Account information associated with the logon // - The device which the account logged onto // - The process which performed the logon // - Network information (for network logons) // - Timestamp ``` -------------------------------- ### Running Advanced Hunting Queries Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-expert-training This example demonstrates how to run specific queries from a text file containing multiple queries and comments. Place the cursor on the desired query and select 'Run query'. ```kusto DeviceLogonEvents | count // DeviceLogonEvents // A table containing a row for each logon a device enrolled in Microsoft Defender for Endpoint // Contains // - Account information associated with the logon // - The device which the account logged onto // - The process which performed the logon // - Network information (for network logons) // - Timestamp CloudAppEvents | take 100 | sort by Timestamp desc ``` -------------------------------- ### List Incidents API Request Source: https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents This is an example of an HTTP GET request to the incidents API endpoint. It is used to retrieve a list of incidents. ```http GET https://api.security.microsoft.com/api/incidents ``` -------------------------------- ### Check Kubernetes Network Plugins Source: https://learn.microsoft.com/en-us/defender-xdr/investigate-respond-container-threats Run this command in the Cloud Shell to identify supported network plugins like azure-npm, calico-node, cilium, or aws-node. An empty result indicates that no supported plugin is installed. ```bash kubectl get pods --all-namespaces -o json | jq -r '.items[].metadata.labels["k8s-app"]' | uniq | grep -E 'azure-npm|calico-node|cilium|aws-node' | head -n 1 ``` -------------------------------- ### Get Device Status Info (Onboarding Status) Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-query-emails-devices Checks the onboarding status of devices by querying the DeviceInfo table within the last day and identifying devices that are not 'Onboarded'. ```Kusto DeviceInfo | where Timestamp > ago(1d) | where OnboardingStatus != "Onboarded" | summarize by DeviceId | join kind=inner ( DeviceInfo | where Timestamp > ago(1d) ) on DeviceId | take 10 ``` -------------------------------- ### Get Network Event Information Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-query-emails-devices Retrieves information on network-related events from the DeviceInfo and DeviceNetworkEvents tables within the last day, filtering for devices with a client version starting with '20.1'. ```Kusto DeviceInfo | where Timestamp > ago(1d) | where ClientVersion startswith "20.1" | summarize by DeviceId | join kind=inner ( DeviceNetworkEvents | where Timestamp > ago(1d) ) on DeviceId | take 10 ``` -------------------------------- ### Start Advanced Hunting Query Source: https://learn.microsoft.com/en-us/defender-xdr/pilot-deploy-investigate-respond Begin an advanced hunting query by selecting the EmailEvents table. This is the initial step to gather email-related data. ```kql EmailEvents ``` -------------------------------- ### Get File Event Information Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-query-emails-devices Retrieves information on file-related events from the DeviceInfo and DeviceFileEvents tables within the last day, filtering for devices with a client version starting with '20.1'. ```Kusto DeviceInfo | where Timestamp > ago(1d) | where ClientVersion startswith "20.1" | summarize by DeviceId | join kind=inner ( DeviceFileEvents | where Timestamp > ago(1d) ) on DeviceId | take 10 ``` -------------------------------- ### Optimize summarize with shuffle hint for high cardinality Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices Apply the `hint.shufflekey` with `summarize` to distribute processing load and improve performance when operating on columns with high cardinality, such as recipient email addresses. ```kusto EmailEvents | where Timestamp > ago(1h) | summarize hint.shufflekey = RecipientEmailAddress count() by Subject, RecipientEmailAddress ``` -------------------------------- ### Get Access Token using MSAL.PS in PowerShell Source: https://learn.microsoft.com/en-us/defender-xdr/api-create-app-user-context Install the MSAL.PS module and use it to acquire an access token for delegated permissions. Ensure you replace placeholder values for TenantId and AppClientId. ```PowerShell Install-Module -Name MSAL.PS # Install the MSAL.PS module from PowerShell Gallery $TenantId = " " # Paste your directory (tenant) ID here. $AppClientId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # Paste your application (client) ID here. $MsalParams = @{ ClientId = $AppClientId TenantId = $TenantId Scopes = 'https://graph.microsoft.com/User.Read.All','https://graph.microsoft.com/Files.ReadWrite','https://api.securitycenter.windows.com/AdvancedQuery.Read' } $MsalResponse = Get-MsalToken @MsalParams $AccessToken = $MsalResponse.AccessToken $AccessToken # Display the token in PS console ``` -------------------------------- ### Check New Connector Creation (KQL) Source: https://learn.microsoft.com/en-us/defender-xdr/alert-classification-malicious-exchange-connectors Use this KQL query to identify newly created inbound connectors within a specified time window. Adjust 'timeWindow' to modify the lookback period. ```kql let timeWindow = now(-7d); let timeNow = now(); CloudAppEvents | where Timestamp between (timeWindow .. timeNow) | where isnotempty(AccountObjectId) | where ActionType == "New-InboundConnector" | mvexpand property = RawEventData.Parameters | extend ConnectorName = iff(property.Name == "Name", property.Value, ""), IsEnabled = iff((property.Name == "Enabled" and property.Value == "True"), true, false) | where isnotempty( ConnectorName) or IsEnabled | project-reorder ConnectorName, IsEnabled ``` -------------------------------- ### Describe the query and specify the tables to search Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-query-language A comment at the beginning of a query explains its purpose, which is helpful for documentation and sharing. ```Kusto // Finds PowerShell execution events that could involve a download ``` -------------------------------- ### Get latest devices for specific IP addresses Source: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicefromip-function Use this example to find the most recent devices assigned to specific IP addresses. It filters network events, extracts local IP addresses, and then invokes the DeviceFromIP() function. ```kusto DeviceNetworkEvents | limit 100 | project IP = LocalIP | invoke DeviceFromIP() ```