Data Queries Reference
Queries for Microsoft Sentinel
Data Environment identifier: MSSentinel
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
Azure |
get_vmcomputer_for_host |
Returns most recent VMComputer record for Host |
end (datetime), host_name (str), start (datetime) |
VMComputer |
Azure |
get_vmcomputer_for_ip |
Returns most recent VMComputer record for IPAddress |
end (datetime), ip_address (str), start (datetime) |
VMComputer |
Azure |
list_aad_signins_for_account |
Returns Azure AD Signins for Account |
end (datetime), start (datetime) |
SigninLogs |
Azure |
list_aad_signins_for_ip |
Returns Azure AD Signins for an IP Address |
end (datetime), ip_address_list (list), start (datetime) |
SigninLogs |
Azure |
list_all_signins_geo |
Gets Signin data used by morph charts |
end (datetime), start (datetime) |
SigninLogs |
Azure |
list_azure_activity_for_account |
Returns Azure Activity for Account |
account_name (str), end (datetime), start (datetime) |
AzureActivity |
Azure |
list_azure_activity_for_ip |
Returns Azure Activity for Caller IP Address(es) |
end (datetime), ip_address_list (list), start (datetime) |
AzureActivity |
Azure |
list_azure_activity_for_resource |
Returns Azure Activity for an Azure Resource ID |
end (datetime), resource_id (str), start (datetime) |
AzureActivity |
Azure |
list_storage_ops_for_hash |
Returns Azure Storage Operations for an MD5 file hash |
end (datetime), file_hash (str), start (datetime) |
StorageFileLogs |
Azure |
list_storage_ops_for_ip |
Returns Storage Operations for an IP Address |
end (datetime), ip_address (str), start (datetime) |
StorageFileLogs |
AzureNetwork |
all_network_connections_csl |
Returns all network connections for a time range (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
AzureNetwork |
az_net_analytics |
Returns all Azure Network Flow (NSG) Data for a given host |
end (datetime), start (datetime) |
AzureNetworkAnalytics_CL |
AzureNetwork |
dns_lookups_for_domain |
Returns DNS query events for a specified domain |
domain (str), end (datetime), start (datetime) |
DnsEvents |
AzureNetwork |
dns_lookups_for_ip |
Returns Dns query events that contain a resolved IP address |
end (datetime), ip_address (str), start (datetime) |
DnsEvents |
AzureNetwork |
dns_lookups_from_ip |
Returns Dns queries originating from a specified IP address |
end (datetime), ip_address (str), start (datetime) |
DnsEvents |
AzureNetwork |
get_heartbeat_for_host |
Returns latest OMS Heartbeat event for host. |
end (datetime), host_name (str), start (datetime) |
Heartbeat |
AzureNetwork |
get_heartbeat_for_ip |
Returns latest OMS Heartbeat event for ip address. |
end (datetime), ip_address (str), start (datetime) |
Heartbeat |
AzureNetwork |
get_host_for_ip |
Returns the most recent Azure NSG Interface event for an IP Address. |
end (datetime), ip_address (str), start (datetime) |
AzureNetworkAnalytics_CL |
AzureNetwork |
get_ips_for_host |
Returns the most recent Azure Network NSG Interface event for a host. |
end (datetime), host_name (str), start (datetime) |
AzureNetworkAnalytics_CL |
AzureNetwork |
host_network_connections_csl |
Returns network connections to and from a host (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
AzureNetwork |
hosts_by_ip_csl |
Returns hosts associated with a IP addresses (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
AzureNetwork |
ip_network_connections_csl |
Returns network connections to and from an IP address (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
AzureNetwork |
ips_by_host_csl |
Returns all IP addresses associated with a host (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
AzureNetwork |
list_azure_network_flows_by_host |
Returns Azure NSG flow events for a host. |
end (datetime), host_name (str), start (datetime) |
AzureNetworkAnalytics_CL |
AzureNetwork |
list_azure_network_flows_by_ip |
Returns Azure NSG flow events for an IP Address. |
end (datetime), ip_address_list (list), start (datetime) |
AzureNetworkAnalytics_CL |
AzureNetwork |
network_connections_to_url |
Returns connections to a URL or domain (CommonSecurityLog) |
end (datetime), start (datetime), url (str) |
CommonSecurityLog |
AzureSentinel |
get_bookmark_by_id |
Returns a single Bookmark by BookmarkId |
bookmark_id (str), end (datetime), start (datetime) |
HuntingBookmark |
AzureSentinel |
get_bookmark_by_name |
Retrieves one or more Bookmarks by Bookmark Name |
bookmark_name (str), end (datetime), start (datetime) |
HuntingBookmark |
AzureSentinel |
get_dynamic_summary_by_id |
Returns a Dynamic Summary by SummaryId |
end (datetime), start (datetime), summary_id (str) |
DynamicSummary |
AzureSentinel |
get_dynamic_summary_by_name |
Returns a Dynamic Summary by Name |
end (datetime), start (datetime), summary_name (str) |
DynamicSummary |
AzureSentinel |
list_bookmarks |
Retrieves list of bookmarks for a time range |
end (datetime), start (datetime) |
HuntingBookmark |
AzureSentinel |
list_bookmarks_for_entity |
Retrieves bookmarks for a host, account, ip address, domain, url or other entity identifier |
end (datetime), start (datetime) |
HuntingBookmark |
AzureSentinel |
list_bookmarks_for_tags |
Returns Bookmark by one or more Tags |
bookmark_tags (list), end (datetime), start (datetime) |
HuntingBookmark |
AzureSentinel |
list_dynamic_summaries |
Returns all Dynamic Summaries by time range |
end (datetime), start (datetime) |
DynamicSummary |
