Data Queries Reference

Queries for Microsoft Sentinel

Data Environment identifier: MSSentinel

QueryGroup

Query

Description

Req-Params

Table

Azure

get_vmcomputer_for_host

Returns most recent VMComputer record for Host

end (datetime), host_name (str), start (datetime)

VMComputer

Azure

get_vmcomputer_for_ip

Returns most recent VMComputer record for IPAddress

end (datetime), ip_address (str), start (datetime)

VMComputer

Azure

list_aad_signins_for_account

Returns Azure AD Signins for Account

end (datetime), start (datetime)

SigninLogs

Azure

list_aad_signins_for_ip

Returns Azure AD Signins for an IP Address

end (datetime), ip_address_list (list), start (datetime)

SigninLogs

Azure

list_all_signins_geo

Gets Signin data used by morph charts

end (datetime), start (datetime)

SigninLogs

Azure

list_azure_activity_for_account

Returns Azure Activity for Account

account_name (str), end (datetime), start (datetime)

AzureActivity

Azure

list_azure_activity_for_ip

Returns Azure Activity for Caller IP Address(es)

end (datetime), ip_address_list (list), start (datetime)

AzureActivity

Azure

list_azure_activity_for_resource

Returns Azure Activity for an Azure Resource ID

end (datetime), resource_id (str), start (datetime)

AzureActivity

Azure

list_storage_ops_for_hash

Returns Azure Storage Operations for an MD5 file hash

end (datetime), file_hash (str), start (datetime)

StorageFileLogs

Azure

list_storage_ops_for_ip

Returns Storage Operations for an IP Address

end (datetime), ip_address (str), start (datetime)

StorageFileLogs

AzureNetwork

all_network_connections_csl

Returns all network connections for a time range (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

AzureNetwork

az_net_analytics

Returns all Azure Network Flow (NSG) Data for a given host

end (datetime), start (datetime)

AzureNetworkAnalytics_CL

AzureNetwork

dns_lookups_for_domain

Returns DNS query events for a specified domain

domain (str), end (datetime), start (datetime)

DnsEvents

AzureNetwork

dns_lookups_for_ip

Returns Dns query events that contain a resolved IP address

end (datetime), ip_address (str), start (datetime)

DnsEvents

AzureNetwork

dns_lookups_from_ip

Returns Dns queries originating from a specified IP address

end (datetime), ip_address (str), start (datetime)

DnsEvents

AzureNetwork

get_heartbeat_for_host

Returns latest OMS Heartbeat event for host.

end (datetime), host_name (str), start (datetime)

Heartbeat

AzureNetwork

get_heartbeat_for_ip

Returns latest OMS Heartbeat event for ip address.

end (datetime), ip_address (str), start (datetime)

Heartbeat

AzureNetwork

get_host_for_ip

Returns the most recent Azure NSG Interface event for an IP Address.

end (datetime), ip_address (str), start (datetime)

AzureNetworkAnalytics_CL

AzureNetwork

get_ips_for_host

Returns the most recent Azure Network NSG Interface event for a host.

end (datetime), host_name (str), start (datetime)

AzureNetworkAnalytics_CL

AzureNetwork

host_network_connections_csl

Returns network connections to and from a host (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

AzureNetwork

hosts_by_ip_csl

Returns hosts associated with a IP addresses (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

AzureNetwork

ip_network_connections_csl

Returns network connections to and from an IP address (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

AzureNetwork

ips_by_host_csl

Returns all IP addresses associated with a host (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

AzureNetwork

list_azure_network_flows_by_host

Returns Azure NSG flow events for a host.

end (datetime), host_name (str), start (datetime)

AzureNetworkAnalytics_CL

AzureNetwork

list_azure_network_flows_by_ip

Returns Azure NSG flow events for an IP Address.

end (datetime), ip_address_list (list), start (datetime)

AzureNetworkAnalytics_CL

AzureNetwork

network_connections_to_url

Returns connections to a URL or domain (CommonSecurityLog)

end (datetime), start (datetime), url (str)

CommonSecurityLog

AzureSentinel

get_bookmark_by_id

Returns a single Bookmark by BookmarkId

bookmark_id (str), end (datetime), start (datetime)

HuntingBookmark

AzureSentinel

get_bookmark_by_name

Retrieves one or more Bookmarks by Bookmark Name

bookmark_name (str), end (datetime), start (datetime)

HuntingBookmark

AzureSentinel

get_dynamic_summary_by_id

Returns a Dynamic Summary by SummaryId

end (datetime), start (datetime), summary_id (str)

