Edit

Advanced hunting example for Microsoft Defender for Office 365

  • Article

Note

Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

Want to get started searching for email threats using advanced hunting? Try this:

The Getting Started section of the Microsoft Defender for Office 365 article has logical early configuration chunks that look like this:

  1. Configure everything with 'Anti' in the name.
    • Anti-malware
    • Anti-phishing
    • Anti-spam
  2. Set up everything with 'Safe' in the name.
    • Safe Links
    • Safe Attachments
  3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams).
  4. Protect with zero-Hour auto purge.

Along with a link to jump right in and get configuration going on Day 1.

The last step in Getting Started is protecting users with Zero-Hour auto purge, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.

Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps here, under Hunting > Advanced Hunting.

  1. On the Advanced Hunting page, click Query.
  2. Copy the query below into the query window.
  3. Select Run query.
EmailPostDeliveryEvents 
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress 
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn, 
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType

The Advanced hunting page (under Hunting) with Query selected at the top of the query panel, and running a Kusto query to capture ZAP actions over the last 7 days.

The data from this query will appear in the results panel below the query itself. Results include information like 'DeviceName', 'AccountDisplayName', and 'ZapTime' in a customizable result set. Results can also be exported for your records. If the query is one you'll need again, select Save > Save As and add the query to your list of queries, shared, or community queries.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft 365 Defender Tech Community.