Data Queries Reference
======================

Queries for Microsoft Sentinel
------------------------------

Data Environment identifier: MSSentinel

.. csv-table::
   :header: QueryGroup | Query | Description | Req-Params | Table
   :delim: |

   Azure | get_vmcomputer_for_host | Returns most recent VMComputer record for Host | end (datetime), host_name (str), start (datetime) | VMComputer
   Azure | get_vmcomputer_for_ip | Returns most recent VMComputer record for IPAddress | end (datetime), ip_address (str), start (datetime) | VMComputer
   Azure | list_aad_signins_for_account | Returns Azure AD Signins for Account | end (datetime), start (datetime) | SigninLogs
   Azure | list_aad_signins_for_ip | Returns Azure AD Signins for an IP Address | end (datetime), ip_address_list (list), start (datetime) | SigninLogs
   Azure | list_all_signins_geo | Gets Signin data used by morph charts | end (datetime), start (datetime) | SigninLogs
   Azure | list_azure_activity_for_account | Returns Azure Activity for Account | account_name (str), end (datetime), start (datetime) | AzureActivity
   Azure | list_azure_activity_for_ip | Returns Azure Activity for Caller IP Address(es) | end (datetime), ip_address_list (list), start (datetime) | AzureActivity
   Azure | list_azure_activity_for_resource | Returns Azure Activity for an Azure Resource ID | end (datetime), resource_id (str), start (datetime) | AzureActivity
   Azure | list_storage_ops_for_hash | Returns Azure Storage Operations for an MD5 file hash | end (datetime), file_hash (str), start (datetime) | StorageFileLogs
   Azure | list_storage_ops_for_ip | Returns Storage Operations for an IP Address | end (datetime), ip_address (str), start (datetime) | StorageFileLogs
   AzureNetwork | all_network_connections_csl | Returns all network connections for a time range (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   AzureNetwork | az_net_analytics | Returns all Azure Network Flow (NSG) Data for a given host | end (datetime), start (datetime) | AzureNetworkAnalytics_CL
   AzureNetwork | dns_lookups_for_domain | Returns DNS query events for a specified domain | domain (str), end (datetime), start (datetime) | DnsEvents
   AzureNetwork | dns_lookups_for_ip | Returns DNS query events that contain a resolved IP address | end (datetime), ip_address (str), start (datetime) | DnsEvents
   AzureNetwork | dns_lookups_from_ip | Returns DNS queries originating from a specified IP address | end (datetime), ip_address (str), start (datetime) | DnsEvents
   AzureNetwork | get_heartbeat_for_host | Returns latest OMS Heartbeat event for host. | end (datetime), host_name (str), start (datetime) | Heartbeat
   AzureNetwork | get_heartbeat_for_ip | Returns latest OMS Heartbeat event for IP address. | end (datetime), ip_address (str), start (datetime) | Heartbeat
   AzureNetwork | get_host_for_ip | Returns the most recent Azure NSG Interface event for an IP Address. | end (datetime), ip_address (str), start (datetime) | AzureNetworkAnalytics_CL
   AzureNetwork | get_ips_for_host | Returns the most recent Azure Network NSG Interface event for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL
   AzureNetwork | host_network_connections_csl | Returns network connections to and from a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   AzureNetwork | hosts_by_ip_csl | Returns hosts associated with IP addresses (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   AzureNetwork | ip_network_connections_csl | Returns network connections to and from an IP address (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   AzureNetwork | ips_by_host_csl | Returns all IP addresses associated with a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   AzureNetwork | list_azure_network_flows_by_host | Returns Azure NSG flow events for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL
   AzureNetwork | list_azure_network_flows_by_ip | Returns Azure NSG flow events for an IP Address. | end (datetime), ip_address_list (list), start (datetime) | AzureNetworkAnalytics_CL
   AzureNetwork | network_connections_to_url | Returns connections to a URL or domain (CommonSecurityLog) | end (datetime), start (datetime), url (str) | CommonSecurityLog
   AzureSentinel | get_bookmark_by_id | Returns a single Bookmark by BookmarkId | bookmark_id (str), end (datetime), start (datetime) | HuntingBookmark
   AzureSentinel | get_bookmark_by_name | Retrieves one or more Bookmarks by Bookmark Name | bookmark_name (str), end (datetime), start (datetime) | HuntingBookmark
   AzureSentinel | get_dynamic_summary_by_id | Returns a Dynamic Summary by SummaryId | end (datetime), start (datetime), summary_id (str) | DynamicSummary
   AzureSentinel | get_dynamic_summary_by_name | Returns a Dynamic Summary by Name | end (datetime), start (datetime), summary_name (str) | DynamicSummary
