Hunt for threats across devices, emails, apps, and identities

Applies to:

  • Microsoft Defender XDR

Advanced hunting in Microsoft Defender XDR lets you proactively hunt for threats across:

  • Devices managed by Microsoft Defender for Endpoint
  • Emails processed by Microsoft 365
  • Cloud app activities, authentication events, and domain controller activities tracked by Microsoft Defender for Cloud Apps and Microsoft Defender for Identity

With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive by email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across devices.

Below are general techniques and sample queries based on various hunting scenarios. They show how you might construct queries when hunting for this kind of multi-stage threat; each query is meant as a starting point to adapt to your own tenant, not a finished detection.

Get entity info

Use these queries to learn how to quickly get information about user accounts, devices, and files.

Obtain user accounts from email addresses

When constructing queries across tables that cover devices and emails, you will often need to obtain user account names from sender or recipient email addresses. Typically you can do this with the local part of the email address (the string before the @), which often matches the account name that endpoint and identity events are recorded under. This is a convention, not a guarantee: mail aliases, shared mailboxes, and UPNs that differ from the primary SMTP address all break it, so use the IdentityInfo join described in the next section whenever you need an authoritative mapping.

In the snippet below, we use the split() Kusto function to break the RecipientEmailAddress column at the @ character, and tostring() to convert the first element of the resulting dynamic array, the local part, into a string.

//Query snippet showing how to extract the account name from an email address
AccountName = tostring(split(RecipientEmailAddress, "@")[0])

The following query shows how the snippet can be used:

EmailEvents
| where Timestamp > ago(7d)
| project RecipientEmailAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);

Merge the IdentityInfo table

You can get account names and other account information by merging or joining the IdentityInfo table. The query below gets the list of phishing and malware detections from the EmailEvents table and then joins that information with the IdentityInfo table to get detailed information about each recipient. IdentityInfo holds periodic snapshots, so there can be several rows per account; the distinct in the right side of the join keeps each recipient from being matched more than once.

EmailEvents
| where Timestamp > ago(7d)
//Get email processing events where the messages were identified as either phishing or malware
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
//Merge email events with identity info to get recipient details
| join (IdentityInfo | distinct AccountUpn, AccountDisplayName, JobTitle,
Department, City, Country) on $left.RecipientEmailAddress == $right.AccountUpn
//Show important message and recipient details
| project Timestamp, NetworkMessageId, Subject, ThreatTypes,
SenderFromAddress, RecipientEmailAddress, AccountDisplayName, JobTitle,
Department, City, Country


Get device info

The advanced hunting schema provides extensive device information in various tables. For example, the DeviceInfo table provides comprehensive device information based on event data aggregated regularly. This query uses the DeviceInfo table to check whether a potentially compromised user (<account-name>) has logged on to any devices, and then lists the alerts that were triggered on those devices. Note that the contains operator performs a substring match on the LoggedOnUsers JSON string, so a short account name can match longer names that embed it.

Tip

This query uses kind=inner to specify an inner join. The default join kind in Kusto is innerunique, which keeps only one left-side row for each value of the join key (DeviceId here) before matching; kind=inner keeps all of them. Because the left side is already reduced to distinct DeviceId values, the explicit kind mainly documents intent in this query, but it matters as soon as you carry more columns through the join.

DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
//AlertEvidence has one row per evidence item, so the same AlertId appears many times; reduce to one row per alert
| distinct AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
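The following query is an added example, not part of the original article, that makes the same device-to-alert pivot more precise. Instead of a substring match on the raw LoggedOnUsers string, it expands the JSON array and matches the user name and domain exactly. The account "jsmith", domain "CONTOSO" and the 7-day window are placeholders; the LoggedOnUsers entries are assumed to carry the documented UserName, DomainName and Sid fields.

```kusto
// Added example (not from the original article): exact match on the logged-on user,
// then every alert raised on the devices that user was logged on to.
// Placeholders: account "jsmith" in domain "CONTOSO", 7-day lookback.
let TargetUser = "jsmith";
let TargetDomain = "CONTOSO";
DeviceInfo
| where Timestamp > ago(7d)
| where isnotempty(LoggedOnUsers)
// LoggedOnUsers is a JSON array of {UserName, DomainName, Sid} objects; expand it to one user per row
| mv-expand User = todynamic(LoggedOnUsers)
| extend UserName = tostring(User.UserName), DomainName = tostring(User.DomainName)
// Case-insensitive equality, so "jsmith" no longer also matches "jsmithson"
| where UserName =~ TargetUser and DomainName =~ TargetDomain
| summarize LastSeenLoggedOn = max(Timestamp) by DeviceId, DeviceName
// kind=inner keeps every alert for a device; AlertEvidence is reduced to one row per alert and device first
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(7d)
    | distinct AlertId, DeviceId
) on DeviceId
| join kind=inner (
    AlertInfo
    | where Timestamp > ago(7d)
    | project AlertId, AlertTime = Timestamp, Title, Severity, Category
) on AlertId
| project DeviceName, LastSeenLoggedOn, AlertTime, Title, Severity, Category
| order by AlertTime desc
```

The mv-expand step is the important change: once each logged-on user is its own row you can also filter on the Sid field, which is the most reliable key when the same person has accounts in several domains.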

Get file event information

Use the following query to get information on file-related events. It restricts the device set to those reporting a sensor ClientVersion in the 20.1 line, then pulls their file events for the last day.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10

Get network event information

Use the following query to get information on network-related events, using the same device selection as the file event query above.

DeviceInfo
| where Timestamp > ago(1d)
| where ClientVersion startswith "20.1"
| summarize by DeviceId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
) on DeviceId
| take 10

Get device agent version information

Use the following query to get the version of the agent running on each device. DeviceInfo reports many rows per device, so the query keeps only the most recent record per DeviceId and the ClientVersion it carries.

DeviceInfo
| where Timestamp > ago(1d)
//Keep the most recent record for each device and the agent (sensor) version it reported
| summarize arg_max(Timestamp, DeviceName, ClientVersion) by DeviceId
| project DeviceId, DeviceName, ClientVersion, LastReported = Timestamp
| take 10

Example query for macOS devices

Use the following example query to see all devices running a version of macOS older than Catalina (10.15). The version is compared numerically with parse_version(); a string test such as OSVersion !contains "10.15" would also report every newer release (11.x and later) as old.

DeviceInfo
| where Timestamp > ago(1d)
//parse_version compares dotted version strings numerically, so 10.9 sorts before 10.15 and 11.x or later is excluded
| where OSPlatform == "macOS" and parse_version(OSVersion) < parse_version("10.15")
//One row per device with its latest reported OS version
| summarize arg_max(Timestamp, DeviceName, OSVersion) by DeviceId
| take 10

Get device status information

Use the following query to get the status of devices. In the example below, the query checks whether each device has been onboarded and lists those that have not, based on the latest record per device.

DeviceInfo
| where Timestamp > ago(1d)
//Take the latest status per device first, so a device that finished onboarding during the day is not reported
| summarize arg_max(Timestamp, DeviceName, OnboardingStatus) by DeviceId
| where OnboardingStatus != "Onboarded"
| take 10
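The device queries above each answer one question with a fresh pass over DeviceInfo. As an added example that is not part of the original article, the query below combines them: it keeps the latest record per device once and flags the same three conditions (not onboarded, macOS older than Catalina, sensor version below the 20.1 line used in the samples above). The 20.1 threshold and the 1-day window are assumptions carried over from the samples.

```kusto
// Added example (not from the original article): one device-posture pass over DeviceInfo.
// Assumed thresholds: agent line "20.1" and macOS "10.15" (Catalina), 1-day lookback.
DeviceInfo
| where Timestamp > ago(1d)
// DeviceInfo is a snapshot table with many rows per device; keep only the newest per DeviceId
| summarize arg_max(Timestamp, DeviceName, OSPlatform, OSVersion, ClientVersion, OnboardingStatus) by DeviceId
| extend NotOnboarded = OnboardingStatus != "Onboarded"
// parse_version compares dotted versions numerically ("10.9" < "10.15"), unlike string operators
| extend OldMacOS = OSPlatform == "macOS" and parse_version(OSVersion) < parse_version("10.15")
| extend OldAgent = isnotempty(ClientVersion) and parse_version(ClientVersion) < parse_version("20.1")
| where NotOnboarded or OldMacOS or OldAgent
| project DeviceId, DeviceName, OSPlatform, OSVersion, ClientVersion, OnboardingStatus,
    LastReported = Timestamp, NotOnboarded, OldMacOS, OldAgent
| order by DeviceName asc
```

Because the flags are plain boolean columns, the same query can feed a summarize by NotOnboarded, OldMacOS, OldAgent to get counts for a coverage report instead of a device list.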

Hunting scenarios

List logon activity of users that received emails that were not zapped successfully

Zero-hour auto purge (ZAP) addresses malicious emails after they have been received. If ZAP fails, malicious code can eventually run on the device and lead to account compromise. This query checks for logon activity by the recipients of emails that ZAP could not remediate, within 24 hours either side of the failed ZAP action. The join is on the recipient address matching the AccountUpn in IdentityLogonEvents, so recipients whose mail address differs from their UPN will not appear.

EmailPostDeliveryEvents
| where Timestamp > ago(7d)
//List malicious emails that were not zapped successfully
| where ActionType has "ZAP" and ActionResult == "Error"
| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType

Get logon attempts by domain accounts targeted by credential theft

This query first identifies all credential access alerts in the AlertInfo table. It then merges or joins the AlertEvidence table, parses the AdditionalFields of each evidence item for the SID of the targeted account, and keeps only domain-joined accounts. Finally, it checks the IdentityLogonEvents table for all logon activity by those targeted accounts.

AlertInfo
| where Timestamp > ago(30d)
//Get all credential access alerts
| where Category == "CredentialAccess"
//Get more info from AlertEvidence table to get the SID of the target accounts
| join AlertEvidence on AlertId
//AdditionalFields is a JSON string; IsDomainJoined is a boolean inside the Account object
| extend IsJoined = tobool(parse_json(AdditionalFields).Account.IsDomainJoined)
| extend TargetAccountSid = tostring(parse_json(AdditionalFields).Account.Sid)
//Filter for domain-joined accounts only, and drop evidence rows that carry no SID
| where IsJoined == true and isnotempty(TargetAccountSid)
//Merge with IdentityLogonEvents to get all logon attempts by the potentially compromised target accounts
| join kind=inner (
    IdentityLogonEvents
    | where Timestamp > ago(30d)
    | project LogonTime = Timestamp, AccountSid, AccountDisplayName, Application, Protocol, DeviceName, LogonType
) on $left.TargetAccountSid == $right.AccountSid
//Show only pertinent info, such as account name, the app or service, protocol, the accessed device, and type of logon
| project LogonTime, AlertId, Title, AccountDisplayName, TargetAccountSid, Application, Protocol, DeviceName, LogonType

Check whether files from a known malicious sender are on your devices

Assuming you know of an email address that sends malicious files (MaliciousSender@example.com), you can run this query to determine whether files from this sender exist on your devices. You can use this query, for example, to identify devices affected by a malware distribution campaign. The match is on the SHA-256 of the attachment, so a file that was renamed on disk is still found, while a file that was modified (for example a macro document re-saved by the user) is not.

EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
//Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
//kind=inner keeps every recipient of a given attachment; the default innerunique would keep only one email row per hash
| join kind=inner (
//Check devices for any activity involving the attachments
DeviceFileEvents
| project FileEventTime = Timestamp, FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project EmailTime = Timestamp, FileEventTime, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
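As an added example that is not part of the original article, the query below takes the same attachment hashes but collects them into a set once and uses the in operator against both DeviceFileEvents and DeviceProcessEvents. This avoids the join entirely (so no left-side deduplication to think about) and also catches the case where the attachment was an executable that was launched. MaliciousSender@example.com and the 30-day window are placeholders.

```kusto
// Added example (not from the original article): attachment hashes from a known bad sender,
// looked up as a set against file writes and process launches on endpoints.
// Placeholders: MaliciousSender@example.com, 30-day lookback.
let BadHashes = toscalar(
    EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    | where isnotempty(SHA256)
    | summarize make_set(SHA256));
// Files with one of those hashes written, renamed or deleted on a device
let FileHits = DeviceFileEvents
    | where Timestamp > ago(30d)
    | where SHA256 in (BadHashes)
    | project Timestamp, DeviceId, DeviceName, Activity = ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName;
// The same binary actually executed (SHA256 here is the hash of the launched image)
let ProcessHits = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where SHA256 in (BadHashes)
    | project Timestamp, DeviceId, DeviceName, Activity = ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName;
union FileHits, ProcessHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    Activities = make_set(Activity), Files = make_set(FileName), Launchers = make_set(InitiatingProcessFileName)
    by DeviceId, DeviceName, SHA256
| order by FirstSeen asc
```

A device that appears with ProcessCreated in Activities has executed the attachment and should be prioritised over one that only has a FileCreated entry from the download or the mail client's attachment cache.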

Review logon attempts after receipt of malicious emails

This query finds the 10 most recent logons performed by email recipients within 30 minutes after they received known malicious emails. You can use it to check whether the accounts of the email recipients have been compromised. The recipient is matched to the logon by the local part of the address, with the limitations described under Obtain user accounts from email addresses.

//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
//take returns an arbitrary 10 rows; top sorts so these are the 10 most recent logons
| top 10 by LogonTime desc

Review PowerShell activities after receipt of emails from a known malicious sender

Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious sender (MaliciousSender@example.com), you can use this query to list and review PowerShell activities that occurred within 30 minutes after an email was received from the sender. The query matches powershell.exe only; if PowerShell 7 is deployed in your environment, also match pwsh.exe, and consider checking InitiatingProcessParentFileName for the Office application that opened the attachment, not just Outlook.

//Define new table for emails from specific sender
let EmailsFromBadSender=EmailEvents
| where SenderFromAddress =~ "MaliciousSender@example.com"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
//Merge emails from sender with process-related events on devices
EmailsFromBadSender
| join (
DeviceProcessEvents
//Look for PowerShell activity
| where FileName =~ "powershell.exe"
//Add line below to check only events initiated by Outlook
//| where InitiatingProcessParentFileName =~ "outlook.exe"
| project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
//Check only PowerShell activities within 30 minutes of receipt of an email
| where (TimeProc - TimeEmail) between (0min.. 30min)
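The query below is an added example, not part of the original article, that serves both this scenario and the earlier logon-after-malicious-email one. It replaces the local-part convention with an IdentityInfo lookup from the recipient address to the AccountName that device events carry, normalises case because Kusto joins are case-sensitive, matches both PowerShell binaries, and restricts to chains launched from a mail client, Office application or browser. MaliciousSender@example.com, the 7-day lookback, the 30-minute window and the list of parent processes are assumptions.

```kusto
// Added example (not from the original article): PowerShell launched from a document or mail client
// shortly after a recipient received mail from a known bad sender, with the recipient resolved
// through IdentityInfo. Placeholders: MaliciousSender@example.com, 7-day lookback, 30-minute window.
let Lookback = 7d;
let Window = 30m;
// Parent processes that typically host a malicious attachment or link (assumed list, extend as needed)
let OfficeParents = dynamic(["outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe"]);
let Recipients = EmailEvents
    | where Timestamp > ago(Lookback)
    | where SenderFromAddress =~ "MaliciousSender@example.com"
    | project TimeEmail = Timestamp, NetworkMessageId, Subject, RecipientEmailAddress = tolower(RecipientEmailAddress)
    // Map the mail address to the account name that endpoint events are recorded under
    | join kind=inner (
        IdentityInfo
        | where isnotempty(AccountUpn) and isnotempty(AccountName)
        | project AccountUpn = tolower(AccountUpn), AccountName = tolower(AccountName), AccountDomain
        | distinct AccountUpn, AccountName, AccountDomain
    ) on $left.RecipientEmailAddress == $right.AccountUpn;
Recipients
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    // Either the direct parent or its parent is a mail client, Office app or browser
    | where InitiatingProcessFileName in~ (OfficeParents) or InitiatingProcessParentFileName in~ (OfficeParents)
    | project TimeProc = Timestamp, AccountName = tolower(AccountName), DeviceName,
        InitiatingProcessParentFileName, InitiatingProcessFileName, ProcessCommandLine
) on AccountName
// Keep only PowerShell that started within the window after the mail arrived
| where TimeProc between (TimeEmail .. (TimeEmail + Window))
// Encoded commands and download cradles are the common payload-delivery pattern
| extend SuspiciousArgs = ProcessCommandLine has_any ("EncodedCommand", "enc", "DownloadString", "DownloadFile",
    "Invoke-Expression", "IEX", "bypass", "hidden", "Net.WebClient")
| project TimeEmail, Subject, RecipientEmailAddress, AccountDomain, TimeProc, DeviceName,
    InitiatingProcessParentFileName, InitiatingProcessFileName, ProcessCommandLine, SuspiciousArgs
| order by TimeProc desc
```

The has_any terms are indicative rather than exhaustive: the single-letter -e alias for -EncodedCommand is not matched, so treat SuspiciousArgs as a triage hint and read the full command line for every hit.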