DynamicSummary

AzureSentinel

get_dynamic_summary_by_name

Returns a Dynamic Summary by Name

end (datetime), start (datetime), summary_name (str)

DynamicSummary

AzureSentinel

list_bookmarks

Retrieves list of bookmarks for a time range

end (datetime), start (datetime)

HuntingBookmark

AzureSentinel

list_bookmarks_for_entity

Retrieves bookmarks for a host, account, ip address, domain, url or other entity identifier

end (datetime), start (datetime)

HuntingBookmark

AzureSentinel

list_bookmarks_for_tags

Returns Bookmark by one or more Tags

bookmark_tags (list), end (datetime), start (datetime)

HuntingBookmark

AzureSentinel

list_dynamic_summaries

Returns all Dynamic Summaries by time range

end (datetime), start (datetime)

DynamicSummary

Heartbeat

get_heartbeat_for_host

Returns latest OMS Heartbeat event for host.

end (datetime), host_name (str), start (datetime)

Heartbeat

Heartbeat

get_heartbeat_for_ip

Returns latest OMS Heartbeat event for ip address.

end (datetime), ip_address (str), start (datetime)

Heartbeat

Heartbeat

get_info_by_hostname

Deprecated - use ‘get_heartbeat_for_host’

end (datetime), host_name (str), start (datetime)

Heartbeat

Heartbeat

get_info_by_ipaddress

Deprecated - use ‘get_heartbeat_for_ip’

end (datetime), ip_address (str), start (datetime)

Heartbeat

IdentityOnPrem

logons_for_account

Return all Active Directory on-premises user logons for user name

account_name (str), end (datetime), start (datetime)

IdentityLogonEvents

IdentityOnPrem

logons_for_host

Return all Active Directory on-premises user logons for host/device name

end (datetime), host_name (str), start (datetime)

IdentityLogonEvents

IdentityOnPrem

logons_for_ip

Return all Active Directory on-premises user logons for ip address

end (datetime), ip_address (str), start (datetime)

IdentityLogonEvents

LinuxAudit

auditd_all

Extract all audit messages grouped by mssg_id

end (datetime), start (datetime)

AuditLog_CL

LinuxSyslog

all_syslog

Returns all syslog activity for a host

end (datetime), start (datetime)

Syslog

LinuxSyslog

cron_activity

Returns all cron activity for a host

end (datetime), start (datetime)

Syslog

LinuxSyslog

list_account_logon_failures

All failed user logon events for account name

account_name (str), end (datetime), start (datetime)

Syslog

LinuxSyslog

list_host_logon_failures

Failed user logon events on a host

end (datetime), host_name (str), start (datetime)

Syslog

LinuxSyslog

list_ip_logon_failures

Failed user logon events from an IP address

end (datetime), ip_address (str), start (datetime)

Syslog

LinuxSyslog

list_logon_failures

All failed user logon events on any host

end (datetime), start (datetime)

Syslog

LinuxSyslog

list_logons_for_account

Successful user logon events for account name (all hosts)

account_name (str), end (datetime), start (datetime)

Syslog

LinuxSyslog

list_logons_for_host

All logon events on a host

end (datetime), host_name (str), start (datetime)

Syslog

LinuxSyslog

list_logons_for_source_ip

Successful user logon events for source IP (all hosts)

end (datetime), ip_address (str), start (datetime)

Syslog

LinuxSyslog

notable_events

Returns all ‘alert’ and ‘crit’ syslog activity for a host

end (datetime), start (datetime)

Syslog

LinuxSyslog

squid_activity

Returns all squid proxy activity for a host

end (datetime), host_name (str), start (datetime)

Syslog

LinuxSyslog

sudo_activity

Returns all sudo activity for a host and account name

end (datetime), start (datetime)

Syslog

LinuxSyslog

summarize_events

Returns summarized syslog activity for a host

end (datetime), start (datetime)

Syslog

LinuxSyslog

sysmon_process_events

Sysmon Process Events on host

end (datetime), host_name (str), start (datetime)

LinuxSyslog

user_group_activity

Returns all user/group additions, deletions, and modifications for a host

end (datetime), start (datetime)

Syslog

LinuxSyslog

user_logon

User logon events on a host

end (datetime), host_name (str), start (datetime)

Syslog

M365D

application_alerts

Lists alerts associated with a cloud app or OAuth app

app_name (str), end (datetime), start (datetime)

AlertInfo

M365D

host_alerts

Lists alerts associated with host/device name

end (datetime), host_name (str), start (datetime)

AlertInfo

M365D

host_connections

Returns connections by a specified hostname

end (datetime), host_name (str), start (datetime)

