Anomaly Detection in Microsoft 365 Defender

As a former incident responder, anomaly detection was part of my day-to-day job. When an attacker persists on an endpoint or within identity there is typically something that deviates from the norm – whether that be a misspelling, obscure launch string, odd configuration, or just general strange behavior. Because of this, many of the queries I used started by building a baseline and comparing everything else in the organization to it.

The problem with this approach is that we're typically applying a static analysis technique to a dynamic dataset. As a result, these queries will often exceed the query caps that hunting platforms such as a SIEM or EDR solution place on searches over dynamic data. Because of this, some of these queries will need to be tuned to work in your environment.
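The baseline-and-compare pattern described above, as an added example of how such a query is typically structured; this is not one of the repository's queries. It assumes the Defender advanced hunting DeviceProcessEvents schema, and the window lengths and rarity threshold are assumptions you would tune to your tenant's size and query caps.

```kql
// Added example (not from the repository): prevalence baseline for process launches.
// Assumes the DeviceProcessEvents table; lookback, recent and rare_threshold are
// assumed tuning knobs. Shrinking lookback or scoping to a device group is the
// usual first step when the query hits the advanced hunting result or CPU caps.
let lookback = 30d;        // window used to build the organizational baseline
let recent = 1d;           // window whose launches are compared against the baseline
let rare_threshold = 3;    // fewer than this many baseline devices counts as "rare"
// Baseline: how many distinct devices ran each (child, parent) pair during the lookback,
// excluding the recent window so that new activity cannot baseline itself
let baseline = DeviceProcessEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | summarize BaselineDevices = dcount(DeviceId) by FileName, InitiatingProcessFileName;
// Recent launches, joined to the baseline; pairs never seen (or rarely seen) before surface
DeviceProcessEvents
| where Timestamp > ago(recent)
| summarize RecentDevices = dcount(DeviceId),
            Launches = count(),
            SampleCommandLine = take_any(ProcessCommandLine)
          by FileName, InitiatingProcessFileName
| join kind=leftouter baseline on FileName, InitiatingProcessFileName
| extend BaselineDevices = coalesce(BaselineDevices, 0)   // unseen in baseline -> 0
| where BaselineDevices < rare_threshold
| project FileName, InitiatingProcessFileName, BaselineDevices,
          RecentDevices, Launches, SampleCommandLine
| order by BaselineDevices asc, Launches desc
```

Rows with BaselineDevices of 0 are launches the organization has not produced in the lookback window at all, which is where the misspellings and odd launch strings mentioned above tend to show up.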

Since these may not work out-of-the-box they do not want me checking these queries into the public M365 Defender advanced hunting repository. Instead, I will provide them from my own personal KQL repository on GitHub.

KQL/MTP at master · mjmelone/KQL · GitHub

At some time in the future I will break down some of the techniques used in these queries, but for now I thought the community might benefit from their availability.

Enjoy, and happy hunting!