   AzureSentinel | list_bookmarks | Retrieves list of bookmarks for a time range | end (datetime), start (datetime) | HuntingBookmark
   AzureSentinel | list_bookmarks_for_entity | Retrieves bookmarks for a host, account, IP address, domain, URL or other entity identifier | end (datetime), start (datetime) | HuntingBookmark
   AzureSentinel | list_bookmarks_for_tags | Returns Bookmarks by one or more Tags | bookmark_tags (list), end (datetime), start (datetime) | HuntingBookmark
   AzureSentinel | list_dynamic_summaries | Returns all Dynamic Summaries by time range | end (datetime), start (datetime) | DynamicSummary
   Heartbeat | get_heartbeat_for_host | Returns latest OMS Heartbeat event for host. | end (datetime), host_name (str), start (datetime) | Heartbeat
   Heartbeat | get_heartbeat_for_ip | Returns latest OMS Heartbeat event for IP address. | end (datetime), ip_address (str), start (datetime) | Heartbeat
   Heartbeat | get_info_by_hostname | Deprecated - use 'get_heartbeat_for_host' | end (datetime), host_name (str), start (datetime) | Heartbeat
   Heartbeat | get_info_by_ipaddress | Deprecated - use 'get_heartbeat_for_ip' | end (datetime), ip_address (str), start (datetime) | Heartbeat
   IdentityOnPrem | logons_for_account | Return all Active Directory on-premises user logons for user name | account_name (str), end (datetime), start (datetime) | IdentityLogonEvents
   IdentityOnPrem | logons_for_host | Return all Active Directory on-premises user logons for host/device name | end (datetime), host_name (str), start (datetime) | IdentityLogonEvents
   IdentityOnPrem | logons_for_ip | Return all Active Directory on-premises user logons for IP address | end (datetime), ip_address (str), start (datetime) | IdentityLogonEvents
   LinuxAudit | auditd_all | Extract all audit messages grouped by mssg_id | end (datetime), start (datetime) | AuditLog_CL
   LinuxSyslog | all_syslog | Returns all syslog activity for a host | end (datetime), start (datetime) | Syslog
   LinuxSyslog | cron_activity | Returns all cron activity for a host | end (datetime), start (datetime) | Syslog
   LinuxSyslog | list_account_logon_failures | All failed user logon events for account name | account_name (str), end (datetime), start (datetime) | Syslog
   LinuxSyslog | list_host_logon_failures | Failed user logon events on a host | end (datetime), host_name (str), start (datetime) | Syslog
   LinuxSyslog | list_ip_logon_failures | Failed user logon events from an IP address | end (datetime), ip_address (str), start (datetime) | Syslog
   LinuxSyslog | list_logon_failures | All failed user logon events on any host | end (datetime), start (datetime) | Syslog
   LinuxSyslog | list_logons_for_account | Successful user logon events for account name (all hosts) | account_name (str), end (datetime), start (datetime) | Syslog
   LinuxSyslog | list_logons_for_host | All logon events on a host | end (datetime), host_name (str), start (datetime) | Syslog
   LinuxSyslog | list_logons_for_source_ip | Successful user logon events for source IP (all hosts) | end (datetime), ip_address (str), start (datetime) | Syslog
   LinuxSyslog | notable_events | Returns all 'alert' and 'crit' syslog activity for a host | end (datetime), start (datetime) | Syslog
   LinuxSyslog | squid_activity | Returns all squid proxy activity for a host | end (datetime), host_name (str), start (datetime) | Syslog
   LinuxSyslog | sudo_activity | Returns all sudo activity for a host and account name | end (datetime), start (datetime) | Syslog
   LinuxSyslog | summarize_events | Returns summarized syslog activity for a host | end (datetime), start (datetime) | Syslog
   LinuxSyslog | sysmon_process_events | Sysmon Process Events on host | end (datetime), host_name (str), start (datetime) | -
   LinuxSyslog | user_group_activity | Returns all user/group additions, deletions, and modifications for a host | end (datetime), start (datetime) | Syslog
   LinuxSyslog | user_logon | User logon events on a host | end (datetime), host_name (str), start (datetime) | Syslog
   M365D | application_alerts | Lists alerts associated with a cloud app or OAuth app | app_name (str), end (datetime), start (datetime) | AlertInfo
   M365D | host_alerts | Lists alerts associated with host/device name | end (datetime), host_name (str), start (datetime) | AlertInfo
   M365D | host_connections | Returns connections by a specified hostname | end (datetime), host_name (str), start (datetime) | DeviceNetworkEvents
   M365D | ip_alerts | Lists alerts associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | AlertInfo
   M365D | ip_connections | Returns network connections associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | DeviceNetworkEvents
   M365D | list_alerts | Retrieves list of alerts | end (datetime), start (datetime) | AlertInfo
   M365D | list_alerts_with_evidence | Retrieves list of alerts with their evidence | end (datetime), start (datetime) | AlertInfo