DeviceNetworkEvents

M365D

ip_alerts

Lists alerts associated with a specified remote IP

end (datetime), ip_address (str), start (datetime)

AlertInfo

M365D

ip_connections

Returns network connections associated with a specified remote IP

end (datetime), ip_address (str), start (datetime)

DeviceNetworkEvents

M365D

list_alerts

Retrieves list of alerts

end (datetime), start (datetime)

AlertInfo

M365D

list_alerts_with_evidence

Retrieves list of alerts with their evidence

end (datetime), start (datetime)

AlertInfo

M365D

list_connections

Retrieves list of all network connections

end (datetime), start (datetime)

DeviceNetworkEvents

M365D

list_file_events_for_filename

Lists all file events by filename

end (datetime), file_name (str), start (datetime)

DeviceFileEvents

M365D

list_file_events_for_hash

Lists all file events by hash

end (datetime), file_hash (str), start (datetime)

DeviceFileEvents

M365D

list_file_events_for_host

Lists all file events for a host/device

end (datetime), start (datetime)

DeviceFileEvents

M365D

list_file_events_for_path

Lists all file events from files in a certain path

end (datetime), path (str), start (datetime)

DeviceFileEvents

M365D

list_host_processes

Return all process creations for a host for the specified time range

end (datetime), host_name (str), start (datetime)

DeviceProcessEvents

M365D

mail_message_alerts

Lists alerts associated with a specified mail message

end (datetime), message_id (str), start (datetime)

AlertInfo

M365D

mailbox_alerts

Lists alerts associated with a specified mailbox

end (datetime), mailbox (str), start (datetime)

AlertInfo

M365D

process_alerts

Lists alerts associated with a specified process

end (datetime), file_name (str), start (datetime)

AlertInfo

M365D

process_cmd_line

Lists all processes with a command line containing a string (all hosts)

cmd_line (str), end (datetime), start (datetime)

DeviceProcessEvents

M365D

process_creations

Return all processes with matching name or hash (all hosts)

end (datetime), process_identifier (str), start (datetime)

DeviceProcessEvents

M365D

process_paths

Return all processes with a matching path (part path) (all hosts)

end (datetime), file_path (str), start (datetime)

DeviceProcessEvents

M365D

protocol_connections

Returns connections associated with a specified protocol (port number)

end (datetime), protocol (str), start (datetime)

DeviceNetworkEvents

M365D

registry_key_alerts

Lists alerts associated with a specified registry key

end (datetime), key_name (str), start (datetime)

AlertInfo

M365D

sha1_alerts

Lists alerts associated with a specified SHA1 hash

end (datetime), file_hash (str), start (datetime)

AlertInfo

M365D

sha256_alerts

Lists alerts associated with a specified SHA256 hash

end (datetime), file_hash (str), start (datetime)

AlertInfo

M365D

url_alerts

Lists alerts associated with a specified URL

end (datetime), start (datetime), url (str)

AlertInfo

M365D

url_connections

Returns connections associated with a specified URL

end (datetime), start (datetime), url (str)

DeviceNetworkEvents

M365D

user_alerts

Lists alerts associated with a specified user

account_name (str), end (datetime), start (datetime)

AlertInfo

M365D

user_files

Return all files created by a user

account_name (str), end (datetime), start (datetime)

M365D

user_logons

Return all user logons for user name

account_name (str), end (datetime), start (datetime)

M365D

user_network

Return all network connections associated with a user

account_name (str), end (datetime), start (datetime)

M365D

user_processes

Return all processes created by a user

account_name (str), end (datetime), start (datetime)

M365DHunting

accessibility_persistence

This query looks for persistence or privilege escalation done using Windows Accessibility features.

M365DHunting

av_sites

Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites

M365DHunting

b64_pe

Finding base64 encoded PE files header seen in the command line parameters

M365DHunting

brute_force

Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.

M365DHunting

cve_2018_1000006l

Looks for CVE-2018-1000006 exploitation

M365DHunting

cve_2018_1111

Looks for CVE-2018-1111 exploitation

M365DHunting

cve_2018_4878

This query checks for specific processes and domain TLD used in the CVE-2018-4878

M365DHunting

doc_with_link

Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download.

M365DHunting

dropbox_link

Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site.

M365DHunting

email_link

Look for links opened from mail apps – if a detection occurred right afterwards

M365DHunting

email_smartscreen

Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning

M365DHunting

malware_recycle

Finding attackers hiding malware in the recycle bin.