Heartbeat |
get_heartbeat_for_host |
Returns latest OMS Heartbeat event for host. |
end (datetime), host_name (str), start (datetime) |
Heartbeat |
Heartbeat |
get_heartbeat_for_ip |
Returns latest OMS Heartbeat event for ip address. |
end (datetime), ip_address (str), start (datetime) |
Heartbeat |
Heartbeat |
get_info_by_hostname |
Deprecated - use ‘get_heartbeat_for_host’ |
end (datetime), host_name (str), start (datetime) |
Heartbeat |
Heartbeat |
get_info_by_ipaddress |
Deprecated - use ‘get_heartbeat_for_ip’ |
end (datetime), ip_address (str), start (datetime) |
Heartbeat |
IdentityOnPrem |
logons_for_account |
Return all Active Directory on-premises user logons for user name |
account_name (str), end (datetime), start (datetime) |
IdentityLogonEvents |
IdentityOnPrem |
logons_for_host |
Return all Active Directory on-premises user logons for host/device name |
end (datetime), host_name (str), start (datetime) |
IdentityLogonEvents |
IdentityOnPrem |
logons_for_ip |
Return all Active Directory on-premises user logons for ip address |
end (datetime), ip_address (str), start (datetime) |
IdentityLogonEvents |
LinuxAudit |
auditd_all |
Extract all audit messages grouped by mssg_id |
end (datetime), start (datetime) |
AuditLog_CL |
LinuxSyslog |
all_syslog |
Returns all syslog activity for a host |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
cron_activity |
Returns all cron activity for a host |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
list_account_logon_failures |
All failed user logon events for account name |
account_name (str), end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
list_host_logon_failures |
Failed user logon events on a host |
end (datetime), host_name (str), start (datetime) |
Syslog |
LinuxSyslog |
list_ip_logon_failures |
Failed user logon events from an IP address |
end (datetime), ip_address (str), start (datetime) |
Syslog |
LinuxSyslog |
list_logon_failures |
All failed user logon events on any host |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
list_logons_for_account |
Successful user logon events for account name (all hosts) |
account_name (str), end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
list_logons_for_host |
All logon events on a host |
end (datetime), host_name (str), start (datetime) |
Syslog |
LinuxSyslog |
list_logons_for_source_ip |
Successful user logon events for source IP (all hosts) |
end (datetime), ip_address (str), start (datetime) |
Syslog |
LinuxSyslog |
notable_events |
Returns all ‘alert’ and ‘crit’ syslog activity for a host |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
squid_activity |
Returns all squid proxy activity for a host |
end (datetime), host_name (str), start (datetime) |
Syslog |
LinuxSyslog |
sudo_activity |
Returns all sudo activity for a host and account name |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
summarize_events |
Returns summarized syslog activity for a host |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
sysmon_process_events |
Sysmon Process Events on host |
end (datetime), host_name (str), start (datetime) |
|
LinuxSyslog |
user_group_activity |
Returns all user/group additions, deletions, and modifications for a host |
end (datetime), start (datetime) |
Syslog |
LinuxSyslog |
user_logon |
User logon events on a host |
end (datetime), host_name (str), start (datetime) |
Syslog |
M365D |
application_alerts |
Lists alerts associated with a cloud app or OAuth app |
app_name (str), end (datetime), start (datetime) |
AlertInfo |
M365D |
host_alerts |
Lists alerts associated with host/device name |
end (datetime), host_name (str), start (datetime) |
AlertInfo |
M365D |
host_connections |
Returns connections by a specified hostname |
end (datetime), host_name (str), start (datetime) |
DeviceNetworkEvents |
M365D |
ip_alerts |
Lists alerts associated with a specified remote IP |
end (datetime), ip_address (str), start (datetime) |
AlertInfo |
M365D |
ip_connections |
Returns network connections associated with a specified remote IP |
end (datetime), ip_address (str), start (datetime) |
DeviceNetworkEvents |
M365D |
list_alerts |
Retrieves list of alerts |
end (datetime), start (datetime) |
AlertInfo |
M365D |
list_alerts_with_evidence |
Retrieves list of alerts with their evidence |
end (datetime), start (datetime) |
AlertInfo |
M365D |
list_connections |
Retrieves list of all network connections |
end (datetime), start (datetime) |
DeviceNetworkEvents |
M365D |
list_file_events_for_filename |
Lists all file events by filename |
end (datetime), file_name (str), start (datetime) |
DeviceFileEvents |
M365D |
list_file_events_for_hash |
Lists all file events by hash |
end (datetime), file_hash (str), start (datetime) |
DeviceFileEvents |
M365D |
list_file_events_for_host |
Lists all file events for a host/device |
end (datetime), start (datetime) |
DeviceFileEvents |
M365D |
list_file_events_for_path |
Lists all file events from files in a certain path |
end (datetime), path (str), start (datetime) |
DeviceFileEvents |
M365D |
list_host_processes |
Return all process creations for a host for the specified time range |
end (datetime), host_name (str), start (datetime) |
DeviceProcessEvents |
M365D |
mail_message_alerts |
Lists alerts associated with a specified mail message |
end (datetime), message_id (str), start (datetime) |
AlertInfo |
M365D |
mailbox_alerts |
Lists alerts associated with a specified mailbox |