   M365D | list_connections | Retrieves list of all network connections | end (datetime), start (datetime) | DeviceNetworkEvents
   M365D | list_file_events_for_filename | Lists all file events by filename | end (datetime), file_name (str), start (datetime) | DeviceFileEvents
   M365D | list_file_events_for_hash | Lists all file events by hash | end (datetime), file_hash (str), start (datetime) | DeviceFileEvents
   M365D | list_file_events_for_host | Lists all file events for a host/device | end (datetime), start (datetime) | DeviceFileEvents
   M365D | list_file_events_for_path | Lists all file events from files in a certain path | end (datetime), path (str), start (datetime) | DeviceFileEvents
   M365D | list_host_processes | Return all process creations for a host for the specified time range | end (datetime), host_name (str), start (datetime) | DeviceProcessEvents
   M365D | mail_message_alerts | Lists alerts associated with a specified mail message | end (datetime), message_id (str), start (datetime) | AlertInfo
   M365D | mailbox_alerts | Lists alerts associated with a specified mailbox | end (datetime), mailbox (str), start (datetime) | AlertInfo
   M365D | process_alerts | Lists alerts associated with a specified process | end (datetime), file_name (str), start (datetime) | AlertInfo
   M365D | process_cmd_line | Lists all processes with a command line containing a list of strings (all hosts) | cmd_line (list), end (datetime), start (datetime) | DeviceProcessEvents
   M365D | process_creations | Return all processes with matching name or hash (all hosts) | end (datetime), process_identifier (str), start (datetime) | DeviceProcessEvents
   M365D | process_paths | Return all processes with a matching path (partial path) (all hosts) | end (datetime), file_path (str), start (datetime) | DeviceProcessEvents
   M365D | protocol_connections | Returns connections associated with a specified protocol (port number) | end (datetime), protocol (str), start (datetime) | DeviceNetworkEvents
   M365D | registry_key_alerts | Lists alerts associated with a specified registry key | end (datetime), key_name (str), start (datetime) | AlertInfo
   M365D | sha1_alerts | Lists alerts associated with a specified SHA1 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo
   M365D | sha256_alerts | Lists alerts associated with a specified SHA256 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo
   M365D | url_alerts | Lists alerts associated with a specified URL | end (datetime), start (datetime), url (str) | AlertInfo
   M365D | url_connections | Returns connections associated with a specified URL | end (datetime), start (datetime), url (str) | DeviceNetworkEvents
   M365D | user_alerts | Lists alerts associated with a specified user | account_name (str), end (datetime), start (datetime) | AlertInfo
   M365D | user_files | Return all files created by a user | account_name (str), end (datetime), start (datetime) | -
   M365D | user_logons | Return all user logons for user name | account_name (str), end (datetime), start (datetime) | -
   M365D | user_network | Return all network connections associated with a user | account_name (str), end (datetime), start (datetime) | -
   M365D | user_processes | Return all processes created by a user | account_name (str), end (datetime), start (datetime) | -
   M365DHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | | -
   M365DHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | | -
   M365DHunting | b64_pe | Finding base64 encoded PE file headers seen in the command line parameters | | -
   M365DHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | | -
   M365DHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | | -
   M365DHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | | -
   M365DHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in CVE-2018-4878 | | -
   M365DHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | | -
   M365DHunting | dropbox_link | Looks for user content downloads from Dropbox that originate from a link/redirect from a 3rd party site. | | -
   M365DHunting | email_link | Look for links opened from mail apps, if a detection occurred right afterwards | | -
   M365DHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | | -
   M365DHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | | -
   M365DHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | | -
   M365DHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | | -
   M365DHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | | -
   M365DHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nonetheless. | | -
   M365DHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | | -
   M365DHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | | -
   M365DHunting | uncommon_powershell | Find which uncommon PowerShell Cmdlets were executed on that machine in a certain time period. | host_name (str), timestamp (str) | -
