DefenderXDR Advanced Hunting All-In-One UPN Search
This KQL query searches across the following DefenderXDR log tables for the UPN assigned to a variable at the start of the query:
AlertEvidence, BehaviorEntities, BehaviorInfo, AADSignInEventsBeta, IdentityInfo, IdentityLogonEvents, UrlClickEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, CloudAppEvents, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, CloudAuditEvents, ExposureGraphNodes
You can replace ago(1d) and now() with precise datetime values, for example datetime(2024-03-31 23:59:59.9), if you already know the time frame to search.
You can click here to load the KQL query directly into your DefenderXDR Advanced Hunting. Enjoy! 🎉
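A minimal query in the same shape, added here as an illustration and not the query linked in the post: the UPN and time bounds are constructed sample values, the table list is a subset of the one above, and the match uses where * has, which checks every column of every table instead of the account column specific to each one.

```kql
// Added illustration, not the query linked in the post. The UPN and the
// time bounds are constructed sample values; replace them before running.
let UPN = "jane.doe@contoso.com";   // constructed sample UPN to hunt for
let StartTime = ago(1d);            // swap for datetime(2024-03-31 00:00:00) when the window is known
let EndTime = now();                // swap for datetime(2024-03-31 23:59:59.9)
// isfuzzy=true keeps the query running even if one of the tables is not
// available in the tenant; withsource records which table each hit came from
union withsource=SourceTable isfuzzy=true
    AlertEvidence, IdentityLogonEvents, IdentityInfo, AADSignInEventsBeta,
    UrlClickEvents, DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents,
    CloudAppEvents, EmailEvents, EmailPostDeliveryEvents
| where Timestamp between (StartTime .. EndTime)
// "* has" is a case-insensitive term match over every column, so the UPN is
// found whichever column holds it (account, sender or recipient address, ...)
| where * has UPN
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            // tables without an ActionType column contribute nothing to this set
            Actions = make_set(ActionType, 20)
          by SourceTable
| order by Hits desc
```

Scanning every column is the simplest way to cover tables whose account columns are named differently, but on large Device* tables it is much slower than filtering on each table's own account column, so narrow the table list or the time window before running it tenant-wide.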
Do support this article if you find the KQL useful, and repost it to share with the wider cyber defender community.
🔔 Click the bell icon 🔔 on my LinkedIn profile for more future updates to 🧙 The KQL Grimoire 📖!
#Microsoft #Sentinel #DefenderXDR #KQL #ThreatDetection #ThreatHunting #CyberSecurity #CyberDefender
Security Global Black Belt | Cybersecurity | Generative AI, Responsible AI | Security Copilot | Microsoft XDR | Microsoft Sentinel | Co-host of the Microsoft Security Insights Podcast
1y: This is great
Azure Kusto Principal Program Manager at Microsoft
1y: No comment Steven Lim, hint hint 😊