end (datetime), mailbox (str), start (datetime) |
AlertInfo |
M365D |
process_alerts |
Lists alerts associated with a specified process |
end (datetime), file_name (str), start (datetime) |
AlertInfo |
M365D |
process_cmd_line |
Lists all processes with a command line containing a string (all hosts) |
cmd_line (str), end (datetime), start (datetime) |
DeviceProcessEvents |
M365D |
process_creations |
Return all processes with matching name or hash (all hosts) |
end (datetime), process_identifier (str), start (datetime) |
DeviceProcessEvents |
M365D |
process_paths |
Return all processes with a matching path (part path) (all hosts) |
end (datetime), file_path (str), start (datetime) |
DeviceProcessEvents |
M365D |
protocol_connections |
Returns connections associated with a specified protocol (port number) |
end (datetime), protocol (str), start (datetime) |
DeviceNetworkEvents |
M365D |
registry_key_alerts |
Lists alerts associated with a specified registry key |
end (datetime), key_name (str), start (datetime) |
AlertInfo |
M365D |
sha1_alerts |
Lists alerts associated with a specified SHA1 hash |
end (datetime), file_hash (str), start (datetime) |
AlertInfo |
M365D |
sha256_alerts |
Lists alerts associated with a specified SHA256 hash |
end (datetime), file_hash (str), start (datetime) |
AlertInfo |
M365D |
url_alerts |
Lists alerts associated with a specified URL |
end (datetime), start (datetime), url (str) |
AlertInfo |
M365D |
url_connections |
Returns connections associated with a specified URL |
end (datetime), start (datetime), url (str) |
DeviceNetworkEvents |
M365D |
user_alerts |
Lists alerts associated with a specified user |
account_name (str), end (datetime), start (datetime) |
AlertInfo |
M365D |
user_files |
Return all files created by a user |
account_name (str), end (datetime), start (datetime) |
|
M365D |
user_logons |
Return all user logons for user name |
account_name (str), end (datetime), start (datetime) |
|
M365D |
user_network |
Return all network connections associated with a user |
account_name (str), end (datetime), start (datetime) |
|
M365D |
user_processes |
Return all processes created by a user |
account_name (str), end (datetime), start (datetime) |
|
M365DHunting |
accessibility_persistence |
This query looks for persistence or privilege escalation done using Windows Accessibility features. |
end (datetime), start (datetime) |
|
M365DHunting |
av_sites |
Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites |
end (datetime), start (datetime) |
|
M365DHunting |
b64_pe |
Finding base64 encoded PE files header seen in the command line parameters |
end (datetime), start (datetime) |
|
M365DHunting |
brute_force |
Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. |
end (datetime), start (datetime) |
|
M365DHunting |
cve_2018_1000006l |
Looks for CVE-2018-1000006 exploitation |
end (datetime), start (datetime) |
|
M365DHunting |
cve_2018_1111 |
Looks for CVE-2018-1111 exploitation |
end (datetime), start (datetime) |
|
M365DHunting |
cve_2018_4878 |
This query checks for specific processes and domain TLD used in the CVE-2018-4878 |
end (datetime), start (datetime) |
|
M365DHunting |
doc_with_link |
Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. |
end (datetime), start (datetime) |
|
M365DHunting |
dropbox_link |
Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. |
end (datetime), start (datetime) |
|
M365DHunting |
email_link |
Look for links opened from mail apps – if a detection occurred right afterwards |
end (datetime), start (datetime) |
|
M365DHunting |
email_smartscreen |
Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning |
end (datetime), start (datetime) |
|
M365DHunting |
malware_recycle |
Finding attackers hiding malware in the recycle bin. |
end (datetime), start (datetime) |
|
M365DHunting |
network_scans |
Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process |
end (datetime), start (datetime) |
|
M365DHunting |
powershell_downloads |
Finds PowerShell execution events that could involve a download. |
end (datetime), start (datetime) |
|
M365DHunting |
service_account_powershell |
Service Accounts Performing Remote PowerShell |
end (datetime), start (datetime) |
|
M365DHunting |
smartscreen_ignored |
Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. |
end (datetime), start (datetime) |
|
M365DHunting |
smb_discovery |
Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. |
end (datetime), start (datetime) |
|
M365DHunting |
tor |
Looks for Tor client, or for a common Tor plugin called Meek. |
end (datetime), start (datetime) |
|
M365DHunting |
uncommon_powershell |
Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. |
end (datetime), host_name (str), start (datetime), timestamp (str) |
|
M365DHunting |
user_enumeration |
The query finds attempts to list users or groups using Net commands |
end (datetime), start (datetime) |
|
MDEHunting |
accessibility_persistence |
This query looks for persistence or privilege escalation done using Windows Accessibility features. |
end (datetime), start (datetime) |
|
MDEHunting |
av_sites |
Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites |
end (datetime), start (datetime) |
|
MDEHunting |
b64_pe |
Finding base64 encoded PE files header seen in the command line parameters |
end (datetime), start (datetime) |
|
MDEHunting |
brute_force |
Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. |