   M365DHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | | -
   MDEHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | | -
   MDEHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | | -
   MDEHunting | b64_pe | Finding base64 encoded PE file headers seen in the command line parameters | | -
   MDEHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | | -
   MDEHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | | -
   MDEHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | | -
   MDEHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in CVE-2018-4878 | | -
   MDEHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | | -
   MDEHunting | dropbox_link | Looks for user content downloads from Dropbox that originate from a link/redirect from a 3rd party site. | | -
   MDEHunting | email_link | Look for links opened from mail apps, if a detection occurred right afterwards | | -
   MDEHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | | -
   MDEHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | | -
   MDEHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | | -
   MDEHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | | -
   MDEHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | | -
   MDEHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nonetheless. | | -
   MDEHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | | -
   MDEHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | | -
   MDEHunting | uncommon_powershell | Find which uncommon PowerShell Cmdlets were executed on that machine in a certain time period. | host_name (str), timestamp (str) | -
   MDEHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | | -
   MSSentinel | get_bookmark_by_id | Returns a single Bookmark by BookmarkId | bookmark_id (str), end (datetime), start (datetime) | HuntingBookmark
   MSSentinel | get_bookmark_by_name | Retrieves one or more Bookmarks by Bookmark Name | bookmark_name (str), end (datetime), start (datetime) | HuntingBookmark
   MSSentinel | get_dynamic_summary_by_id | Returns a Dynamic Summary by SummaryId | end (datetime), start (datetime), summary_id (str) | DynamicSummary
   MSSentinel | get_dynamic_summary_by_name | Returns a Dynamic Summary by Name | end (datetime), start (datetime), summary_name (str) | DynamicSummary
   MSSentinel | list_bookmarks | Retrieves list of bookmarks for a time range | end (datetime), start (datetime) | HuntingBookmark
   MSSentinel | list_bookmarks_for_entity | Retrieves bookmarks for a host, account, IP address, domain, URL or other entity identifier | end (datetime), start (datetime) | HuntingBookmark
   MSSentinel | list_bookmarks_for_tags | Returns Bookmarks by one or more Tags | bookmark_tags (list), end (datetime), start (datetime) | HuntingBookmark
   MSSentinel | list_dynamic_summaries | Returns all Dynamic Summaries by time range | end (datetime), start (datetime) | DynamicSummary
   MultiDataSource | get_timeseries_anomalies | Time Series filtered anomalies using native KQL analysis (series_decompose_anomalies) | end (datetime), start (datetime), table (str) | na
   MultiDataSource | get_timeseries_data | Generic query to return TimeSeriesData for use with native KQL time series functions | end (datetime), start (datetime), table (str) | na
   MultiDataSource | get_timeseries_decompose | Generic Time Series decomposition using native KQL analysis (series_decompose) | end (datetime), start (datetime), table (str) | na
   MultiDataSource | plot_timeseries_datawithbaseline | Plot of Time Series data using native KQL analysis and plot rendering (KQLMagic only) | end (datetime), start (datetime), table (str) | na
   MultiDataSource | plot_timeseries_scoreanomolies | Plot Time Series anomaly score using native KQL render (KQLMagic only) | end (datetime), start (datetime), table (str) | na
   Network | all_network_connections_csl | Returns all network connections for a time range (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   Network | get_heartbeat_for_host | Returns latest OMS Heartbeat event for host. | end (datetime), host_name (str), start (datetime) | Heartbeat
   Network | get_heartbeat_for_ip | Returns latest OMS Heartbeat event for IP address. | end (datetime), ip_address (str), start (datetime) | Heartbeat
   Network | get_host_for_ip | Returns the most recent Azure NSG Interface event for an IP Address. | end (datetime), ip_address (str), start (datetime) | AzureNetworkAnalytics_CL
   Network | get_ips_for_host | Returns the most recent Azure Network NSG Interface event for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL
   Network | host_network_connections_csl | Returns network connections to and from a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   Network | hosts_by_ip_csl | Returns hosts associated with IP addresses (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   Network | ip_network_connections_csl | Returns network connections to and from an IP address (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   Network | ips_by_host_csl | Returns all IP addresses associated with a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog
   Network | list_azure_network_flows_by_host | Returns Azure NSG flow events for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL
   Network | list_azure_network_flows_by_ip | Returns Azure NSG flow events for an IP Address. | end (datetime), ip_address_list (list), start (datetime) | AzureNetworkAnalytics_CL
   Network | network_connections_to_url | Returns connections to a URL or domain (CommonSecurityLog) | end (datetime), start (datetime), url (str) | CommonSecurityLog
   Office365 | list_activity_for_account | Lists Office/O365 Activity for Account | account_name (str), end (datetime), start (datetime) | OfficeActivity
   Office365 | list_activity_for_ip | Lists Office/O365 Activity for Caller IP Address(es) | end (datetime), ip_address_list (list), start (datetime) | OfficeActivity
   Office365 | list_activity_for_resource | Lists Office/O365 Activity for a Resource (OfficeObjectId) | end (datetime), resource_id (str), start (datetime) | OfficeActivity
   SecurityAlert | get_alert | Retrieves a single alert by SystemAlertId | system_alert_id (str) | SecurityAlert
   SecurityAlert | list_alerts | Returns security alerts for a given time range | end (datetime), start (datetime) | SecurityAlert
   SecurityAlert | list_alerts_counts | Returns summary count of alerts by type | end (datetime), start (datetime) | SecurityAlert
   SecurityAlert | list_alerts_for_ip | Returns alerts with the specified IP Address or addresses. | end (datetime), source_ip_list (str), start (datetime) | SecurityAlert
   SecurityAlert | list_related_alerts | Returns alerts with a host, account or process entity | end (datetime), start (datetime) | SecurityAlert
   ThreatIntelligence | list_indicators | Returns list of all current indicators. | end (datetime), start (datetime) | ThreatIntelligenceIndicator
   ThreatIntelligence | list_indicators_by_domain | Returns list of indicators by domain | domain_list (list), end (datetime), start (datetime) | ThreatIntelligenceIndicator
   ThreatIntelligence | list_indicators_by_email | Returns list of indicators by email address | end (datetime), observables (list), start (datetime) | ThreatIntelligenceIndicator
   ThreatIntelligence | list_indicators_by_filepath | Returns list of indicators by file path | end (datetime), observables (list), start (datetime) | ThreatIntelligenceIndicator
   ThreatIntelligence | list_indicators_by_hash | Returns list of indicators by file hash | end (datetime), file_hash_list (list), start (datetime) | ThreatIntelligenceIndicator
   ThreatIntelligence | list_indicators_by_ip | Returns list of indicators by IP Address | end (datetime), ip_address_list (list), start (datetime) | ThreatIntelligenceIndicator
   ThreatIntelligence | list_indicators_by_url | Returns list of indicators by URL | end (datetime), start (datetime), url_list (list) | ThreatIntelligenceIndicator
   WindowsSecurity | account_change_events | Returns events related to account changes | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | get_host_logon | Returns the logon event for the logon session id on a host | end (datetime), host_name (str), logon_session_id (str), start (datetime) | SecurityEvent
   WindowsSecurity | get_parent_process | Returns the parent process of a process (process id, session id and host name) | end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | get_process_tree | Returns the process tree for process id, session id and host name. | end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_all_logons_by_host | Returns all failed or successful logons on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_events | Retrieves list of all events | end (datetime), start (datetime) | SecurityEvent
   WindowsSecurity | list_events_by_id | Returns list of events on a host by EventID | end (datetime), event_list (list), start (datetime) | SecurityEvent
   WindowsSecurity | list_host_events | Returns list of all events on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_host_events_by_id | Returns list of specified event IDs on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_host_logon_failures | Returns the logon failure events on a host for time range | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_host_logons | Returns the logon events on a host for time range | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_host_processes | Returns list of processes on a host for a time range | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_hosts_matching_commandline | Returns processes on hosts with matching command line | commandline (str), end (datetime), process_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_logon_attempts_by_account | Retrieves all logon events for an account (all hosts) | account_name (str), end (datetime), start (datetime) | SecurityEvent