M365DHunting

network_scans

Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process

M365DHunting

powershell_downloads

Finds PowerShell execution events that could involve a download.

M365DHunting

service_account_powershell

Service Accounts Performing Remote PowerShell

M365DHunting

smartscreen_ignored

Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless.

M365DHunting

smb_discovery

Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares.

M365DHunting

tor

Looks for Tor client, or for a common Tor plugin called Meek.

M365DHunting

uncommon_powershell

Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.

host_name (str), timestamp (str)

M365DHunting

user_enumeration

The query finds attempts to list users or groups using Net commands

MDEHunting

accessibility_persistence

This query looks for persistence or privilege escalation done using Windows Accessibility features.

MDEHunting

av_sites

Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites

MDEHunting

b64_pe

Finding base64 encoded PE files header seen in the command line parameters

MDEHunting

brute_force

Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.

MDEHunting

cve_2018_1000006l

Looks for CVE-2018-1000006 exploitation

MDEHunting

cve_2018_1111

Looks for CVE-2018-1111 exploitation

MDEHunting

cve_2018_4878

This query checks for specific processes and domain TLD used in the CVE-2018-4878

MDEHunting

doc_with_link

Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download.

MDEHunting

dropbox_link

Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site.

MDEHunting

email_link

Look for links opened from mail apps – if a detection occurred right afterwards

MDEHunting

email_smartscreen

Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning

MDEHunting

malware_recycle

Finding attackers hiding malware in the recycle bin.

MDEHunting

network_scans

Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process

MDEHunting

powershell_downloads

Finds PowerShell execution events that could involve a download.

MDEHunting

service_account_powershell

Service Accounts Performing Remote PowerShell

MDEHunting

smartscreen_ignored

Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless.

MDEHunting

smb_discovery

Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares.

MDEHunting

tor

Looks for Tor client, or for a common Tor plugin called Meek.

MDEHunting

uncommon_powershell

Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.

host_name (str), timestamp (str)

MDEHunting

user_enumeration

The query finds attempts to list users or groups using Net commands

MSSentinel

get_bookmark_by_id

Returns a single Bookmark by BookmarkId

bookmark_id (str), end (datetime), start (datetime)

HuntingBookmark

MSSentinel

get_bookmark_by_name

Retrieves one or more Bookmarks by Bookmark Name

bookmark_name (str), end (datetime), start (datetime)

HuntingBookmark

MSSentinel

get_dynamic_summary_by_id

Returns a Dynamic Summary by SummaryId

end (datetime), start (datetime), summary_id (str)

DynamicSummary

MSSentinel

get_dynamic_summary_by_name

Returns a Dynamic Summary by Name

end (datetime), start (datetime), summary_name (str)

DynamicSummary

MSSentinel

list_bookmarks

Retrieves list of bookmarks for a time range

end (datetime), start (datetime)

HuntingBookmark

MSSentinel

list_bookmarks_for_entity

Retrieves bookmarks for a host, account, ip address, domain, url or other entity identifier

end (datetime), start (datetime)

HuntingBookmark

MSSentinel

list_bookmarks_for_tags

Returns Bookmark by one or more Tags

bookmark_tags (list), end (datetime), start (datetime)

HuntingBookmark

MSSentinel

list_dynamic_summaries

Returns all Dynamic Summaries by time range

end (datetime), start (datetime)

DynamicSummary

MultiDataSource

get_timeseries_anomalies

Time Series filtered anomalies using native KQL analysis (series_decompose_anomalies)

end (datetime), start (datetime), table (str)

na

MultiDataSource

get_timeseries_data

Generic query to return TimeSeriesData for use with native KQL time series functions

end (datetime), start (datetime), table (str)

na

MultiDataSource

get_timeseries_decompose

Generic Time Series decomposition using native KQL analysis (series_decompose)

end (datetime), start (datetime), table (str)

na

MultiDataSource

plot_timeseries_datawithbaseline

Plot of Time Series data using native KQL analysis and plot rendering (KQLMagic only)

end (datetime), start (datetime), table (str)

na

MultiDataSource

plot_timeseries_scoreanomolies

Plot Time Series anomaly score using native KQL render (KQLMagic only)

end (datetime), start (datetime), table (str)

na

Network

all_network_connections_csl

Returns all network connections for a time range (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

Network

get_heartbeat_for_host

Returns latest OMS Heartbeat event for host.

end (datetime), host_name (str), start (datetime)

Heartbeat

Network

get_heartbeat_for_ip

Returns latest OMS Heartbeat event for ip address.

end (datetime), ip_address (str), start (datetime)

