
Task 03: Expand the scope through Advanced Hunting and watchlists


Security Architecture Team

  1. Frame the blast-radius questions to put into the runbook:

    • Who else clicked the phishing URL?
    • Which devices reached the same domain?
    • Who executed the same file hash across multiple endpoints?
  2. Decide the required data sources:

    • Email telemetry (MDO): EmailEvents, EmailUrlInfo
    • Endpoint telemetry (MDE): DeviceFileEvents, DeviceNetworkEvents, DeviceLogonEvents
    • Entra ID audit and sign-ins: IdentityDirectoryEvents, IdentityLogonEvents

Security Engineering and Administration

  1. In the leftmost pane, go to Investigation & response > Hunting > Advanced hunting.

  2. Run the following KQL query:

     ```kql
     let lookback = 7d;
     // Inline table of High-Value Assets (the lab's stand-in for a watchlist)
     let HVA_Servers = datatable(HostName:string)
     [
         "FSRV01",
         "SCADA-GW",
         "FIN-LEDGER",
         "winvm-mde"   // replace with your VM name
     ];
     // Normalize to a single lowercase column so it can be used with 'in'
     let HVA = HVA_Servers | project HostLower = tolower(HostName);
     DeviceLogonEvents
     | where Timestamp >= ago(lookback)
     | extend HostLower = tolower(DeviceName)
     | where HostLower in (HVA)          // case-insensitive match against the HVA list
     | where LogonType in ("RemoteInteractive","Network","RemoteInteractive (RDP)")
     | summarize
         Attempts  = count(),
         Successes = countif(ActionType =~ "LogonSuccess"),
         Failures  = countif(ActionType !~ "LogonSuccess"),
         SampleLogonTypes = make_set(LogonType, 5)
         by DeviceName, AccountName
     | order by Attempts desc
     ```

     This uses mock data, but is designed to hunt for logon activity targeting “High-Value Assets” (HVAs), such as critical servers, over the past 7 days.


SOC Analyst

  1. In the leftmost pane, go to Investigation & response > Hunting > Advanced hunting.

  2. Run the following KQL query to get the list of clickers of the phish URL (Email + Device):

     ```kql
     let iocUrl = "http://bit.ly/benign123";
     // EmailUrlInfo records URLs found in delivered mail; join back to EmailEvents
     // to recover the recipients. This counts mailboxes that received the lure;
     // Safe Links click telemetry lives in UrlClickEvents if you need actual clicks.
     EmailUrlInfo
     | where Url == iocUrl
     | join kind=leftouter EmailEvents on NetworkMessageId
     | project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject
     | summarize Clickers=dcount(RecipientEmailAddress) by bin(Timestamp, 1h)
     ```

  3. Run the following KQL query to get the list of files/hashes spread across endpoints:

     ```kql
     let badSha1 = "6265d085ee5fc65bc123f503970e7eeadde3e032";
     // Look at both file writes and process launches; isfuzzy tolerates a missing table
     union isfuzzy=true DeviceFileEvents, DeviceProcessEvents
     | where SHA1 == badSha1 or InitiatingProcessSHA1 == badSha1
     | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, SHA1, AccountName
     | summarize DeviceCount=dcount(DeviceName), Devices=make_set(DeviceName) by SHA1
     ```

  4. Run the following KQL query to get the OAuth blast radius:

     ```kql
     // ApplicationId is numeric in CloudAppEvents, so compare against an int, not a string
     let appId = 20893;
     CloudAppEvents
     | where ApplicationId == appId
     | summarize AffectedUsers=make_set(AccountDisplayName), Count=count() by Application, ApplicationId
     ```

     Review the results and export the CSVs for evidence.
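The queries above cover the first and third runbook questions, but not the second one (which devices reached the same domain). The following query is an added example, not part of the lab, that pivots from the phish URL's domain into DeviceNetworkEvents and marks which of those devices belong to a user who also received the lure. It assumes the lab's `iocUrl` and that the endpoint account name equals the mailbox local part, which does not hold in every tenant.

```kql
// Added example (not from the lab): "Which devices reached the same domain?"
let lookback = 7d;
let iocUrl = "http://bit.ly/benign123";
// Derive the domain from the lure URL so redirector variants are also caught
let iocDomain = tostring(parse_url(iocUrl).Host);
// Mailboxes that received mail carrying the domain (MDO side)
let Recipients =
    EmailUrlInfo
    | where Timestamp >= ago(lookback) and UrlDomain =~ iocDomain
    | join kind=inner (EmailEvents | project NetworkMessageId, RecipientEmailAddress) on NetworkMessageId
    | distinct RecipientEmailAddress
    // ASSUMPTION: device account name == mailbox local part (adjust to your naming scheme)
    | extend AccountLower = tolower(tostring(split(RecipientEmailAddress, "@")[0]));
// Endpoints that actually connected to the domain (MDE side)
DeviceNetworkEvents
| where Timestamp >= ago(lookback)
| where RemoteUrl has iocDomain
| extend AccountLower = tolower(InitiatingProcessAccountName)
| join kind=leftouter Recipients on AccountLower
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Connections = count(),
    Processes   = make_set(InitiatingProcessFileName, 5),
    LureMatches = countif(isnotempty(RecipientEmailAddress))
    by DeviceName, AccountLower
// Devices that reached the domain without a matching lure recipient deserve a closer look
| extend ReceivedLure = LureMatches > 0
| order by ReceivedLure asc, Connections desc
```

Devices with `ReceivedLure == false` reached the domain through some path other than the tracked email, so triage those first.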