   WindowsSecurity | list_logon_attempts_by_ip | Returns the logon events for an IP Address (all hosts) | end (datetime), ip_address (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_logon_failures_by_account | Returns the logon failure events for an account (all hosts) | account_name (str), end (datetime), start (datetime) | SecurityEvent
   WindowsSecurity | list_logons_by_account | Returns the logon success events for an account (all hosts) | account_name (str), end (datetime), start (datetime) | SecurityEvent
   WindowsSecurity | list_matching_processes | Returns list of processes matching process name (all hosts) | end (datetime), process_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_other_events | Returns list of events other than logon and process on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | list_processes_in_session | Returns all processes on the host for a logon session | end (datetime), host_name (str), logon_session_id (str), start (datetime) | SecurityEvent
   WindowsSecurity | notable_events | Return other significant Windows events not returned in other queries | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | schdld_tasks_and_services | Returns scheduled tasks and services events (4698, 4700, 4697, 4702) | end (datetime), host_name (str), start (datetime) | SecurityEvent
   WindowsSecurity | summarize_events | Summarize the events on a host by event type | end (datetime), host_name (str), start (datetime) | SecurityEvent

Queries for Microsoft 365 Defender
----------------------------------

Data Environment identifier: M365D

.. csv-table::
   :header: QueryGroup | Query | Description | Req-Params | Table
   :delim: |

   IdentityOnPrem | logons_for_account | Return all Active Directory on-premises user logons for user name | account_name (str), end (datetime), start (datetime) | IdentityLogonEvents
   IdentityOnPrem | logons_for_host | Return all Active Directory on-premises user logons for host/device name | end (datetime), host_name (str), start (datetime) | IdentityLogonEvents
   IdentityOnPrem | logons_for_ip | Return all Active Directory on-premises user logons for IP address | end (datetime), ip_address (str), start (datetime) | IdentityLogonEvents
   M365D | application_alerts | Lists alerts associated with a cloud app or OAuth app | app_name (str), end (datetime), start (datetime) | AlertInfo
   M365D | host_alerts | Lists alerts associated with host/device name | end (datetime), host_name (str), start (datetime) | AlertInfo
   M365D | host_connections | Returns connections by a specified hostname | end (datetime), host_name (str), start (datetime) | DeviceNetworkEvents
   M365D | ip_alerts | Lists alerts associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | AlertInfo
   M365D | ip_connections | Returns network connections associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | DeviceNetworkEvents
   M365D | list_alerts | Retrieves list of alerts | end (datetime), start (datetime) | AlertInfo
   M365D | list_alerts_with_evidence | Retrieves list of alerts with their evidence | end (datetime), start (datetime) | AlertInfo
   M365D | list_connections | Retrieves list of all network connections | end (datetime), start (datetime) | DeviceNetworkEvents
   M365D | list_file_events_for_filename | Lists all file events by filename | end (datetime), file_name (str), start (datetime) | DeviceFileEvents
   M365D | list_file_events_for_hash | Lists all file events by hash | end (datetime), file_hash (str), start (datetime) | DeviceFileEvents
   M365D | list_file_events_for_host | Lists all file events for a host/device | end (datetime), start (datetime) | DeviceFileEvents
   M365D | list_file_events_for_path | Lists all file events from files in a certain path | end (datetime), path (str), start (datetime) | DeviceFileEvents
   M365D | list_host_processes | Return all process creations for a host for the specified time range | end (datetime), host_name (str), start (datetime) | DeviceProcessEvents
   M365D | mail_message_alerts | Lists alerts associated with a specified mail message | end (datetime), message_id (str), start (datetime) | AlertInfo
   M365D | mailbox_alerts | Lists alerts associated with a specified mailbox | end (datetime), mailbox (str), start (datetime) | AlertInfo
   M365D | process_alerts | Lists alerts associated with a specified process | end (datetime), file_name (str), start (datetime) | AlertInfo
   M365D | process_cmd_line | Lists all processes with a command line containing a list of strings (all hosts) | cmd_line (list), end (datetime), start (datetime) | DeviceProcessEvents
   M365D | process_creations | Return all processes with matching name or hash (all hosts) | end (datetime), process_identifier (str), start (datetime) | DeviceProcessEvents
