Query Details

Exposure Management Defender For Office 365

Query

//Exposure Management + Defender for Office 365
//https://www.linkedin.com/posts/activity-7178261918795649024-cah8/

//Custom Defender XDR detection rule for critical identities (as marked by Exposure Management) clicking on a malicious email link. The rule's response actions would then trigger isolation of the user account and the impacted devices to minimize lateral movement.

//KQL Detection Code:

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn)
| distinct AccountUPN;
AlertInfo
| where Title == "A potentially malicious URL click was detected"
| join AlertEvidence on AlertId
| join EmailEvents on NetworkMessageId
| where RecipientEmailAddress has_any (CriticalIdentities)

Explanation

This KQL query is designed to detect when critical identities, as marked by an exposure management system, click on a malicious email link. Here's a simplified breakdown:

  1. Identify Critical Identities:
    • The query first identifies critical identities from the ExposureGraphNodes table.
    • It filters for nodes categorized as "identity" and checks that they have a criticality level less than 4.
    • It extracts the user principal names (UPNs) of these critical identities.
  2. Detect Malicious URL Clicks:
    • The query then looks for alerts in the AlertInfo table where the title indicates a potentially malicious URL click.
    • It joins this alert information with evidence from the AlertEvidence table and email events from the EmailEvents table.
    • Finally, it filters the results to include only those email events where the recipient's email address matches one of the critical identities identified earlier.

In essence, this query detects critical identities that have clicked on malicious email links; used as a custom detection rule with response actions, it isolates their user accounts and devices to minimize the risk of lateral movement within the network.
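An added variant of the same detection (not the original author's query), restructured so a Defender XDR custom detection rule can act on its rows: it assumes the documented custom-detection requirements (Timestamp and ReportId in the output, a DeviceId column for device actions, RecipientObjectId for user actions) and that AlertInfo/AlertEvidence carry no ReportId, so those fields are taken from EmailEvents. The criticality threshold (< 4) is kept from the original.

```kql
// Critical identities, UPNs lower-cased so the match below is exact and case-insensitive
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and toint(NodeProperties.rawData.criticalityLevel.criticalityLevel) < 4
    | extend AccountUPN = tolower(tostring(NodeProperties.rawData.accountUpn))
    | where isnotempty(AccountUPN)
    | distinct AccountUPN;
// Alerts for malicious URL clicks
let ClickAlerts =
    AlertInfo
    | where Title == "A potentially malicious URL click was detected"
    | project AlertId, AlertTitle = Title, Severity;
// Email message referenced by each alert: one row per alert/message pair.
// kind=inner is explicit because the default join (innerunique) drops duplicate left keys.
let AlertMessages =
    ClickAlerts
    | join kind=inner (
        AlertEvidence
        | where isnotempty(NetworkMessageId)
        | distinct AlertId, NetworkMessageId
      ) on AlertId
    | project AlertId, AlertTitle, Severity, NetworkMessageId;
// Devices referenced by the same alerts; there may be none (e.g. a click from a
// mobile mail client), which is why the join below is leftouter.
let AlertDevices =
    AlertEvidence
    | where isnotempty(DeviceId)
    | distinct AlertId, DeviceId, DeviceName;
EmailEvents
| where isnotempty(NetworkMessageId)
// exact membership test instead of has_any term matching on email addresses
| where tolower(RecipientEmailAddress) in (CriticalIdentities)
| join kind=inner AlertMessages on NetworkMessageId
| join kind=leftouter AlertDevices on AlertId
// Timestamp/ReportId come from EmailEvents, the entity columns feed the rule's actions
| project Timestamp, ReportId, NetworkMessageId, AlertId, AlertTitle, Severity,
          RecipientEmailAddress, RecipientObjectId, SenderFromAddress, Subject,
          DeviceId, DeviceName
```

Rows with an empty DeviceId still carry the recipient, so user-level actions apply even when no managed device was involved in the click.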

Details


Steven Lim

Released: August 5, 2024

Tables

ExposureGraphNodes, AlertInfo, AlertEvidence, EmailEvents

Keywords

ExposureManagement DefenderForOffice365 Devices User Email Alert

Operators

let, |, where, set_has_element, isnotnull, and, <, extend, tostring, distinct, ==, join, on, has_any