Heartbeat

Network

get_host_for_ip

Returns the most recent Azure NSG Interface event for an IP Address.

end (datetime), ip_address (str), start (datetime)

AzureNetworkAnalytics_CL

Network

get_ips_for_host

Returns the most recent Azure Network NSG Interface event for a host.

end (datetime), host_name (str), start (datetime)

AzureNetworkAnalytics_CL

Network

host_network_connections_csl

Returns network connections to and from a host (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

Network

hosts_by_ip_csl

Returns hosts associated with a IP addresses (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

Network

ip_network_connections_csl

Returns network connections to and from an IP address (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

Network

ips_by_host_csl

Returns all IP addresses associated with a host (CommonSecurityLog)

end (datetime), start (datetime)

CommonSecurityLog

Network

list_azure_network_flows_by_host

Returns Azure NSG flow events for a host.

end (datetime), host_name (str), start (datetime)

AzureNetworkAnalytics_CL

Network

list_azure_network_flows_by_ip

Returns Azure NSG flow events for an IP Address.

end (datetime), ip_address_list (list), start (datetime)

AzureNetworkAnalytics_CL

Network

network_connections_to_url

Returns connections to a URL or domain (CommonSecurityLog)

end (datetime), start (datetime), url (str)

CommonSecurityLog

Office365

list_activity_for_account

Lists Office/O365 Activity for Account

account_name (str), end (datetime), start (datetime)

OfficeActivity

Office365

list_activity_for_ip

Lists Office/O365 Activity for Caller IP Address(es)

end (datetime), ip_address_list (list), start (datetime)

OfficeActivity

Office365

list_activity_for_resource

Lists Office/O365 Activity for a Resource (OfficeObjectId)

end (datetime), resource_id (str), start (datetime)

OfficeActivity

SecurityAlert

get_alert

Retrieves a single alert by SystemAlertId

system_alert_id (str)

SecurityAlert

SecurityAlert

list_alerts

Returns security alerts for a given time range

end (datetime), start (datetime)

SecurityAlert

SecurityAlert

list_alerts_counts

Returns summary count of alerts by type

end (datetime), start (datetime)

SecurityAlert

SecurityAlert

list_alerts_for_ip

Returns alerts with the specified IP Address or addresses.

end (datetime), source_ip_list (str), start (datetime)

SecurityAlert

SecurityAlert

list_related_alerts

Returns alerts with a host, account or process entity

end (datetime), start (datetime)

SecurityAlert

ThreatIntelligence

list_indicators

Returns list of all current indicators.

end (datetime), start (datetime)

ThreatIntelligenceIndicator

ThreatIntelligence

list_indicators_by_domain

Returns list of indicators by domain

domain_list (list), end (datetime), start (datetime)

ThreatIntelligenceIndicator

ThreatIntelligence

list_indicators_by_email

Returns list of indicators by email address

end (datetime), observables (list), start (datetime)

ThreatIntelligenceIndicator

ThreatIntelligence

list_indicators_by_filepath

Returns list of indicators by file path

end (datetime), observables (list), start (datetime)

ThreatIntelligenceIndicator

ThreatIntelligence

list_indicators_by_hash

Returns list of indicators by file hash

end (datetime), file_hash_list (list), start (datetime)

ThreatIntelligenceIndicator

ThreatIntelligence

list_indicators_by_ip

Returns list of indicators by IP Address

end (datetime), ip_address_list (list), start (datetime)

ThreatIntelligenceIndicator

ThreatIntelligence

list_indicators_by_url

Returns list of indicators by URL

end (datetime), start (datetime), url_list (list)

ThreatIntelligenceIndicator

WindowsSecurity

account_change_events

Returns events related to account changes

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

get_host_logon

Returns the logon event for the logon session id on a host

end (datetime), host_name (str), logon_session_id (str), start (datetime)

SecurityEvent

WindowsSecurity

get_parent_process

Returns the parent process of process (process id, session id and host name)

end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime)

SecurityEvent

WindowsSecurity

get_process_tree

Returns the process tree for process id, session id and host name.

end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_all_logons_by_host

Returns all failed or successful logons on a host

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_events

Retrieves list of all events

end (datetime), start (datetime)

SecurityEvent

WindowsSecurity

list_events_by_id

Returns list of events on a host by EventID

end (datetime), event_list (list), start (datetime)

SecurityEvent

WindowsSecurity

list_host_events

Returns list of all events on a host

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_host_events_by_id

Returns list of specified event IDs on a host

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_host_logon_failures

Returns the logon failure events on a host for time range

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_host_logons

Returns the logon events on a host for time range

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_host_processes

Returns list of processes on a host for a time range

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_hosts_matching_commandline

Returns processes on hosts with matching command line

commandline (str), end (datetime), process_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_logon_attempts_by_account

