Exposure Management Defender For Office 365
Query
//Exposure Management + Defender for Office 365
//https://www.linkedin.com/posts/activity-7178261918795649024-cah8/
//Custom DefenderXDR detection rule for critical identities marked by exposure management clicking on malicious email link. This would triggered the isolation of the user account and devices impacted to minimize lateral movement.
//KQL Detection Code:
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn)
| distinct AccountUPN;
AlertInfo
| where Title == "A potentially malicious URL click was detected"
| join AlertEvidence on AlertId
| join EmailEvents on NetworkMessageId
| where RecipientEmailAddress has_any (CriticalIdentities)
// MITRE ATT&CK Mapping
// Based on the analysis, the following MITRE ATT&CK techniques are relevant:
// T1071.001 - Application Layer Protocol: Web Protocols
// The detection of a potentially malicious URL click involves monitoring web protocols, which falls under this technique.
// T1566.002 - Phishing: Spearphishing Link
// The alert for a potentially malicious URL click is indicative of spearphishing attempts, where attackers use malicious links to compromise targets.
// T1078 - Valid Accounts
// The focus on critical identities and their email addresses suggests monitoring for the use of valid accounts, which is relevant to this technique.
// T1087.002 - Account Discovery: Domain Account
// The query’s identification of critical identities involves discovering domain accounts, aligning with this technique.Explanation
This query is designed to detect and respond to security threats involving critical user identities within an organization. Here's a simplified breakdown:
-
Purpose: The query aims to identify critical user accounts that have clicked on potentially malicious email links. This is part of a broader security strategy to protect against threats like phishing and unauthorized access.
-
Process:
- It first identifies "critical identities" from a dataset called
ExposureGraphNodes. These are user accounts marked as critical based on their risk level. - It then checks for alerts indicating that a potentially malicious URL was clicked, specifically focusing on emails sent to these critical identities.
- If such an event is detected, it suggests isolating the affected user accounts and devices to prevent further security breaches.
- It first identifies "critical identities" from a dataset called
-
Security Techniques:
- The query aligns with several MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
- T1071.001: Monitoring web protocols to detect malicious URL clicks.
- T1566.002: Identifying spearphishing attempts through malicious links.
- T1078: Monitoring the use of valid accounts, especially those deemed critical.
- T1087.002: Discovering domain accounts to identify critical identities.
- The query aligns with several MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
In summary, this query helps in early detection and containment of security threats by focusing on high-risk user accounts and their interactions with potentially harmful emails.
Details

Steven Lim
Released: August 5, 2024
Tables
ExposureGraphNodesAlertInfoAlertEvidenceEmailEvents
Keywords
ExposureManagementDefenderOfficeDevicesUserEmailAccountAlertIdentity
Operators
letset_has_elementwhereisnotnulland<extendtostringdistinct==joinonhas_any