end (datetime), start (datetime) |
|
MDEHunting |
cve_2018_1000006l |
Looks for CVE-2018-1000006 exploitation |
end (datetime), start (datetime) |
|
MDEHunting |
cve_2018_1111 |
Looks for CVE-2018-1111 exploitation |
end (datetime), start (datetime) |
|
MDEHunting |
cve_2018_4878 |
This query checks for specific processes and domain TLD used in the CVE-2018-4878 |
end (datetime), start (datetime) |
|
MDEHunting |
doc_with_link |
Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. |
end (datetime), start (datetime) |
|
MDEHunting |
dropbox_link |
Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. |
end (datetime), start (datetime) |
|
MDEHunting |
email_link |
Look for links opened from mail apps – if a detection occurred right afterwards |
end (datetime), start (datetime) |
|
MDEHunting |
email_smartscreen |
Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning |
end (datetime), start (datetime) |
|
MDEHunting |
malware_recycle |
Finding attackers hiding malware in the recycle bin. |
end (datetime), start (datetime) |
|
MDEHunting |
network_scans |
Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process |
end (datetime), start (datetime) |
|
MDEHunting |
powershell_downloads |
Finds PowerShell execution events that could involve a download. |
end (datetime), start (datetime) |
|
MDEHunting |
service_account_powershell |
Service Accounts Performing Remote PowerShell |
end (datetime), start (datetime) |
|
MDEHunting |
smartscreen_ignored |
Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. |
end (datetime), start (datetime) |
|
MDEHunting |
smb_discovery |
Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. |
end (datetime), start (datetime) |
|
MDEHunting |
tor |
Looks for Tor client, or for a common Tor plugin called Meek. |
end (datetime), start (datetime) |
|
MDEHunting |
uncommon_powershell |
Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. |
end (datetime), host_name (str), start (datetime), timestamp (str) |
|
MDEHunting |
user_enumeration |
The query finds attempts to list users or groups using Net commands |
end (datetime), start (datetime) |
|
MSSentinel |
get_bookmark_by_id |
Returns a single Bookmark by BookmarkId |
bookmark_id (str), end (datetime), start (datetime) |
HuntingBookmark |
MSSentinel |
get_bookmark_by_name |
Retrieves one or more Bookmarks by Bookmark Name |
bookmark_name (str), end (datetime), start (datetime) |
HuntingBookmark |
MSSentinel |
get_dynamic_summary_by_id |
Returns a Dynamic Summary by SummaryId |
end (datetime), start (datetime), summary_id (str) |
DynamicSummary |
MSSentinel |
get_dynamic_summary_by_name |
Returns a Dynamic Summary by Name |
end (datetime), start (datetime), summary_name (str) |
DynamicSummary |
MSSentinel |
list_bookmarks |
Retrieves list of bookmarks for a time range |
end (datetime), start (datetime) |
HuntingBookmark |
MSSentinel |
list_bookmarks_for_entity |
Retrieves bookmarks for a host, account, ip address, domain, url or other entity identifier |
end (datetime), start (datetime) |
HuntingBookmark |
MSSentinel |
list_bookmarks_for_tags |
Returns Bookmark by one or more Tags |
bookmark_tags (list), end (datetime), start (datetime) |
HuntingBookmark |
MSSentinel |
list_dynamic_summaries |
Returns all Dynamic Summaries by time range |
end (datetime), start (datetime) |
DynamicSummary |
MultiDataSource |
get_timeseries_anomalies |
Time Series filtered anomalies using native KQL analysis (series_decompose_anomalies) |
end (datetime), start (datetime), table (str) |
na |
MultiDataSource |
get_timeseries_data |
Generic query to return TimeSeriesData for use with native KQL time series functions |
end (datetime), start (datetime), table (str) |
na |
MultiDataSource |
get_timeseries_decompose |
Generic Time Series decomposition using native KQL analysis (series_decompose) |
end (datetime), start (datetime), table (str) |
na |
MultiDataSource |
plot_timeseries_datawithbaseline |
Plot of Time Series data using native KQL analysis and plot rendering (KQLMagic only) |
end (datetime), start (datetime), table (str) |
na |
MultiDataSource |
plot_timeseries_scoreanomolies |
Plot Time Series anomaly score using native KQL render (KQLMagic only) |
end (datetime), start (datetime), table (str) |
na |
Network |
all_network_connections_csl |
Returns all network connections for a time range (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
Network |
get_heartbeat_for_host |
Returns latest OMS Heartbeat event for host. |
end (datetime), host_name (str), start (datetime) |
Heartbeat |
Network |
get_heartbeat_for_ip |
Returns latest OMS Heartbeat event for ip address. |
end (datetime), ip_address (str), start (datetime) |
Heartbeat |
Network |
get_host_for_ip |
Returns the most recent Azure NSG Interface event for an IP Address. |
end (datetime), ip_address (str), start (datetime) |
AzureNetworkAnalytics_CL |
Network |
get_ips_for_host |
Returns the most recent Azure Network NSG Interface event for a host. |
end (datetime), host_name (str), start (datetime) |
AzureNetworkAnalytics_CL |
Network |
host_network_connections_csl |
Returns network connections to and from a host (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
Network |
hosts_by_ip_csl |
Returns hosts associated with a IP addresses (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
Network |
ip_network_connections_csl |
Returns network connections to and from an IP address (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