   M365D | process_paths | Return all processes with a matching path (partial path) (all hosts) | end (datetime), file_path (str), start (datetime) | DeviceProcessEvents
   M365D | protocol_connections | Returns connections associated with a specified protocol (port number) | end (datetime), protocol (str), start (datetime) | DeviceNetworkEvents
   M365D | registry_key_alerts | Lists alerts associated with a specified registry key | end (datetime), key_name (str), start (datetime) | AlertInfo
   M365D | sha1_alerts | Lists alerts associated with a specified SHA1 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo
   M365D | sha256_alerts | Lists alerts associated with a specified SHA256 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo
   M365D | url_alerts | Lists alerts associated with a specified URL | end (datetime), start (datetime), url (str) | AlertInfo
   M365D | url_connections | Returns connections associated with a specified URL | end (datetime), start (datetime), url (str) | DeviceNetworkEvents
   M365D | user_alerts | Lists alerts associated with a specified user | account_name (str), end (datetime), start (datetime) | AlertInfo
   M365D | user_files | Return all files created by a user | account_name (str), end (datetime), start (datetime) | -
   M365D | user_logons | Return all user logons for user name | account_name (str), end (datetime), start (datetime) | -
   M365D | user_network | Return all network connections associated with a user | account_name (str), end (datetime), start (datetime) | -
   M365D | user_processes | Return all processes created by a user | account_name (str), end (datetime), start (datetime) | -
   M365DHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | | -
   M365DHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | | -
   M365DHunting | b64_pe | Finding base64 encoded PE file headers seen in the command line parameters | | -
   M365DHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | | -
   M365DHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | | -
   M365DHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | | -
   M365DHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in CVE-2018-4878 | | -
   M365DHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | | -
   M365DHunting | dropbox_link | Looks for user content downloads from Dropbox that originate from a link/redirect from a 3rd party site. | | -
   M365DHunting | email_link | Look for links opened from mail apps, if a detection occurred right afterwards | | -
   M365DHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | | -
   M365DHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | | -
   M365DHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | | -
   M365DHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | | -
   M365DHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | | -
   M365DHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nonetheless. | | -
   M365DHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | | -
   M365DHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | | -
   M365DHunting | uncommon_powershell | Find which uncommon PowerShell Cmdlets were executed on that machine in a certain time period. | host_name (str), timestamp (str) | -
   M365DHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | | -
   MDEHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | | -
   MDEHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | | -
   MDEHunting | b64_pe | Finding base64 encoded PE file headers seen in the command line parameters | | -
   MDEHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | | -
- MDEHunting cve_2018_1000006l Looks for CVE-2018-1000006 exploitation - MDEHunting cve_2018_1111 Looks for CVE-2018-1111 exploitation - MDEHunting cve_2018_4878 This query checks for specific processes and domain TLD used in the CVE-2018-4878 - MDEHunting doc_with_link Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. - MDEHunting dropbox_link Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. - MDEHunting email_link Look for links opened from mail apps – if a detection occurred right afterwards - MDEHunting email_smartscreen Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning - MDEHunting malware_recycle Finding attackers hiding malware in the recycle bin. - MDEHunting network_scans Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process - MDEHunting powershell_downloads Finds PowerShell execution events that could involve a download. - MDEHunting service_account_powershell Service Accounts Performing Remote PowerShell - MDEHunting smartscreen_ignored Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. - MDEHunting smb_discovery Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. - MDEHunting tor Looks for Tor client, or for a common Tor plugin called Meek. - MDEHunting uncommon_powershell Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. 
