Tag Archive: Threat Hunting

Take actions from Threat Hunting in M365 Defender

We wrote a blog post earlier about the news in threat hunting

New features in Advanced Hunting – Microsoft 365 Defender – SEC-LABS R&D

Another feature in hunting, which will speed up responses from a threat hunting scenario is Take Action

When selecting a record in the result, the Take Action button will be visible as seen in below picture

take actions, m365 defender

So instead of just creating a new incident or adding events to an existing incident we can take actions from the hunting experience.

In the Take actions experience we have actions grouped by Devices, Files and Users.

actionable items, m365 defender

The action options available is dependent on the data in the result. For instance, file information like checksum is required to being able to quarantine a file.

When clicking Next we can see the target selected and click Next

We can add a Remediation name and Description for our action

This feature enables a rapid response at the fingertips of the threat hunters for immediate actions

For further information, please visit

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-worldwide

Happy Hunting!

Sec-Labs Team

Becoming a Sentinel Notebooks Ninja – training links

Do you want to learn more about Sentinel Notebooks (built on Jupyter Notebooks)? Microsoft have released a set of trainings to skill up in the area

Notebooks can be useful for cross tenant hunting and also cross product and multiple data sources if needed.

They can also be interactive in terms of a manual playbook with steps mixed with queries and graphs which would make it easy to follow through.

Sorry for the short blog post, but this one is about sharing content

Happy Hunting!

Use kusto to breakdown time stamps

Some times you might want to split the time stamp of an event into smaller pieces, like month, day, hour etc.

For instance, you might want to see if you have more alerts during some specific hours of the day or if anyone is using RDP in the middle of the night.

To achieve this we use the function datetime_part which can split the time stamp to the following parts

  • Year
  • Quarter
  • Month
  • week_of_year
  • Day
  • DayOfYear
  • Hour
  • Minute
  • Second
  • Millisecond
  • Microsecond
  • Nanosecond

This data could, of course, be used to further analysis and joined with other events.

//Sample query
AlertInfo
| extend alerthour = datetime_part("hour", Timestamp)
| summarize count() by alerthour, DetectionSource
| sort by alerthour asc
| render areachart   

For further reading about Kusto datetime_part, please visit
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-partfunction

#HappyHunting