As a former incident responder, I did anomaly detection as part of my day-to-day job. When an attacker persists on an endpoint or within an identity system, there is typically something that deviates from the norm, whether that is a misspelling, an obscure launch string, an odd configuration, or just generally strange behavior. Because of this, many of the queries I used started by building a baseline and then comparing everything else in the organization against it.
The problem with this approach is that we are typically applying a static analysis technique to a dynamic dataset: building the baseline means summarizing the whole population before a single comparison can be made. As a result, these queries will often exceed the time and result-size caps that platforms built for hunting dynamic datasets, such as a SIEM or EDR solution, impose on a single query. Some of these queries will therefore need to be tuned (a shorter look-back window, a narrower scope, or a higher rarity threshold) to work in your environment.
Since these may not work out of the box, they do not want me checking these queries into the public M365 Defender advanced hunting repository. Instead, I will provide them from my own personal KQL repository on GitHub.
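The following is a concrete instance of the baseline-and-compare pattern described above. It is an added example written for this page, not one of the queries from the author's repository. It assumes the standard DeviceProcessEvents schema in Defender advanced hunting (DeviceId, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, Timestamp); the look-back window, rarity threshold and path list are placeholders to tune for your environment.

```kql
// Added example, not a query from the author's repository.
// Baseline-and-compare hunt over DeviceProcessEvents (standard Defender
// advanced hunting schema assumed).
// Baseline: how many distinct devices launched each executable name over the
// look-back window. Compare: recent launches whose executable is rare across
// the estate and ran from a user-writable location.
let lookback = 7d;          // baseline window; shorten this first if the query hits time caps
let compare_window = 1d;    // only the recent slice is compared, not the whole window
let rare_threshold = 3;     // "seen on at most N devices"; raise in large estates
let fleet_size = toscalar(
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | summarize dcount(DeviceId));
let baseline =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | summarize Devices = dcount(DeviceId) by FileName = tolower(FileName);
DeviceProcessEvents
| where Timestamp > ago(compare_window)
| extend FileName = tolower(FileName)
| join kind=inner baseline on FileName
| where Devices <= rare_threshold
// user-writable locations; placeholder list, extend it for your environment
| where FolderPath has_any ("Users", "Temp", "ProgramData")
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, Devices,
          Prevalence = round(100.0 * Devices / fleet_size, 2)
| order by Devices asc, Timestamp desc
```

The cost lives almost entirely in the `baseline` summarization, which has to touch every process event in the look-back window before any row can be compared; the comparison itself only scans the last day. If the query trips the platform's limits, shorten `lookback`, restrict both legs to a device group, or compute the baseline once and store it (for example with `materialize()` within the query, or as a scheduled export) rather than rebuilding it on every hunt.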
KQL/MTP at master · mjmelone/KQL · GitHub
At some point in the future I will break down some of the techniques used in these queries, but for now I thought the community might benefit from having them available.
Enjoy, and happy hunting!