Category: Cyber Security
Microsoft XDR Hunting Query – Events from Suspicious IP Address
This script allows you to view events that originated from a suspicious IP address. I generally use this script when investigating alerts regarding Password Spray Attacks, Anonymous IP Address or Atypical Travel. Changing the timestamp allows you to view a larger time frame. let ip = "Insert IP ADDRESS"; search in (IdentityLogonEvents,IdentityQueryEvents,IdentityDirectoryEvents,EmailEvents,UrlClickEvents,DeviceNetworkEvents,DeviceFileEvents, DeviceLogonEvents,DeviceEvents,BehaviorEntities,CloudAppEvents,AADSpnSignInEventsBeta,AADSignInEventsBeta) Timestamp between (ago(7d)…
Microsoft XDR Hunting Query – Local Accounts
This is a script I run periodically to hunt down any local accounts on organisational devices. It returns the device name, the names of the local accounts with admin rights, and the number of accounts present on the device. Removing the timestamp filter and adjusting it manually allows you to narrow down when the account…
Microsoft XDR Hunting Query – Email Threats
This KQL script provides a graphical analysis of email threats in your environment. It uses EmailAction to identify ThreatTypes such as Malware, Phish and Quarantine. It then shows you graphically how many email threats are present, and you can use the time parameter to adjust the timespan. let Threshold = 50; EmailEvents | where EmailAction ==…