Retrieves all logon events for an account (all hosts)

account_name (str), end (datetime), start (datetime)

SecurityEvent

WindowsSecurity

list_logon_attempts_by_ip

Returns the logon events for an IP Address (all hosts)

end (datetime), ip_address (str), start (datetime)

SecurityEvent

WindowsSecurity

list_logon_failures_by_account

Returns the logon failure events for an account (all hosts)

account_name (str), end (datetime), start (datetime)

SecurityEvent

WindowsSecurity

list_logons_by_account

Returns the logon success events for an account (all hosts)

account_name (str), end (datetime), start (datetime)

SecurityEvent

WindowsSecurity

list_matching_processes

Returns list of processes matching process name (all hosts)

end (datetime), process_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_other_events

Returns list of events other than logon and process on a host

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

list_processes_in_session

Returns all processes on the host for a logon session

end (datetime), host_name (str), logon_session_id (str), start (datetime)

SecurityEvent

WindowsSecurity

notable_events

Return other significant Windows events not returned in other queries

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

schdld_tasks_and_services

Returns scheduled tasks and services events (4698, 4700, 4697, 4702)

end (datetime), host_name (str), start (datetime)

SecurityEvent

WindowsSecurity

summarize_events

Summarize the events on a host by event type

end (datetime), host_name (str), start (datetime)

SecurityEvent

Queries for Microsoft 365 Defender

Data Environment identifier: M365D

QueryGroup

Query

Description

Req-Params

Table

IdentityOnPrem

logons_for_account

Return all Active Directory on-premises user logons for user name

account_name (str), end (datetime), start (datetime)

IdentityLogonEvents

IdentityOnPrem

logons_for_host

Return all Active Directory on-premises user logons for host/device name

end (datetime), host_name (str), start (datetime)

IdentityLogonEvents

IdentityOnPrem

logons_for_ip

Return all Active Directory on-premises user logons for ip address

end (datetime), ip_address (str), start (datetime)

IdentityLogonEvents

M365D

application_alerts

Lists alerts associated with a cloud app or OAuth app

app_name (str), end (datetime), start (datetime)

AlertInfo

M365D

host_alerts

Lists alerts associated with host/device name

end (datetime), host_name (str), start (datetime)

AlertInfo

M365D

host_connections

Returns connections by a specified hostname

end (datetime), host_name (str), start (datetime)

DeviceNetworkEvents

M365D

ip_alerts

Lists alerts associated with a specified remote IP

end (datetime), ip_address (str), start (datetime)

AlertInfo

M365D

ip_connections

Returns network connections associated with a specified remote IP

end (datetime), ip_address (str), start (datetime)

DeviceNetworkEvents

M365D

list_alerts

Retrieves list of alerts

end (datetime), start (datetime)

AlertInfo

M365D

list_alerts_with_evidence

Retrieves list of alerts with their evidence

end (datetime), start (datetime)

AlertInfo

M365D

list_connections

Retrieves list of all network connections

end (datetime), start (datetime)

DeviceNetworkEvents

M365D

list_file_events_for_filename

Lists all file events by filename

end (datetime), file_name (str), start (datetime)

DeviceFileEvents

M365D

list_file_events_for_hash

Lists all file events by hash

end (datetime), file_hash (str), start (datetime)

DeviceFileEvents

M365D

list_file_events_for_host

Lists all file events for a host/device

end (datetime), start (datetime)

DeviceFileEvents

M365D

list_file_events_for_path

Lists all file events from files in a certain path

end (datetime), path (str), start (datetime)

DeviceFileEvents

M365D

list_host_processes

Return all process creations for a host for the specified time range

end (datetime), host_name (str), start (datetime)

DeviceProcessEvents

M365D

mail_message_alerts

Lists alerts associated with a specified mail message

end (datetime), message_id (str), start (datetime)

AlertInfo

M365D

mailbox_alerts

Lists alerts associated with a specified mailbox

end (datetime), mailbox (str), start (datetime)

AlertInfo

M365D

process_alerts

Lists alerts associated with a specified process

end (datetime), file_name (str), start (datetime)

AlertInfo

M365D

process_cmd_line

Lists all processes with a command line containing a string (all hosts)

cmd_line (str), end (datetime), start (datetime)

DeviceProcessEvents

M365D

process_creations

Return all processes with matching name or hash (all hosts)

end (datetime), process_identifier (str), start (datetime)

