Defender XDR Advanced Hunting All In One UPN Search
Query
// DefenderXDR Advanced Hunting All-In-One UPN Search
// https://www.linkedin.com/pulse/defenderxdr-advanced-hunting-all-in-one-upn-search-steven-lim-zdlic/
// This KQL query searches across these DefenderXDR log tables for the UPN variable that is defined at the start:
// AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes
let upn = "[email protected]"; // Enter Your Search UPN
search in (AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta,
IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents,
DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents,
DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents,
EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes)
Timestamp between (ago(1d) .. now())
and (
// AlertEvidence BehaviorEntities BehaviorInfo DeviceProcessEvents
// AADSignInEventsBeta IdentityInfo IdentityLogonEvents UrlClickEvents
AccountUpn == upn
// DeviceEvents DeviceFileEvents DeviceImageLoadEvents DeviceLogonEvents
// DeviceNetworkEvents DeviceProcessEvents DeviceRegistryEvents
or InitiatingProcessAccountUpn == upn
// CloudAppEvents
or tostring(RawEventData.UserId) == upn
// EmailAttachmentInfo EmailEvents EmailPostDeliveryEvents
or SenderFromAddress == upn
or RecipientEmailAddress == upn
// CloudAuditEvents
or RawEventData contains upn
//ExposureGraphNodes
or NodeProperties.rawData contains upn
)
// MITRE ATT&CK Mapping
// The query can be associated with several MITRE ATT&CK techniques based on the data sources and fields being queried:
// Credential Access:
// T1078: Valid Accounts - Searching for AccountUpn and InitiatingProcessAccountUpn can help detect unauthorized use of valid accounts.
// Initial Access:
// T1071: Application Layer Protocol - UrlClickEvents and EmailEvents can be used to detect phishing attempts or malicious links.
// Execution:
// T1059: Command and Scripting Interpreter - DeviceProcessEvents can help detect suspicious script execution.
// Persistence:
// T1078: Valid Accounts - Repeated logon events (DeviceLogonEvents) can indicate persistence mechanisms.
// Privilege Escalation:
// T1055: Process Injection - DeviceProcessEvents can be used to detect process injection techniques.
// Defense Evasion:
// T1070: Indicator Removal on Host - DeviceRegistryEvents can help detect attempts to modify registry keys to evade detection.
// Discovery:
// T1083: File and Directory Discovery - DeviceFileEvents can be used to detect file and directory discovery activities.
// Lateral Movement:
// T1021: Remote Services - DeviceNetworkEvents can help detect lateral movement through remote services.
// Collection:
// T1114: Email Collection - EmailEvents and EmailAttachmentInfo can be used to detect email collection activities.
// Exfiltration:
// T1041: Exfiltration Over C2 Channel - CloudAppEvents can help detect data exfiltration over cloud applications.
// Impact:
// T1486: Data Encrypted for Impact - DeviceFileEvents can help detect ransomware activities.Explanation
This KQL query is designed to search for a specific User Principal Name (UPN), "[email protected]", across various DefenderXDR log tables. The query looks for any activity related to this UPN within the past day. It checks multiple fields across different tables to find matches, such as account UPNs, email addresses, and raw event data.
The query is associated with various MITRE ATT&CK techniques, indicating its potential use in detecting different types of cybersecurity threats, such as unauthorized account use, phishing attempts, script execution, persistence mechanisms, process injection, registry modifications, file discovery, lateral movement, email collection, data exfiltration, and ransomware activities.
In simple terms, this query helps identify and analyze security-related activities involving a specific user across multiple data sources, providing insights into potential security incidents or threats.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators