Get expert training on advanced hunting
Applies to:
- Microsoft Defender XDR
Boost your knowledge of advanced hunting quickly with Tracking the adversary, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals or jump to more advanced videos that suit your level of experience.
| Title | Description | Watch | Queries |
|---|---|---|---|
| Episode 1: KQL fundamentals | This episode covers the basics of advanced hunting in Microsoft Defender XDR. Learn about available advanced hunting data and basic KQL syntax and operators. | YouTube (54:14) | Text file |
| Episode 2: Joins | Continue learning about data in advanced hunting and how to join tables together. Learn about | YouTube (53:33) | Text file |
| Episode 3: Summarizing, pivoting, and visualizing data | Now that you've learned to filter, manipulate, and join data, it's time to summarize, quantify, pivot, and visualize. This episode discusses the | YouTube (48:52) | Text file |
| Episode 4: Let's hunt! Applying KQL to incident tracking | In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response. | YouTube (59:36) | Text file |
Get more expert training with L33TSP3AK: Advanced hunting in Microsoft 365 Defender, a webcast series for analysts looking to expand their technical knowledge and practical skills in conducting security investigations using advanced hunting in Microsoft Defender XDR.
| Title | Description | Watch | Queries |
|---|---|---|---|
| Episode 1 | In this episode, you learn best practices for running advanced hunting queries. Topics covered include how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | YouTube (56:34) | Text file |
| Episode 2 | In this episode, you learn how to investigate and respond to suspicious or unusual logon locations and to data exfiltration via inbox forwarding rules. Sebastien Molendijk, Senior Program Manager for Cloud Security CxE, shares how to use advanced hunting to investigate multi-stage incidents with Microsoft Defender for Cloud Apps data. | YouTube (57:07) | Text file |
| Episode 3 | This episode covers the latest improvements to advanced hunting, how to import an external data source into your query, and how to use partitioning to segment large query results into smaller result sets so that you avoid hitting API limits. | YouTube (40:59) | Text file |
How to use the CSL file
Before starting an episode, access the corresponding text file on GitHub and copy its contents to the advanced hunting query editor. As you watch an episode, you can use the copied contents to follow the speaker and run queries.
The following excerpt from a text file containing the queries shows a comprehensive set of guidance marked as comments with `//`:

```kusto
// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp
```
The same text file includes queries before and after the comments, as shown below. When the editor contains multiple queries, place the cursor inside the query you want to run and select Run query; only that query is executed.

```kusto
DeviceLogonEvents
| count

// DeviceLogonEvents
// A table containing a row for each logon on a device enrolled in Microsoft Defender for Endpoint
// Contains
// - Account information associated with the logon
// - The device which the account logged onto
// - The process which performed the logon
// - Network information (for network logons)
// - Timestamp

CloudAppEvents
| take 100
| sort by Timestamp desc
```
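The following query is an added example and is not one of the webcast text files. It applies the join and summarize operators covered in episodes 2 and 3 to the DeviceLogonEvents table described in the comments above, and surfaces accounts that succeeded in logging on to a device from a remote IP only after a burst of failed logons from that same IP, a pattern worth triaging as a possible brute-force or password-spray success. The column names (ActionType, LogonType, RemoteIP, IsLocalAdmin, FailureReason, InitiatingProcessFileName) are taken from the documented DeviceLogonEvents schema; the 7-day lookback and the failure threshold are assumptions to tune for your tenant.

```kusto
// Added example (not from the webcast files): remote logons that succeeded
// only after a run of failures from the same source IP.
// Assumes the documented DeviceLogonEvents columns; lookback and threshold are arbitrary.
let lookback = 7d;
let failureThreshold = 20;   // assumption: tune to your environment's noise level
// Step 1 (episode 3): summarize failed remote logons per device, account and source IP.
let Failures = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where isnotempty(RemoteIP)
    | summarize FailedAttempts = count(),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp),
                Reasons = make_set(FailureReason, 5)
        by DeviceName, AccountName, RemoteIP
    | where FailedAttempts >= failureThreshold;
// Step 2: successful remote logons in the same window, keeping the context we want to report.
let Successes = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where isnotempty(RemoteIP)
    | project SuccessTime = Timestamp, DeviceName, AccountName, RemoteIP,
              LogonType, IsLocalAdmin, InitiatingProcessFileName;
// Step 3 (episode 2): join on the three-part key. kind=inner is stated explicitly because
// the KQL default, innerunique, deduplicates left-side keys and would silently drop rows.
Failures
| join kind=inner Successes on DeviceName, AccountName, RemoteIP
| where SuccessTime > LastFailure                       // the success came after the failures stopped
| extend TimeToSuccess = SuccessTime - LastFailure
| project SuccessTime, DeviceName, AccountName, RemoteIP, LogonType, IsLocalAdmin,
          FailedAttempts, FirstFailure, LastFailure, TimeToSuccess, Reasons,
          InitiatingProcessFileName
| sort by FailedAttempts desc, SuccessTime desc
```

Paste the whole block into the query editor as one query (the `let` statements and the final expression are one statement batch). A hit with IsLocalAdmin set to true, or a LogonType of RemoteInteractive from an IP that has no other successful logons in the tenant, is the kind of row to pivot on next with DeviceProcessEvents for the same DeviceName and SuccessTime, which is the incident-tracking workflow episode 4 walks through.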
| Title | Description | Watch |
|---|---|---|
| Joining tables in KQL | Learn the power of joining tables in creating meaningful results. | YouTube (4:17) |
| Optimizing tables in KQL | Learn how to avoid timeouts when running complex queries by optimizing your queries. | YouTube (5:38) |
- Advanced hunting overview
- Learn the advanced hunting query language
- Work with query results
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.