Network |
ips_by_host_csl |
Returns all IP addresses associated with a host (CommonSecurityLog) |
end (datetime), start (datetime) |
CommonSecurityLog |
Network |
list_azure_network_flows_by_host |
Returns Azure NSG flow events for a host. |
end (datetime), host_name (str), start (datetime) |
AzureNetworkAnalytics_CL |
Network |
list_azure_network_flows_by_ip |
Returns Azure NSG flow events for an IP Address. |
end (datetime), ip_address_list (list), start (datetime) |
AzureNetworkAnalytics_CL |
Network |
network_connections_to_url |
Returns connections to a URL or domain (CommonSecurityLog) |
end (datetime), start (datetime), url (str) |
CommonSecurityLog |
Office365 |
list_activity_for_account |
Lists Office/O365 Activity for Account |
account_name (str), end (datetime), start (datetime) |
OfficeActivity |
Office365 |
list_activity_for_ip |
Lists Office/O365 Activity for Caller IP Address(es) |
end (datetime), ip_address_list (list), start (datetime) |
OfficeActivity |
Office365 |
list_activity_for_resource |
Lists Office/O365 Activity for a Resource (OfficeObjectId) |
end (datetime), resource_id (str), start (datetime) |
OfficeActivity |
SecurityAlert |
get_alert |
Retrieves a single alert by SystemAlertId |
system_alert_id (str) |
SecurityAlert |
SecurityAlert |
list_alerts |
Returns security alerts for a given time range |
end (datetime), start (datetime) |
SecurityAlert |
SecurityAlert |
list_alerts_counts |
Returns summary count of alerts by type |
end (datetime), start (datetime) |
SecurityAlert |
SecurityAlert |
list_alerts_for_ip |
Returns alerts with the specified IP Address or addresses. |
end (datetime), source_ip_list (str), start (datetime) |
SecurityAlert |
SecurityAlert |
list_related_alerts |
Returns alerts with a host, account or process entity |
end (datetime), start (datetime) |
SecurityAlert |
ThreatIntelligence |
list_indicators |
Returns list of all current indicators. |
end (datetime), start (datetime) |
ThreatIntelligenceIndicator |
ThreatIntelligence |
list_indicators_by_domain |
Returns list of indicators by domain |
domain_list (list), end (datetime), start (datetime) |
ThreatIntelligenceIndicator |
ThreatIntelligence |
list_indicators_by_email |
Returns list of indicators by email address |
end (datetime), observables (list), start (datetime) |
ThreatIntelligenceIndicator |
ThreatIntelligence |
list_indicators_by_filepath |
Returns list of indicators by file path |
end (datetime), observables (list), start (datetime) |
ThreatIntelligenceIndicator |
ThreatIntelligence |
list_indicators_by_hash |
Returns list of indicators by file hash |
end (datetime), file_hash_list (list), start (datetime) |
ThreatIntelligenceIndicator |
ThreatIntelligence |
list_indicators_by_ip |
Returns list of indicators by IP Address |
end (datetime), ip_address_list (list), start (datetime) |
ThreatIntelligenceIndicator |
ThreatIntelligence |
list_indicators_by_url |
Returns list of indicators by URL |
end (datetime), start (datetime), url_list (list) |
ThreatIntelligenceIndicator |
WindowsSecurity |
account_change_events |
Returns events related to account changes |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
get_host_logon |
Returns the logon event for the logon session id on a host |
end (datetime), host_name (str), logon_session_id (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
get_parent_process |
Returns the parent process of process (process id, session id and host name) |
end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
get_process_tree |
Returns the process tree for process id, session id and host name. |
end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_all_logons_by_host |
Returns all failed or successful logons on a host |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_events |
Retrieves list of all events |
end (datetime), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_events_by_id |
Returns list of events on a host by EventID |
end (datetime), event_list (list), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_host_events |
Returns list of all events on a host |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_host_events_by_id |
Returns list of specified event IDs on a host |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_host_logon_failures |
Returns the logon failure events on a host for time range |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_host_logons |
Returns the logon events on a host for time range |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_host_processes |
Returns list of processes on a host for a time range |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_hosts_matching_commandline |
Returns processes on hosts with matching command line |
commandline (str), end (datetime), process_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_logon_attempts_by_account |
Retrieves all logon events for an account (all hosts) |
account_name (str), end (datetime), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_logon_attempts_by_ip |
Returns the logon events for an IP Address (all hosts) |
end (datetime), ip_address (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_logon_failures_by_account |
Returns the logon failure events for an account (all hosts) |
account_name (str), end (datetime), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_logons_by_account |
Returns the logon success events for an account (all hosts) |
