Query Details

Defender XDR Advanced Hunting All In One UPN Search

Query

// DefenderXDR Advanced Hunting All-In-One UPN Search
// https://www.linkedin.com/pulse/defenderxdr-advanced-hunting-all-in-one-upn-search-steven-lim-zdlic/

// This KQL query searches across these DefenderXDR log tables for the UPN variable that is defined at the start:
// AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes

let upn = "[email protected]"; // Enter Your Search UPN (== below is case-sensitive; use =~ or tolower() if the casing in your tenant varies)
search in (AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta,
IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents,
DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents,
DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents,
EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes)
Timestamp between (ago(1d) .. now())
and (
// AlertEvidence, BehaviorEntities, BehaviorInfo, DeviceProcessEvents,
// AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents
AccountUpn == upn
// DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents,
// DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents
or InitiatingProcessAccountUpn == upn
// CloudAppEvents (RawEventData is dynamic, so cast the property before comparing)
or tostring(RawEventData.UserId) == upn
// EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents
or SenderFromAddress == upn
or RecipientEmailAddress == upn
// CloudAuditEvents (substring match over the whole raw event, case-insensitive)
or RawEventData contains upn
// ExposureGraphNodes (snapshot table with no Timestamp column, so the time filter
// above drops its rows before this clause is reached; query it separately)
or NodeProperties.rawData contains upn
)

Explanation

This KQL query searches for a single User Principal Name (UPN), set in the upn variable at the top, across the Defender XDR Advanced Hunting tables listed in the header comment, and returns every row from the last 24 hours that references it. The search operator unions the named tables and evaluates one predicate against each row; a column that does not exist in a given table evaluates to null there, which is why a single predicate can mix columns from unrelated schemas. Step by step:

  1. Define the UPN: the account to hunt is assigned to the upn variable; replace the placeholder with the target account.
  2. Search Across Multiple Tables: the query searches through AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, the Device* tables, CloudAppEvents, the Email* tables, CloudAuditEvents and ExposureGraphNodes.
  3. Time Range: Timestamp between (ago(1d) .. now()) limits the search to events from the last 24 hours. Advanced Hunting retains 30 days of raw event data, so ago(30d) is the widest window that will return anything.
  4. Conditions: the query checks one field per table family, combined with or:
    • AccountUpn (AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceProcessEvents): the account the event is about
    • InitiatingProcessAccountUpn (the Device* tables): the account whose process generated the event
    • RawEventData.UserId (CloudAppEvents): cast with tostring because RawEventData is a dynamic column
    • SenderFromAddress and RecipientEmailAddress (EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents)
    • RawEventData contains upn (CloudAuditEvents): a substring match over the entire raw audit record
    • NodeProperties.rawData contains upn (ExposureGraphNodes)

Three caveats before relying on the result. First, == is case-sensitive in KQL, so a UPN or mail address recorded with different capitalisation (User@Contoso.com) is silently missed; use =~, or wrap both sides in tolower(), for an exact but case-insensitive comparison (contains is already case-insensitive). Second, ExposureGraphNodes is a snapshot of the exposure graph rather than an event table and has no Timestamp column, so the time filter is false for every one of its rows and the NodeProperties.rawData clause never matches; query that table on its own without the time filter. Third, search across twenty tables is expensive and the result set is capped, so once you know which tables the account appears in, trim the list to those.

In summary, this query is a comprehensive search across security and activity logs to find any events or actions associated with the specified UPN within the past day, and a good first pivot when an account is suspected of being compromised.
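Before reading rows one by one, an analyst usually wants to know which tables the account shows up in, how often, and when. The query below is an added example, not part of the original page or Steven Lim's query: it keeps the same table list and column mapping but matches case-insensitively with =~, parameterises the lookback, leaves ExposureGraphNodes out because that table has no Timestamp column, and collapses the hits into one line per source table. The account hunted.user@contoso.com and the 7-day window are placeholder assumptions.

```kql
// Added example (not the original query): per-table triage of the same UPN search.
// Assumed inputs: upn (placeholder account) and lookback (7 days; advanced hunting
// keeps 30 days of raw events, so anything up to 30d is valid).
let upn = "hunted.user@contoso.com";
let lookback = 7d;
search in (AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta,
    IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents,
    DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents,
    DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents,
    EmailPostDeliveryEvents, CloudAuditEvents)
    Timestamp > ago(lookback)
    and (
        // =~ is case-insensitive, so "Hunted.User@Contoso.com" still matches
        AccountUpn =~ upn
        or InitiatingProcessAccountUpn =~ upn
        // CloudAppEvents: RawEventData is dynamic, cast before comparing
        or tostring(RawEventData.UserId) =~ upn
        // Email* tables
        or SenderFromAddress =~ upn
        or RecipientEmailAddress =~ upn
        // CloudAuditEvents (and any other table with a RawEventData column);
        // contains is already case-insensitive
        or RawEventData contains upn
    )
// $table is added by the search operator and names the source table of each row.
// Columns absent from a table are null there and are ignored by make_set.
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            ActionTypes = make_set(ActionType, 25),
            Devices = make_set(DeviceName, 10)
    by Table = $table
| order by Events desc
```

The result is one row per table with the event count, first and last sighting, and the distinct ActionType and DeviceName values seen, which is normally enough to decide which table to pivot into next. To cover the exposure graph, run ExposureGraphNodes | where NodeProperties.rawData contains upn separately, without a time filter.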

Details


Steven Lim

Released: August 2, 2024

Tables

AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes

Keywords

AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes

Operators

let, search, in, between, ago, now, and, ==, or, tostring, contains