DeviceProcessEvents

M365D

process_paths

Return all processes with a matching path (part path) (all hosts)

end (datetime), file_path (str), start (datetime)

DeviceProcessEvents

M365D

protocol_connections

Returns connections associated with a specified protocol (port number)

end (datetime), protocol (str), start (datetime)

DeviceNetworkEvents

M365D

registry_key_alerts

Lists alerts associated with a specified registry key

end (datetime), key_name (str), start (datetime)

AlertInfo

M365D

sha1_alerts

Lists alerts associated with a specified SHA1 hash

end (datetime), file_hash (str), start (datetime)

AlertInfo

M365D

sha256_alerts

Lists alerts associated with a specified SHA256 hash

end (datetime), file_hash (str), start (datetime)

AlertInfo

M365D

url_alerts

Lists alerts associated with a specified URL

end (datetime), start (datetime), url (str)

AlertInfo

M365D

url_connections

Returns connections associated with a specified URL

end (datetime), start (datetime), url (str)

DeviceNetworkEvents

M365D

user_alerts

Lists alerts associated with a specified user

account_name (str), end (datetime), start (datetime)

AlertInfo

M365D

user_files

Return all files created by a user

account_name (str), end (datetime), start (datetime)

M365D

user_logons

Return all user logons for user name

account_name (str), end (datetime), start (datetime)

M365D

user_network

Return all network connections associated with a user

account_name (str), end (datetime), start (datetime)

M365D

user_processes

Return all processes created by a user

account_name (str), end (datetime), start (datetime)

M365DHunting

accessibility_persistence

This query looks for persistence or privilege escalation done using Windows Accessibility features.

M365DHunting

av_sites

Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites

M365DHunting

b64_pe

Finding base64 encoded PE files header seen in the command line parameters

M365DHunting

brute_force

Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.

M365DHunting

cve_2018_1000006l

Looks for CVE-2018-1000006 exploitation

M365DHunting

cve_2018_1111

Looks for CVE-2018-1111 exploitation

M365DHunting

cve_2018_4878

This query checks for specific processes and domain TLD used in the CVE-2018-4878

M365DHunting

doc_with_link

Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download.

M365DHunting

dropbox_link

Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site.

M365DHunting

email_link

Look for links opened from mail apps – if a detection occurred right afterwards

M365DHunting

email_smartscreen

Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning

M365DHunting

malware_recycle

Finding attackers hiding malware in the recycle bin.

M365DHunting

network_scans

Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process

M365DHunting

powershell_downloads

Finds PowerShell execution events that could involve a download.

M365DHunting

service_account_powershell

Service Accounts Performing Remote PowerShell

M365DHunting

smartscreen_ignored

Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless.

M365DHunting

smb_discovery

Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares.

M365DHunting

tor

Looks for Tor client, or for a common Tor plugin called Meek.

M365DHunting

uncommon_powershell

Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.

host_name (str), timestamp (str)

M365DHunting

user_enumeration

The query finds attempts to list users or groups using Net commands

MDEHunting

accessibility_persistence

This query looks for persistence or privilege escalation done using Windows Accessibility features.

MDEHunting

av_sites

Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites

MDEHunting

b64_pe

Finding base64 encoded PE files header seen in the command line parameters

MDEHunting

brute_force

Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.

MDEHunting

cve_2018_1000006l

Looks for CVE-2018-1000006 exploitation

MDEHunting

cve_2018_1111

Looks for CVE-2018-1111 exploitation

MDEHunting

cve_2018_4878

This query checks for specific processes and domain TLD used in the CVE-2018-4878

MDEHunting

doc_with_link

Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download.

MDEHunting

dropbox_link

Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site.

MDEHunting

email_link

Look for links opened from mail apps – if a detection occurred right afterwards

MDEHunting

email_smartscreen

Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning

MDEHunting

malware_recycle

Finding attackers hiding malware in the recycle bin.

MDEHunting

network_scans

Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process

MDEHunting

powershell_downloads

Finds PowerShell execution events that could involve a download.

MDEHunting

service_account_powershell

Service Accounts Performing Remote PowerShell

MDEHunting

smartscreen_ignored

Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless.

MDEHunting

smb_discovery

Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares.

MDEHunting

tor

Looks for Tor client, or for a common Tor plugin called Meek.

