Get expert training on advanced hunting

Note

Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

Boost your knowledge of advanced hunting quickly with Tracking the adversary, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals or jump to more advanced videos that suit your level of experience.

Episode 1: KQL fundamentals
  Description: This episode covers the basics of advanced hunting in Microsoft Defender XDR. Learn about available advanced hunting data and basic KQL syntax and operators.
  Watch: YouTube (54:14)
  Queries: Text file

Episode 2: Joins
  Description: Continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and understand the nuances of the default Kusto innerunique join.
  Watch: YouTube (53:33)
  Queries: Text file

Episode 3: Summarizing, pivoting, and visualizing data
  Description: Now that you've learned to filter, manipulate, and join data, it's time to summarize, quantify, pivot, and visualize. This episode discusses the summarize operator and various calculations, while introducing additional tables in the schema. You'll also learn to turn datasets into charts that can help you extract insight.
  Watch: YouTube (48:52)
  Queries: Text file

Episode 4: Let's hunt! Applying KQL to incident tracking
  Description: In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response.
  Watch: YouTube (59:36)
  Queries: Text file

Get more expert training with L33TSP3AK: Advanced hunting in Microsoft Defender XDR, a webcast series for analysts looking to expand their technical knowledge and practical skills in conducting security investigations using advanced hunting in Microsoft Defender XDR.

Episode 1
  Description: In this episode, you will learn different best practices in running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators.
  Watch: YouTube (56:34)
  Queries: Text file

Episode 2
  Description: In this episode, you will learn how to investigate and respond to suspicious or unusual logon locations and data exfiltration via inbox forwarding rules. Sebastien Molendijk, Senior Program Manager for Cloud Security CxE, shares how to use advanced hunting to investigate multi-stage incidents with Microsoft Defender for Cloud Apps data.
  Watch: YouTube (57:07)
  Queries: Text file

Episode 3
  Description: In this episode, we will cover the latest improvements to advanced hunting, how to import an external data source into your query, and how to use partitioning to segment large query results into smaller result sets to avoid hitting API limits.
  Watch: YouTube (40:59)
  Queries: Text file

How to use the CSL file

Before starting an episode, access the corresponding text file on GitHub and copy its contents to the advanced hunting query editor. As you watch an episode, you can use the copied contents to follow the speaker and run queries.

The following excerpt from a text file containing the queries shows the guidance that accompanies each query, written as comments prefixed with //.

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

The same text file includes queries before and after the comments, as shown below. When the editor contains multiple queries, run a specific one by moving the cursor into that query and selecting Run query.

DeviceLogonEvents
| count

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

CloudAppEvents
| take 100
| sort by Timestamp desc
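The following is an added example in the same layout as the webcast query files (guidance as // comments, followed by the query); it is not taken from those files. It ties the Episode 2 join topic to DeviceLogonEvents by looking for a burst of failed logons followed by a success from the same remote source, and shows why the default innerunique join would drop rows here. The column names (Timestamp, DeviceName, AccountName, ActionType, LogonType, RemoteIP) are assumed to match the DeviceLogonEvents schema; the thresholds and time windows are illustrative.

```kql
// DeviceLogonEvents: failed-logon burst followed by a success from the same source
// Guidance is written as // comments, as in the webcast query files.
// Assumes standard DeviceLogonEvents columns; the counts and windows are illustrative.

// Step 1: count failed network logons per source IP, device and account in 1-hour bins
let FailedBursts =
    DeviceLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonFailed" and isnotempty(RemoteIP)
    | summarize FailedCount = count(),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp)
        by RemoteIP, DeviceName, AccountName, bin(Timestamp, 1h)
    | where FailedCount >= 10;

// Step 2: successful logons from a remote source to the same device and account
let Successes =
    DeviceLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonSuccess" and isnotempty(RemoteIP)
    | project SuccessTime = Timestamp, RemoteIP, DeviceName, AccountName, LogonType;

// Step 3: join the two sets. The default innerunique flavor keeps only one
// left-side row per key, so a source that produced bursts in several hours
// would lose all but one of them; kind=inner keeps every matching pair.
FailedBursts
| join kind=inner Successes on RemoteIP, DeviceName, AccountName
// Keep only successes that land within 30 minutes after the last failure in the burst
| where SuccessTime between (LastFailure .. (LastFailure + 30m))
| project FirstFailure, LastFailure, SuccessTime, RemoteIP, DeviceName,
          AccountName, FailedCount, LogonType
| sort by SuccessTime desc
```

Switching kind=inner back to the default and comparing the row counts is a quick way to see the innerunique behaviour the Episode 2 webcast discusses.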

Other resources

Joining tables in KQL
  Description: Learn the power of joining tables in creating meaningful results.
  Watch: YouTube (4:17)

Optimizing tables in KQL
  Description: Learn how to avoid timeouts when running complex queries by optimizing your queries.
  Watch: YouTube (5:38)

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.