Hi here,
Today I have jumped into the lake called “Advanced Hunting” from MS Defender. I would like to be able to trigger a workflow from the “Take Action” in IDR investigations. Let’s call it “MS Advanced Hunting URL search”.
The workflow in this case would ask for the URL to be searched and run the following query in MS Defender:
DeviceNetworkEvents
| where Timestamp > ago(7d)
and RemoteUrl has "{{URL}}"
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc
The problem I came across is that I am not able to fill in the URL anywhere. The URL does not have to be part of the evidence, and if it is, it can be located anywhere, as each alert is different.
Any suggestion on how to work around this?
The workflow itself works brilliantly and when I hardcode for example Rapid7.com I get all the data I need.
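Added example (not code from the post, from Rapid7 or from Microsoft): a small Python helper that takes the URL as an explicit parameter, rejects input that cannot be part of a URL, escapes it for the KQL double-quoted string literal so the analyst's input cannot alter the query, and submits the resulting query to the Microsoft Graph runHuntingQuery endpoint. It assumes the workflow already holds a valid Graph access token with the ThreatHunting permission.

```python
import json
import urllib.request

# The query from the post; {{URL}} is the workflow input to substitute.
QUERY_TEMPLATE = """DeviceNetworkEvents
| where Timestamp > ago(7d)
and RemoteUrl has "{{URL}}"
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc"""


def kql_string_literal(value: str) -> str:
    """Escape a value for use inside a double-quoted KQL string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_query(url: str) -> str:
    """Substitute the analyst-supplied URL into the template after validation."""
    url = url.strip()
    # A URL never contains whitespace or control characters; refuse anything odd
    # before it goes anywhere near the query text.
    if not url or any(ch.isspace() or ord(ch) < 32 for ch in url):
        raise ValueError(f"refusing to build query from unexpected input: {url!r}")
    return QUERY_TEMPLATE.replace("{{URL}}", kql_string_literal(url))


def run_hunting_query(url: str, access_token: str) -> dict:
    """POST the built query to Graph; access_token is assumed to come from the
    workflow's existing Defender/Graph connection (hypothetical here)."""
    body = json.dumps({"Query": build_query(url)}).encode()
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/security/runHuntingQuery",
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hard-coded example from the post, shown only as the built query text.
    print(build_query("Rapid7.com"))
```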