Use community queries for Defender for Office 365

by info.odysseyx@gmail.com, October 9, 2024

Staying ahead of threats in an ever-evolving cybersecurity landscape is a constant challenge. Advanced hunting in Microsoft Defender XDR gives security teams powerful tools to proactively search for threats, detect anomalies, and respond to incidents quickly and automatically. One of the most valuable and insightful resources in advanced hunting is the community queries feature. This collaborative repository can enhance threat hunting capabilities, streamline investigation processes, and give security operations center (SOC) team members easy access to shared knowledge. With the new pre-built sets of community queries for investigating and responding to email and collaboration security threats, you can now hunt threats more effectively.

What is the community queries feature?

Community queries in advanced hunting is a curated collection of Kusto Query Language (KQL) scripts contributed by Microsoft, industry experts, and the global security community. These queries are designed to solve common security problems, detect new threats, and automate the analysis of large data sets. The repository serves as a starting point for both beginners and seasoned threat hunters, providing pre-built queries that can be customized to fit specific organizational needs. By leveraging these community-contributed queries, SOC team members can quickly gain insight into potential threats without having to start from scratch.

Benefits of using community queries

Time efficiency – Community queries provide a wealth of ready-made queries that you can leverage right away. This saves valuable time so your security team can focus on analyzing the results rather than building queries from scratch.

Continuous learning – The repository is continuously updated with new queries that reflect the latest threat intelligence and security trends. This means that threat hunting efforts can evolve with the threat environment.

Collaboration and knowledge sharing – By using and contributing to community queries, organizations can leverage the comprehensive expertise of the global security community. This collaborative approach helps identify and mitigate threats that are not yet on the radar.

Customization and flexibility – Community queries are powerful out of the box, but they can also be customized. You can adjust and modify them to fit the specific needs of your environment, ensuring your threat detection efforts are tailored and accurate.

How to access and use community queries

You can access community queries within Microsoft Defender XDR advanced hunting as follows:

1. Go to the Advanced hunting page – Go to the Advanced hunting section in Microsoft Defender XDR. Here you can run, save, and manage KQL queries.

2. Explore community queries – Find "Community queries" in the "Queries" tab. Here you will find a collection of pre-built queries provided by Microsoft and the security community. Email and collaboration security queries related to Defender for Office 365 can be found in the "Email Queries" folder and its subfolders.

3. Select and run queries – Browse the available queries and select the one that meets your current needs. You can run the query as is or customize it by modifying parameters, adding filters, or combining it with other queries.

4. Analyze the results and act accordingly – Once the query has run, analyze the results to identify potential threats, anomalies, or areas of concern. From here, you can take appropriate action, including creating incidents and alerts, creating and refining custom detection rules, and deleting email messages if necessary.

Expert tip: You can use custom detection rules to automatically take action on email messages based on your queries. Choose the email delete action when creating an incident in Microsoft Defender XDR, and save the detection rule so that it runs automatically whenever the detection is triggered.

Popular use cases for community queries about Defender for Office 365

Phishing attack detection – Use community queries to identify patterns of phishing emails, malicious links, or unusual email activity that may indicate phishing campaigns.

Identify lateral movement – Uncover lateral movement within the network by leveraging queries that detect unusual account activity or unauthorized access.

Malware outbreak investigation – Leverage community queries to search for indicators of compromise (IOCs) associated with known malware families, so you can respond quickly to potential outbreaks.

Privileged account monitoring – Community queries help you track the activity of privileged accounts, so you can immediately flag and investigate suspicious behavior.

QR codes – Hunt, investigate, and respond to QR code-related email security threats.

URL clicks – Investigate potentially malicious URL clicks in email, Microsoft Teams, and Office apps.

Safe posture – Review the impact of administrator- and user-created filter verdict overrides, which may negatively affect your organization's security posture.

Current query repository for Defender for Office 365

A complete list of queries is available directly in Microsoft Defender XDR advanced hunting. Queries related to Defender for Office 365 are organized in the "Email Queries" folder, which uses subfolders based on email and collaboration security topics: Attachments, Authentication, Generic, Hunting, Malware, Override, Phishing, QR Code, Quarantine, Disinfection, Spoofing and Impersonation, Submission, Top Attacks, URLs, URL Clicks, and ZAP. The queries can also be viewed directly in the Microsoft Sentinel GitHub repository.

Participate in community queries

Anyone can contribute community queries in advanced hunting. The strength of these queries lies in the diversity of their contributors. If you develop a query that proves valuable for email security in your environment, please consider sharing it with the broader community. By doing so, you contribute to our collective defense against cyber threats and help strengthen the security posture of other organizations. To start contributing, follow the steps listed here to add queries to the integrated Microsoft Sentinel and Microsoft Defender XDR repositories on GitHub.

Community queries are more than just a script repository. They are a dynamic, collaborative resource that helps security teams stay ahead of new threats. By leveraging and contributing to this community, organizations can strengthen their threat hunting capabilities, improve detection times, and foster a culture of continuous learning and collaboration. In the ever-changing world of cybersecurity, access to a community-driven, advanced query repository is an invaluable asset. Whether you are a seasoned threat hunter or just starting out, community queries are a resource that cannot be overlooked. So learn more, explore, and use advanced hunting to its full potential today.
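As an added example (not one of the page's or Microsoft's community queries), the following KQL combines the URL-click and override use cases above: it lists URL clicks that were allowed or clicked through on links flagged as phishing or malware, joins back to the delivering message to show whether an admin- or user-level verdict override was applied, and keeps the Timestamp and ReportId columns that a custom detection rule needs. Column names are assumed to follow the public advanced hunting schema for UrlClickEvents and EmailEvents; the 7-day window is a constructed choice.

```kql
// Allowed or clicked-through clicks on URLs flagged as phishing/malware,
// enriched with the delivering message and any verdict override.
// Assumption: public advanced hunting schema; 7d lookback is a constructed choice.
let lookback = 7d;
UrlClickEvents
| where Timestamp > ago(lookback)
| where Workload in ("Email", "Teams", "Office")
| where ThreatTypes has_any ("Phish", "Malware")
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, Subject, DeliveryAction,
              OrgLevelAction, OrgLevelPolicy, UserLevelAction, UserLevelPolicy
) on NetworkMessageId
// A non-empty org- or user-level action means a filter verdict was overridden
| extend OverrideApplied = isnotempty(OrgLevelAction) or isnotempty(UserLevelAction)
// Timestamp and ReportId are required when saving this as a custom detection rule
| project Timestamp, ReportId, NetworkMessageId, AccountUpn, Url, ActionType,
          IsClickedThrough, ThreatTypes, SenderFromAddress, Subject,
          DeliveryAction, OverrideApplied, OrgLevelPolicy, UserLevelPolicy
| order by Timestamp desc
```

Rows where OverrideApplied is true point at the allow-list or safe-sender entries worth reviewing first, since they let a flagged message reach a user who then clicked.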