host_name (str), timestamp (str) - MDEHunting user_enumeration The query finds attempts to list users or groups using Net commands - ============== ============================= ================================================================================================================================== ========================================================== =================== Queries for Microsoft Graph --------------------------- Data Environment identifier: SecurityGraph ================== ==================== ==================================================== ================================================== ======= QueryGroup Query Description Req-Params Table ================== ==================== ==================================================== ================================================== ======= SecurityGraphAlert get_alert Retrieves a single alert by AlertId alert_id (str) - SecurityGraphAlert list_alerts Retrieves list of alerts end (datetime), start (datetime) - SecurityGraphAlert list_alerts_for_file Retrieves list of alerts for file name, path or hash end (datetime), start (datetime) - SecurityGraphAlert list_alerts_for_host Retrieves list of alerts for a hostname or FQDN end (datetime), host_name (str), start (datetime) - SecurityGraphAlert list_alerts_for_ip Retrieves list of alerts for a IP Address end (datetime), ip_address (str), start (datetime) - SecurityGraphAlert list_alerts_for_user Retrieves list of alerts for a user account end (datetime), start (datetime) - SecurityGraphAlert list_related_alerts Retrieves list of alerts with a common entity end (datetime), start (datetime) - ================== ==================== ==================================================== ================================================== ======= Queries for Splunk ------------------ Data Environment identifier: Splunk ============== ========================= ============================================================= 
==================================================== ======= QueryGroup Query Description Req-Params Table ============== ========================= ============================================================= ==================================================== ======= Alerts list_alerts Retrieves list of alerts end (datetime), start (datetime) - Alerts list_alerts_for_dest_ip Retrieves list of alerts with a common destination IP Address end (datetime), ip_address (str), start (datetime) - Alerts list_alerts_for_src_ip Retrieves list of alerts with a common source IP Address end (datetime), ip_address (str), start (datetime) - Alerts list_alerts_for_user Retrieves list of alerts with a common username end (datetime), start (datetime), user (str) - Alerts list_all_alerts Retrieves all configured alerts end (datetime), start (datetime) - Authentication list_logon_failures All failed user logon events on any host end (datetime), start (datetime) - Authentication list_logons_for_account All successful user logon events for account (all hosts) account_name (str), end (datetime), start (datetime) - Authentication list_logons_for_host All logon events on a host end (datetime), host_name (str), start (datetime) - Authentication list_logons_for_source_ip All successful user logon events for source IP (all hosts) end (datetime), ip_address (str), start (datetime) - SplunkGeneral get_events_parameterized Generic parameterized query from index/source end (datetime), start (datetime) - SplunkGeneral list_all_datatypes Summary of all events by index and sourcetype end (datetime), start (datetime) - SplunkGeneral list_all_savedsearches Retrieves all saved searches end (datetime), start (datetime) - audittrail list_all_audittrail Retrieves all audit trail logs end (datetime), start (datetime) - ============== ========================= ============================================================= ==================================================== ======= Queries for Azure 
Resource Graph -------------------------------- Data Environment identifier: ResourceGraph ============= ======================================= ================================================================================================================== ==================== ========= QueryGroup Query Description Req-Params Table ============= ======================================= ================================================================================================================== ==================== ========= ResourceGraph list_detailed_virtual_machines Retrieves list of VMs with network details resources ResourceGraph list_public_ips Retrieves list of resources with public IP addresses resources ResourceGraph list_resources Retrieves list of resources resources ResourceGraph list_resources_by_api_version Retrieves list of resources for each API version resources ResourceGraph list_resources_by_type Retrieves list of resources by type resource_type (str) resources ResourceGraph list_virtual_machines Retrieves list of VM resources resources Sentinel get_sentinel_workspace_for_resource_id Retrieves Sentinel/Azure monitor workspace details by resource ID resource_id (str) resources Sentinel get_sentinel_workspace_for_workspace_id Retrieves Sentinel/Azure monitor workspace details by workspace ID workspace_id (str) resources Sentinel list_sentinel_workspaces_for_name Retrieves Sentinel/Azure monitor workspace(s) details by name and optionally resource group and/or subscription_id workspace_name (str) resources ============= ======================================= ================================================================================================================== ==================== ========= Queries for Sumologic --------------------- Data Environment identifier: Sumologic ================ ================== ======================================= ================================ ======= QueryGroup Query Description Req-Params Table 
================ ================== ======================================= ================================ ======= SumologicGeneral list_all_datatypes Summary of all events by sourceCategory end (datetime), start (datetime) - ================ ================== ======================================= ================================ ======= Queries for Local Data ---------------------- Data Environment identifier: LocalData =============== ================================ ====================================== ============ ======= QueryGroup Query Description Req-Params Table =============== ================================ ====================================== ============ ======= Azure list_all_signins_geo List all Azure AD logon events - Network list_azure_network_flows_by_host List Azure Network flows by host name - Network list_azure_network_flows_by_ip List Azure Network flows by IP address - SecurityAlert list_alerts Retrieves list of alerts - WindowsSecurity get_process_tree Get process tree for a process - WindowsSecurity list_host_events List events failures on host - WindowsSecurity list_host_logon_failures List logon failures on host - WindowsSecurity list_host_logons List logons on host - WindowsSecurity list_host_processes List processes on host - =============== ================================ ====================================== ============ =======