account_name (str), end (datetime), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_matching_processes |
Returns list of processes matching process name (all hosts) |
end (datetime), process_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_other_events |
Returns list of events other than logon and process on a host |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
list_processes_in_session |
Returns all processes on the host for a logon session |
end (datetime), host_name (str), logon_session_id (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
notable_events |
Return other significant Windows events not returned in other queries |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
schdld_tasks_and_services |
Returns scheduled tasks and services events (4698, 4700, 4697, 4702) |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
WindowsSecurity |
summarize_events |
Summarize the events on a host by event type |
end (datetime), host_name (str), start (datetime) |
SecurityEvent |
Queries for Microsoft 365 Defender
Data Environment identifier: M365D
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
IdentityOnPrem |
logons_for_account |
Return all Active Directory on-premises user logons for user name |
account_name (str), end (datetime), start (datetime) |
IdentityLogonEvents |
IdentityOnPrem |
logons_for_host |
Return all Active Directory on-premises user logons for host/device name |
end (datetime), host_name (str), start (datetime) |
IdentityLogonEvents |
IdentityOnPrem |
logons_for_ip |
Return all Active Directory on-premises user logons for ip address |
end (datetime), ip_address (str), start (datetime) |
IdentityLogonEvents |
M365D |
application_alerts |
Lists alerts associated with a cloud app or OAuth app |
app_name (str), end (datetime), start (datetime) |
AlertInfo |
M365D |
host_alerts |
Lists alerts associated with host/device name |
end (datetime), host_name (str), start (datetime) |
AlertInfo |
M365D |
host_connections |
Returns connections by a specified hostname |
end (datetime), host_name (str), start (datetime) |
DeviceNetworkEvents |
M365D |
ip_alerts |
Lists alerts associated with a specified remote IP |
end (datetime), ip_address (str), start (datetime) |
AlertInfo |
M365D |
ip_connections |
Returns network connections associated with a specified remote IP |
end (datetime), ip_address (str), start (datetime) |
DeviceNetworkEvents |
M365D |
list_alerts |
Retrieves list of alerts |
end (datetime), start (datetime) |
AlertInfo |
M365D |
list_alerts_with_evidence |
Retrieves list of alerts with their evidence |
end (datetime), start (datetime) |
AlertInfo |
M365D |
list_connections |
Retrieves list of all network connections |
end (datetime), start (datetime) |
DeviceNetworkEvents |
M365D |
list_file_events_for_filename |
Lists all file events by filename |
end (datetime), file_name (str), start (datetime) |
DeviceFileEvents |
M365D |
list_file_events_for_hash |
Lists all file events by hash |
end (datetime), file_hash (str), start (datetime) |
DeviceFileEvents |
M365D |
list_file_events_for_host |
Lists all file events for a host/device |
end (datetime), start (datetime) |
DeviceFileEvents |
M365D |
list_file_events_for_path |
Lists all file events from files in a certain path |
end (datetime), path (str), start (datetime) |
DeviceFileEvents |
M365D |
list_host_processes |
Return all process creations for a host for the specified time range |
end (datetime), host_name (str), start (datetime) |
DeviceProcessEvents |
M365D |
mail_message_alerts |
Lists alerts associated with a specified mail message |
end (datetime), message_id (str), start (datetime) |
AlertInfo |
M365D |
mailbox_alerts |
Lists alerts associated with a specified mailbox |
end (datetime), mailbox (str), start (datetime) |
AlertInfo |
M365D |
process_alerts |
Lists alerts associated with a specified process |
end (datetime), file_name (str), start (datetime) |
AlertInfo |
M365D |
process_cmd_line |
Lists all processes with a command line containing a string (all hosts) |
cmd_line (str), end (datetime), start (datetime) |
DeviceProcessEvents |
M365D |
process_creations |
Return all processes with matching name or hash (all hosts) |
end (datetime), process_identifier (str), start (datetime) |
DeviceProcessEvents |
M365D |
process_paths |
Return all processes with a matching path (part path) (all hosts) |
end (datetime), file_path (str), start (datetime) |
DeviceProcessEvents |
M365D |
protocol_connections |
Returns connections associated with a specified protocol (port number) |
end (datetime), protocol (str), start (datetime) |
DeviceNetworkEvents |
M365D |
registry_key_alerts |
Lists alerts associated with a specified registry key |
end (datetime), key_name (str), start (datetime) |
AlertInfo |
M365D |
sha1_alerts |
Lists alerts associated with a specified SHA1 hash |
end (datetime), file_hash (str), start (datetime) |
AlertInfo |
M365D |
sha256_alerts |
Lists alerts associated with a specified SHA256 hash |
end (datetime), file_hash (str), start (datetime) |
AlertInfo |
M365D |
url_alerts |
Lists alerts associated with a specified URL |
end (datetime), start (datetime), url (str) |
AlertInfo |
M365D |
url_connections |
Returns connections associated with a specified URL |
end (datetime), start (datetime), url (str) |
DeviceNetworkEvents |
M365D |
user_alerts |
Lists alerts associated with a specified user |