MDEHunting

uncommon_powershell

Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period.

host_name (str), timestamp (str)

MDEHunting

user_enumeration

The query finds attempts to list users or groups using Net commands

Queries for Microsoft Graph

Data Environment identifier: SecurityGraph

QueryGroup

Query

Description

Req-Params

Table

SecurityGraphAlert

get_alert

Retrieves a single alert by AlertId

alert_id (str)

SecurityGraphAlert

list_alerts

Retrieves list of alerts

end (datetime), start (datetime)

SecurityGraphAlert

list_alerts_for_file

Retrieves list of alerts for file name, path or hash

end (datetime), start (datetime)

SecurityGraphAlert

list_alerts_for_host

Retrieves list of alerts for a hostname or FQDN

end (datetime), host_name (str), start (datetime)

SecurityGraphAlert

list_alerts_for_ip

Retrieves list of alerts for a IP Address

end (datetime), ip_address (str), start (datetime)

SecurityGraphAlert

list_alerts_for_user

Retrieves list of alerts for a user account

end (datetime), start (datetime)

SecurityGraphAlert

list_related_alerts

Retrieves list of alerts with a common entity

end (datetime), start (datetime)

Queries for Splunk

Data Environment identifier: Splunk

QueryGroup

Query

Description

Req-Params

Table

Alerts

list_alerts

Retrieves list of alerts

end (datetime), start (datetime)

Alerts

list_alerts_for_dest_ip

Retrieves list of alerts with a common destination IP Address

end (datetime), ip_address (str), start (datetime)

Alerts

list_alerts_for_src_ip

Retrieves list of alerts with a common source IP Address

end (datetime), ip_address (str), start (datetime)

Alerts

list_alerts_for_user

Retrieves list of alerts with a common username

end (datetime), start (datetime), user (str)

Alerts

list_all_alerts

Retrieves all configured alerts

end (datetime), start (datetime)

Authentication

list_logon_failures

All failed user logon events on any host

end (datetime), start (datetime)

Authentication

list_logons_for_account

All successful user logon events for account (all hosts)

account_name (str), end (datetime), start (datetime)

Authentication

list_logons_for_host

All logon events on a host

end (datetime), host_name (str), start (datetime)

Authentication

list_logons_for_source_ip

All successful user logon events for source IP (all hosts)

end (datetime), ip_address (str), start (datetime)

SplunkGeneral

get_events_parameterized

Generic parameterized query from index/source

end (datetime), start (datetime)

SplunkGeneral

list_all_datatypes

Summary of all events by index and sourcetype

end (datetime), start (datetime)

SplunkGeneral

list_all_savedsearches

Retrieves all saved searches

end (datetime), start (datetime)

audittrail

list_all_audittrail

Retrieves all audit trail logs

end (datetime), start (datetime)

Queries for Azure Resource Graph

Data Environment identifier: ResourceGraph

QueryGroup

Query

Description

Req-Params

Table

ResourceGraph

list_detailed_virtual_machines

Retrieves list of VMs with network details

resources

ResourceGraph

list_public_ips

Retrieves list of resources with public IP addresses

resources

ResourceGraph

list_resources

Retrieves list of resources

resources

ResourceGraph

list_resources_by_api_version

Retrieves list of resources for each API version

resources

ResourceGraph

list_resources_by_type

Retrieves list of resources by type

resource_type (str)

resources

ResourceGraph

list_virtual_machines

Retrieves list of VM resources

resources

Sentinel

get_sentinel_workspace_for_resource_id

Retrieves Sentinel/Azure monitor workspace details by resource ID

resource_id (str)

resources

Sentinel

get_sentinel_workspace_for_workspace_id

Retrieves Sentinel/Azure monitor workspace details by workspace ID

workspace_id (str)

resources

Sentinel

list_sentinel_workspaces_for_name

Retrieves Sentinel/Azure monitor workspace(s) details by name and optionally resource group and/or subscription_id

workspace_name (str)

resources

Queries for Sumologic

Data Environment identifier: Sumologic

QueryGroup

Query

Description

Req-Params

Table

SumologicGeneral

list_all_datatypes

Summary of all events by sourceCategory

end (datetime), start (datetime)

Queries for Local Data

Data Environment identifier: LocalData

QueryGroup

Query

Description

Req-Params

Table

Azure

list_all_signins_geo

List all Azure AD logon events

Network

list_azure_network_flows_by_host

List Azure Network flows by host name

Network

list_azure_network_flows_by_ip

List Azure Network flows by IP address

SecurityAlert

list_alerts

Retrieves list of alerts

WindowsSecurity

get_process_tree

Get process tree for a process

WindowsSecurity

list_host_events

List events failures on host

WindowsSecurity

list_host_logon_failures

List logon failures on host

WindowsSecurity

list_host_logons

List logons on host

WindowsSecurity

list_host_processes

List processes on host