defender-xdr/advanced-hunting-query-builder.md
20 additions & 20 deletions
@@ -44,15 +44,15 @@ You can watch this video to get an overview of guided hunting:

In the **Advanced hunting** page, select **Create new** to open a new query tab and select **Query in builder**.

-

+

This brings you to the guided mode, where you can then construct your query by selecting different components using dropdown menus.

## Specify the data domain to hunt in

You can control the scope of the hunt by selecting which domain the query covers:

-

+

Selecting **All** includes data from all domains you currently have access to. Narrowing down to a specific domain allows filters relevant to that domain only.

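Review bot: the `-`/`+` pairs in this hunk, like every changed line in this patch, carry no visible content in this view, so what was removed and what replaced it cannot be checked against the step each one illustrates (the text before the first pair ends with "select **Query in builder**." and the text after it starts "This brings you to the guided mode"). Add a one-line summary of the substitution to the commit description, or make sure the rendered diff shows the changed line, so a reviewer can confirm it still matches the surrounding instructions.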
@@ -69,11 +69,11 @@ You can choose from:

By default, guided hunting includes a few basic filters to get you started fast.

-

+

When you choose one data source, for instance, **Endpoints**, the query builder displays only the applicable filter groups. You can then choose a filter you are interested in narrowing down by selecting that filter group, for instance, **EventType**, and selecting the filter of your choice.

-

+

Once the query is ready, select the blue **Run query** button. If the button is grayed out, it means the query needs to be filled out or edited further.

@@ -83,18 +83,18 @@ Once the query is ready, select the blue **Run query** button. If the button is
## Load sample queries

Another quick way to get familiar with guided hunting is to load sample queries using the **Load sample queries** dropdown menu.
-

+

> [!NOTE]
> Selecting a sample query overrides the existing query.

Once the sample query is loaded, select **Run query**.

-

+

If you have previously selected a domain, the list of available sample queries changes accordingly.

-

+

To restore the complete list of sample queries, select **All domains** then reopen **Load sample queries**.

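Review bot: in the note between the first two changed lines, `> Selecting a sample query overrides the existing query.` should say "replaces" (or "overwrites"): "overrides" suggests precedence rather than loss of the current content, and the point of the note is that whatever is in the builder when a sample is loaded is discarded, which is worth stating directly.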
@@ -104,17 +104,17 @@ If the loaded sample query uses filters outside of the basic filter set, the tog

To view more filter groups and conditions, select **Toggle to see more filters and conditions**.

-

+

When the **All filters** toggle is active, you can now use the full range of filters and conditions in guided mode.

-

+

### Create conditions

To specify a set of data to be used in the query, select **Select a filter**. Explore the different filter sections to find what is available to you.

-

+

Type the section's titles in the search box at the top of the list to find the filter. Sections ending in *info* contain filters that provide information about the different components you can look at and filters for the states of entities. Sections ending in *events* contain filters that allow you to look for any monitored event on the entity. For instance, to hunt for activities involving certain devices, you can use the filters under the **Device events** section.

@@ -123,11 +123,11 @@ Type the section's titles in the search box at the top of the list to find the f

Next, set the appropriate condition to further filter the data by selecting it from the second dropdown menu and providing entries in the third dropdown menu if necessary:

-

+

You can add more conditions to your query by using **AND**, and **OR** conditions. AND returns results that fulfill all conditions in the query, while OR returns results that fulfill any of the conditions in the query.

-

+

Refining your query allows you to automatically sift through voluminous records to generate a list of results that is already targeted to your specific threat hunting need.

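Review bot: the sentence between the two changed lines, `You can add more conditions to your query by using **AND**, and **OR** conditions.`, has a stray comma after **AND**, and more importantly it defines AND and OR separately without saying how the builder evaluates a mix of both (which operator binds tighter, or whether conditions are grouped in the order they were added). Since that decides which events a query returns, add a sentence on the precedence or grouping rule here, next to the definitions.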
@@ -139,7 +139,7 @@ Another way to get familiar with guided hunting is to load sample queries pre-cr

In the **Getting started** section of the hunting page, we have provided three guided query examples that you can load. The query examples contain some of the most common filters and inputs you would typically need in your hunting. Loading any of the three sample queries opens a guided tour of how you would construct the entry using guided mode.

-

+

Follow the instructions in the blue teaching bubbles to construct your query. Select **Run query**.

@@ -149,33 +149,33 @@ Follow the instructions in the blue teaching bubbles to construct your query. Se

To hunt for successful network communications to a specific IP address, start typing "ip" to get suggested filters:

-

+

To look for events involving a specific IP address where the IP is the destination of the communication, select `DestinationIPAddress` under the IP Address Events section. Then select the **equals** operator. Type the IP in the third dropdown menu and press **Enter**:

-

+

Then, to add a second condition which searches for successful network communication events, search for the filter of a specific event type:

-

+

The **EventType** filter looks for the different event types logged. It is equivalent to the **ActionType** column which exists in most of the tables in advanced hunting. Select it to choose one or more event types to filter for. To look for successful network communication events, expand the **DeviceNetworkEvents** section and then choose `ConnectionSuccess`:

-

+

Finally, select **Run query** to hunt for all successful network communications to the 52.168.117.170 IP address:

-

+

### Hunt for high confidence phish or spam emails delivered to inbox

To look for all high confidence phish and spam emails that were delivered to the inbox folder at the time of delivery, first select **ConfidenceLevel** under Email Events, select **equals** and choose **High** under both **Phish** and **Spam** from the suggested closed list which supports multi-selection:

-

+

Then, add another condition, this time specifying the folder or **DeliveryLocation, Inbox/folder**.

-

+

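Review bot: the value 52.168.117.170 is named only in the final step of the IP walkthrough (`Finally, select **Run query** to hunt for all successful network communications to the 52.168.117.170 IP address:`) while the step that actually enters it says only "Type the IP in the third dropdown menu and press **Enter**"; state the address at the point where it is typed so the example can be reproduced step by step. In the phish/spam example the closing sentence, `Then, add another condition, this time specifying the folder or **DeliveryLocation, Inbox/folder**.`, is a fragment: spell out the filter, the operator and the value the way the **ConfidenceLevel** step does (filter, **equals**, chosen value) so the reader knows what to select.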