跨设备、电子邮件、应用和标识搜索威胁
适用于:
- Microsoft Defender XDR
Microsoft Defender XDR中的高级搜寻允许你主动搜寻威胁:
- 由 Microsoft Defender for Endpoint 管理的设备
- 由 Microsoft 365 处理的电子邮件
- Microsoft Defender for Cloud Apps和Microsoft Defender for Identity跟踪的云应用活动、身份验证事件和域控制器活动
借助此级别的可见性,可以快速搜寻遍历网络部分的威胁,包括电子邮件或 Web 上到达的复杂入侵、提升本地特权、获取特权域凭据,以及跨设备横向移动到的威胁。
下面是基于各种搜寻方案的常规技术和示例查询,可帮助你探索在搜寻此类复杂威胁时如何构造查询。
获取实体信息
使用这些查询来了解如何快速获取有关用户帐户、设备和文件的信息。
从电子邮件地址获取用户帐户
在跨 涵盖设备和电子邮件的表构造查询时,可能需要从发件人或收件人电子邮件地址获取用户帐户名称。 通常,可以使用电子邮件地址中的 本地主机 对收件人或发件人地址执行此操作。
在下面的代码片段中,我们使用 tostring () Kusto 函数在 列 RecipientEmailAddress
中从收件人电子邮件地址之前@
提取本地主机。
//Query snippet showing how to extract the account name from an email address
AccountName = tostring(split(RecipientEmailAddress, "@")[0])
以下查询显示了如何使用此代码片段:
EmailEvents
| where Timestamp > ago(7d)
| project RecipientEmailAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
合并 IdentityInfo 表
可以通过合并或联接 IdentityInfo 表来获取帐户名称和其他帐户信息。 下面的查询从 EmailEvents 表中 获取网络钓鱼和恶意软件检测列表,然后将该信息与 IdentityInfo
该表联接,以获取有关每个收件人的详细信息。
EmailEvents
| where Timestamp > ago(7d)
//Get email processing events where the messages were identified as either phishing or malware
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
//Merge email events with identity info to get recipient details
| join (IdentityInfo | distinct AccountUpn, AccountDisplayName, JobTitle,
Department, City, Country) on $left.RecipientEmailAddress == $right.AccountUpn
//Show important message and recipient details
| project Timestamp, NetworkMessageId, Subject, ThreatTypes,
SenderFromAddress, RecipientEmailAddress, AccountDisplayName, JobTitle,
Department, City, Country
观看此简短视频,了解如何使用Kusto 查询语言联接表。
获取设备信息
高级搜寻架构在各种表中提供广泛的设备信息。 例如, DeviceInfo 表 根据定期聚合的事件数据提供全面的设备信息。 此查询使用 DeviceInfo
表来检查 () 的潜在入侵用户<account-name>
是否已登录到任何设备,然后列出在这些设备上触发的警报。
提示
此查询使用 kind=inner
指定 内部联接,从而防止删除 的 DeviceId
左侧值。
DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
获取文件事件信息
使用以下查询获取有关文件相关事件的信息。
DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(1d)
) on DeviceId
| take 10
获取网络事件信息
使用以下查询获取有关网络相关事件的信息。
DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(1d)
) on DeviceId
| take 10
获取设备代理版本信息
使用以下查询获取在设备上运行的代理版本。
DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(1d)
) on DeviceId
| take 10
macOS 设备的示例查询
使用以下示例查询查看运行 macOS 且版本早于 Catalina 的所有设备。
DeviceInfo
| where Timestamp > ago(1d)
| where OSPlatform == "macOS" and OSVersion !contains "10.15" and OSVersion !contains "11."
| summarize by DeviceId
| join kind=inner (
DeviceInfo
| where Timestamp > ago(1d)
) on DeviceId
| take 10
获取设备状态信息
使用以下查询获取设备的状态。 在以下示例中,查询将检查设备是否已载入。
DeviceInfo
| where Timestamp > ago(1d)
| where OnboardingStatus != "Onboarded"
| summarize by DeviceId
| join kind=inner (
DeviceInfo
| where Timestamp > ago(1d)
) on DeviceId
| take 10
搜寻方案
列出收到未成功点击的电子邮件的用户的登录活动
零小时自动清除 (ZAP) 收到恶意电子邮件后进行处理。 如果 ZAP 失败,恶意代码最终可能会在设备上运行,并导致帐户遭到入侵。 此查询检查 ZAP 未成功解决的电子邮件收件人进行的登录活动。
EmailPostDeliveryEvents
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfully
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
获取凭据被盗所针对的域帐户的登录尝试
此查询首先标识表中的所有 AlertInfo
凭据访问警报。 然后,它将合并或联接 AlertEvidence
表,该表分析的目标帐户的名称,并仅筛选已加入域的帐户。 最后,它会检查表以获取 IdentityLogonEvents
已加入域的目标帐户的所有登录活动。
AlertInfo
| where Timestamp > ago(30d)
//Get all credential access alerts
| where Category == "CredentialAccess"
//Get more info from AlertEvidence table to get the SID of the target accounts
| join AlertEvidence on AlertId
| extend IsJoined=(parse_json(AdditionalFields).Account.IsDomainJoined)
| extend TargetAccountSid=tostring(parse_json(AdditionalFields).Account.Sid)
//Filter for domain-joined accounts only
| where IsJoined has "true"
//Merge with IdentityLogonEvents to get all logon attempts by the potentially compromised target accounts
| join kind=inner IdentityLogonEvents on $left.TargetAccountSid == $right.AccountSid
//Show only pertinent info, such as account name, the app or service, protocol, the accessed device, and type of logon
| project AccountDisplayName, TargetAccountSid, Application, Protocol, DeviceName, LogonType
检查来自已知恶意发件人的文件是否位于你的设备上
假设你知道发送恶意文件的电子邮件地址 () MaliciousSender@example.com
,则可以运行此查询来确定设备上是否存在来自此发件人的文件。 例如,可以使用此查询来识别受恶意软件分发活动影响的设备。
EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
//Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
查看收到恶意电子邮件后的登录尝试
此查询查找电子邮件收件人在收到已知恶意电子邮件后的 30 分钟内执行的 10 次最新登录。 可以使用此查询来检查电子邮件收件人的帐户是否已泄露。
//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
在收到来自已知恶意发件人的电子邮件后查看 PowerShell 活动
恶意电子邮件通常包含运行 PowerShell 命令以提供其他有效负载的文档和其他特制附件。 如果你知道来自已知恶意发件人的电子邮件 (MaliciousSender@example.com
) ,则可以使用此查询列出和查看在收到发件人的电子邮件后 30 分钟内发生的 PowerShell 活动。
//Define new table for emails from specific sender
let EmailsFromBadSender=EmailEvents
| where SenderFromAddress =~ "MaliciousSender@example.com"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
//Merge emails from sender with process-related events on devices
EmailsFromBadSender
| join (
DeviceProcessEvents
//Look for PowerShell activity
| where FileName =~ "powershell.exe"
//Add line below to check only events initiated by Outlook
//| where InitiatingProcessParentFileName =~ "outlook.exe"
| project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
//Check only PowerShell activities within 30 minutes of receipt of an email
| where (TimeProc - TimeEmail) between (0min.. 30min)
相关主题
提示
想要了解更多信息? 请在我们的技术社区中与 Microsoft 安全社区互动:Microsoft Defender XDR 技术社区。