account_name (str), end (datetime), start (datetime) |
AlertInfo |
M365D |
user_files |
Return all files created by a user |
account_name (str), end (datetime), start (datetime) |
|
M365D |
user_logons |
Return all user logons for user name |
account_name (str), end (datetime), start (datetime) |
|
M365D |
user_network |
Return all network connections associated with a user |
account_name (str), end (datetime), start (datetime) |
|
M365D |
user_processes |
Return all processes created by a user |
account_name (str), end (datetime), start (datetime) |
|
M365DHunting |
accessibility_persistence |
This query looks for persistence or privilege escalation done using Windows Accessibility features. |
end (datetime), start (datetime) |
|
M365DHunting |
av_sites |
Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites |
end (datetime), start (datetime) |
|
M365DHunting |
b64_pe |
Finding base64 encoded PE files header seen in the command line parameters |
end (datetime), start (datetime) |
|
M365DHunting |
brute_force |
Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. |
end (datetime), start (datetime) |
|
M365DHunting |
cve_2018_1000006l |
Looks for CVE-2018-1000006 exploitation |
end (datetime), start (datetime) |
|
M365DHunting |
cve_2018_1111 |
Looks for CVE-2018-1111 exploitation |
end (datetime), start (datetime) |
|
M365DHunting |
cve_2018_4878 |
This query checks for specific processes and domain TLD used in the CVE-2018-4878 |
end (datetime), start (datetime) |
|
M365DHunting |
doc_with_link |
Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. |
end (datetime), start (datetime) |
|
M365DHunting |
dropbox_link |
Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. |
end (datetime), start (datetime) |
|
M365DHunting |
email_link |
Look for links opened from mail apps – if a detection occurred right afterwards |
end (datetime), start (datetime) |
|
M365DHunting |
email_smartscreen |
Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning |
end (datetime), start (datetime) |
|
M365DHunting |
malware_recycle |
Finding attackers hiding malware in the recycle bin. |
end (datetime), start (datetime) |
|
M365DHunting |
network_scans |
Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process |
end (datetime), start (datetime) |
|
M365DHunting |
powershell_downloads |
Finds PowerShell execution events that could involve a download. |
end (datetime), start (datetime) |
|
M365DHunting |
service_account_powershell |
Service Accounts Performing Remote PowerShell |
end (datetime), start (datetime) |
|
M365DHunting |
smartscreen_ignored |
Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. |
end (datetime), start (datetime) |
|
M365DHunting |
smb_discovery |
Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. |
end (datetime), start (datetime) |
|
M365DHunting |
tor |
Looks for Tor client, or for a common Tor plugin called Meek. |
end (datetime), start (datetime) |
|
M365DHunting |
uncommon_powershell |
Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. |
end (datetime), host_name (str), start (datetime), timestamp (str) |
|
M365DHunting |
user_enumeration |
The query finds attempts to list users or groups using Net commands |
end (datetime), start (datetime) |
|
MDEHunting |
accessibility_persistence |
This query looks for persistence or privilege escalation done using Windows Accessibility features. |
end (datetime), start (datetime) |
|
MDEHunting |
av_sites |
Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites |
end (datetime), start (datetime) |
|
MDEHunting |
b64_pe |
Finding base64 encoded PE files header seen in the command line parameters |
end (datetime), start (datetime) |
|
MDEHunting |
brute_force |
Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. |
end (datetime), start (datetime) |
|
MDEHunting |
cve_2018_1000006l |
Looks for CVE-2018-1000006 exploitation |
end (datetime), start (datetime) |
|
MDEHunting |
cve_2018_1111 |
Looks for CVE-2018-1111 exploitation |
end (datetime), start (datetime) |
|
MDEHunting |
cve_2018_4878 |
This query checks for specific processes and domain TLD used in the CVE-2018-4878 |
end (datetime), start (datetime) |
|
MDEHunting |
doc_with_link |
Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. |
end (datetime), start (datetime) |
|
MDEHunting |
dropbox_link |
Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. |
end (datetime), start (datetime) |
|
MDEHunting |
email_link |
Look for links opened from mail apps – if a detection occurred right afterwards |
end (datetime), start (datetime) |
|
MDEHunting |
email_smartscreen |
Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning |
end (datetime), start (datetime) |
|
MDEHunting |
malware_recycle |
Finding attackers hiding malware in the recycle bin. |
end (datetime), start (datetime) |
|
MDEHunting |
network_scans |
Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process |
end (datetime), start (datetime) |
|
MDEHunting |
powershell_downloads |
Finds PowerShell execution events that could involve a download. |
end (datetime), start (datetime) |
|
MDEHunting |
service_account_powershell |
Service Accounts Performing Remote PowerShell |
end (datetime), start (datetime) |
|
MDEHunting |
smartscreen_ignored |
Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. |
end (datetime), start (datetime) |
|
MDEHunting |
smb_discovery |
Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. |
end (datetime), start (datetime) |
