Query Details

Exposure Management Defender For Office 365

Query

//Exposure Management + Defender for Office 365
//https://www.linkedin.com/posts/activity-7178261918795649024-cah8/

//Custom DefenderXDR detection rule for critical identities marked by exposure management clicking on malicious email link. This would triggered the isolation of the user account and devices impacted to minimize lateral movement.

//KQL Detection Code:

let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn)
| distinct AccountUPN;
AlertInfo
| where Title == "A potentially malicious URL click was detected"
| join AlertEvidence on AlertId
| join EmailEvents on NetworkMessageId
| where RecipientEmailAddress has_any (CriticalIdentities)

// MITRE ATT&CK Mapping

// Based on the analysis, the following MITRE ATT&CK techniques are relevant:

// T1071.001 - Application Layer Protocol: Web Protocols
// The detection of a potentially malicious URL click involves monitoring web protocols, which falls under this technique.
// T1566.002 - Phishing: Spearphishing Link
// The alert for a potentially malicious URL click is indicative of spearphishing attempts, where attackers use malicious links to compromise targets.
// T1078 - Valid Accounts
// The focus on critical identities and their email addresses suggests monitoring for the use of valid accounts, which is relevant to this technique.
// T1087.002 - Account Discovery: Domain Account
// The query’s identification of critical identities involves discovering domain accounts, aligning with this technique.

Explanation

This query is designed to detect and respond to security threats involving critical user identities within an organization. Here's a simplified breakdown:

  1. Purpose: The query aims to identify critical user accounts that have clicked on potentially malicious email links. This is part of a broader security strategy to protect against threats like phishing and unauthorized access.

  2. Process:

    • It first identifies "critical identities" from a dataset called ExposureGraphNodes. These are user accounts marked as critical based on their risk level.
    • It then checks for alerts indicating that a potentially malicious URL was clicked, specifically focusing on emails sent to these critical identities.
    • If such an event is detected, it suggests isolating the affected user accounts and devices to prevent further security breaches.
  3. Security Techniques:

    • The query aligns with several MITRE ATT&CK techniques, which are frameworks for understanding cyber threats:
      • T1071.001: Monitoring web protocols to detect malicious URL clicks.
      • T1566.002: Identifying spearphishing attempts through malicious links.
      • T1078: Monitoring the use of valid accounts, especially those deemed critical.
      • T1087.002: Discovering domain accounts to identify critical identities.

In summary, this query helps in early detection and containment of security threats by focusing on high-risk user accounts and their interactions with potentially harmful emails.

Details

Steven Lim profile picture

Steven Lim

Released: August 5, 2024

Tables

ExposureGraphNodesAlertInfoAlertEvidenceEmailEvents

Keywords

ExposureManagementDefenderOfficeDevicesUserEmailAccountAlertIdentity

Operators

letset_has_elementwhereisnotnulland<extendtostringdistinct==joinonhas_any

Actions

GitHub