|
MDEHunting |
tor |
Looks for Tor client, or for a common Tor plugin called Meek. |
end (datetime), start (datetime) |
|
MDEHunting |
uncommon_powershell |
Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. |
end (datetime), host_name (str), start (datetime), timestamp (str) |
|
MDEHunting |
user_enumeration |
The query finds attempts to list users or groups using Net commands |
end (datetime), start (datetime) |
Queries for Microsoft Graph
Data Environment identifier: SecurityGraph
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
SecurityGraphAlert |
get_alert |
Retrieves a single alert by AlertId |
alert_id (str) |
|
SecurityGraphAlert |
list_alerts |
Retrieves list of alerts |
end (datetime), start (datetime) |
|
SecurityGraphAlert |
list_alerts_for_file |
Retrieves list of alerts for file name, path or hash |
end (datetime), start (datetime) |
|
SecurityGraphAlert |
list_alerts_for_host |
Retrieves list of alerts for a hostname or FQDN |
end (datetime), host_name (str), start (datetime) |
|
SecurityGraphAlert |
list_alerts_for_ip |
Retrieves list of alerts for a IP Address |
end (datetime), ip_address (str), start (datetime) |
|
SecurityGraphAlert |
list_alerts_for_user |
Retrieves list of alerts for a user account |
end (datetime), start (datetime) |
|
SecurityGraphAlert |
list_related_alerts |
Retrieves list of alerts with a common entity |
end (datetime), start (datetime) |
Queries for Splunk
Data Environment identifier: Splunk
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
Alerts |
list_alerts |
Retrieves list of alerts |
end (datetime), start (datetime) |
|
Alerts |
list_alerts_for_dest_ip |
Retrieves list of alerts with a common destination IP Address |
end (datetime), ip_address (str), start (datetime) |
|
Alerts |
list_alerts_for_src_ip |
Retrieves list of alerts with a common source IP Address |
end (datetime), ip_address (str), start (datetime) |
|
Alerts |
list_alerts_for_user |
Retrieves list of alerts with a common username |
end (datetime), start (datetime), user (str) |
|
Alerts |
list_all_alerts |
Retrieves all configured alerts |
end (datetime), start (datetime) |
|
Authentication |
list_logon_failures |
All failed user logon events on any host |
end (datetime), start (datetime) |
|
Authentication |
list_logons_for_account |
All successful user logon events for account (all hosts) |
account_name (str), end (datetime), start (datetime) |
|
Authentication |
list_logons_for_host |
All logon events on a host |
end (datetime), host_name (str), start (datetime) |
|
Authentication |
list_logons_for_source_ip |
All successful user logon events for source IP (all hosts) |
end (datetime), ip_address (str), start (datetime) |
|
SplunkGeneral |
get_events_parameterized |
Generic parameterized query from index/source |
end (datetime), start (datetime) |
|
SplunkGeneral |
list_all_datatypes |
Summary of all events by index and sourcetype |
end (datetime), start (datetime) |
|
SplunkGeneral |
list_all_savedsearches |
Retrieves all saved searches |
end (datetime), start (datetime) |
|
audittrail |
list_all_audittrail |
Retrieves all audit trail logs |
end (datetime), start (datetime) |
Queries for Azure Resource Graph
Data Environment identifier: ResourceGraph
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
ResourceGraph |
list_detailed_virtual_machines |
Retrieves list of VMs with network details |
resources |
|
ResourceGraph |
list_public_ips |
Retrieves list of resources with public IP addresses |
resources |
|
ResourceGraph |
list_resources |
Retrieves list of resources |
resources |
|
ResourceGraph |
list_resources_by_api_version |
Retrieves list of resources for each API version |
resources |
|
ResourceGraph |
list_resources_by_type |
Retrieves list of resources by type |
resource_type (str) |
resources |
ResourceGraph |
list_virtual_machines |
Retrieves list of VM resources |
resources |
|
Sentinel |
get_sentinel_workspace_for_resource_id |
Retrieves Sentinel/Azure monitor workspace details by resource ID |
resource_id (str) |
resources |
Sentinel |
get_sentinel_workspace_for_workspace_id |
Retrieves Sentinel/Azure monitor workspace details by workspace ID |
workspace_id (str) |
resources |
Sentinel |
list_sentinel_workspaces_for_name |
Retrieves Sentinel/Azure monitor workspace(s) details by name and optionally resource group and/or subscription_id |
workspace_name (str) |
resources |
Queries for Sumologic
Data Environment identifier: Sumologic
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
SumologicGeneral |
list_all_datatypes |
Summary of all events by sourceCategory |
end (datetime), start (datetime) |
Queries for Local Data
Data Environment identifier: LocalData
QueryGroup |
Query |
Description |
Req-Params |
Table |
|---|---|---|---|---|
Azure |
list_all_signins_geo |
List all Azure AD logon events |
||
Network |
list_azure_network_flows_by_host |
List Azure Network flows by host name |
||
Network |
list_azure_network_flows_by_ip |
List Azure Network flows by IP address |
||
SecurityAlert |
list_alerts |
Retrieves list of alerts |
||
WindowsSecurity |
get_process_tree |
Get process tree for a process |
||
WindowsSecurity |
list_host_events |
List events failures on host |
||
WindowsSecurity |
list_host_logon_failures |
List logon failures on host |
||
WindowsSecurity |
list_host_logons |
List logons on host |
||
WindowsSecurity |
list_host_processes |
List processes on host |