Data Environment identifier: MSSentinel
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| Azure | get_vmcomputer_for_host | Returns most recent VMComputer record for Host | end (datetime), host_name (str), start (datetime) | VMComputer |
| Azure | get_vmcomputer_for_ip | Returns most recent VMComputer record for IPAddress | end (datetime), ip_address (str), start (datetime) | VMComputer |
| Azure | list_aad_signins_for_account | Returns Azure AD Signins for Account | end (datetime), start (datetime) | SigninLogs |
| Azure | list_aad_signins_for_ip | Returns Azure AD Signins for an IP Address | end (datetime), ip_address_list (list), start (datetime) | SigninLogs |
| Azure | list_all_signins_geo | Gets Signin data used by morph charts | end (datetime), start (datetime) | SigninLogs |
| Azure | list_azure_activity_for_account | Returns Azure Activity for Account | account_name (str), end (datetime), start (datetime) | AzureActivity |
| Azure | list_azure_activity_for_ip | Returns Azure Activity for Caller IP Address(es) | end (datetime), ip_address_list (list), start (datetime) | AzureActivity |
| Azure | list_azure_activity_for_resource | Returns Azure Activity for an Azure Resource ID | end (datetime), resource_id (str), start (datetime) | AzureActivity |
| Azure | list_storage_ops_for_hash | Returns Azure Storage Operations for an MD5 file hash | end (datetime), file_hash (str), start (datetime) | StorageFileLogs |
| Azure | list_storage_ops_for_ip | Returns Storage Operations for an IP Address | end (datetime), ip_address (str), start (datetime) | StorageFileLogs |
| AzureNetwork | all_network_connections_csl | Returns all network connections for a time range (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| AzureNetwork | az_net_analytics | Returns all Azure Network Flow (NSG) Data for a given host | end (datetime), start (datetime) | AzureNetworkAnalytics_CL |
| AzureNetwork | dns_lookups_for_domain | Returns DNS query events for a specified domain | domain (str), end (datetime), start (datetime) | DnsEvents |
| AzureNetwork | dns_lookups_for_ip | Returns Dns query events that contain a resolved IP address | end (datetime), ip_address (str), start (datetime) | DnsEvents |
| AzureNetwork | dns_lookups_from_ip | Returns Dns queries originating from a specified IP address | end (datetime), ip_address (str), start (datetime) | DnsEvents |
| AzureNetwork | get_heartbeat_for_host | Returns latest OMS Heartbeat event for host. | end (datetime), host_name (str), start (datetime) | Heartbeat |
| AzureNetwork | get_heartbeat_for_ip | Returns latest OMS Heartbeat event for ip address. | end (datetime), ip_address (str), start (datetime) | Heartbeat |
| AzureNetwork | get_host_for_ip | Returns the most recent Azure NSG Interface event for an IP Address. | end (datetime), ip_address (str), start (datetime) | AzureNetworkAnalytics_CL |
| AzureNetwork | get_ips_for_host | Returns the most recent Azure Network NSG Interface event for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL |
| AzureNetwork | host_network_connections_csl | Returns network connections to and from a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| AzureNetwork | hosts_by_ip_csl | Returns hosts associated with a IP addresses (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| AzureNetwork | ip_network_connections_csl | Returns network connections to and from an IP address (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| AzureNetwork | ips_by_host_csl | Returns all IP addresses associated with a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| AzureNetwork | list_azure_network_flows_by_host | Returns Azure NSG flow events for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL |
| AzureNetwork | list_azure_network_flows_by_ip | Returns Azure NSG flow events for an IP Address. | end (datetime), ip_address_list (list), start (datetime) | AzureNetworkAnalytics_CL |
| AzureNetwork | network_connections_to_url | Returns connections to a URL or domain (CommonSecurityLog) | end (datetime), start (datetime), url (str) | CommonSecurityLog |
| AzureSentinel | get_bookmark_by_id | Returns a single Bookmark by BookmarkId | bookmark_id (str), end (datetime), start (datetime) | HuntingBookmark |
| AzureSentinel | get_bookmark_by_name | Retrieves one or more Bookmarks by Bookmark Name | bookmark_name (str), end (datetime), start (datetime) | HuntingBookmark |
| AzureSentinel | get_dynamic_summary_by_id | Returns a Dynamic Summary by SummaryId | end (datetime), start (datetime), summary_id (str) | DynamicSummary |
| AzureSentinel | get_dynamic_summary_by_name | Returns a Dynamic Summary by Name | end (datetime), start (datetime), summary_name (str) | DynamicSummary |
| AzureSentinel | list_bookmarks | Retrieves list of bookmarks for a time range | end (datetime), start (datetime) | HuntingBookmark |
| AzureSentinel | list_bookmarks_for_entity | Retrieves bookmarks for a host, account, ip address, domain, url or other entity identifier | end (datetime), start (datetime) | HuntingBookmark |
| AzureSentinel | list_bookmarks_for_tags | Returns Bookmark by one or more Tags | bookmark_tags (list), end (datetime), start (datetime) | HuntingBookmark |
| AzureSentinel | list_dynamic_summaries | Returns all Dynamic Summaries by time range | end (datetime), start (datetime) | DynamicSummary |
| Heartbeat | get_heartbeat_for_host | Returns latest OMS Heartbeat event for host. | end (datetime), host_name (str), start (datetime) | Heartbeat |
| Heartbeat | get_heartbeat_for_ip | Returns latest OMS Heartbeat event for ip address. | end (datetime), ip_address (str), start (datetime) | Heartbeat |
| Heartbeat | get_info_by_hostname | Deprecated - use 'get_heartbeat_for_host' | end (datetime), host_name (str), start (datetime) | Heartbeat |
| Heartbeat | get_info_by_ipaddress | Deprecated - use 'get_heartbeat_for_ip' | end (datetime), ip_address (str), start (datetime) | Heartbeat |
| IdentityOnPrem | logons_for_account | Return all Active Directory on-premises user logons for user name | account_name (str), end (datetime), start (datetime) | IdentityLogonEvents |
| IdentityOnPrem | logons_for_host | Return all Active Directory on-premises user logons for host/device name | end (datetime), host_name (str), start (datetime) | IdentityLogonEvents |
| IdentityOnPrem | logons_for_ip | Return all Active Directory on-premises user logons for ip address | end (datetime), ip_address (str), start (datetime) | IdentityLogonEvents |
| LinuxAudit | auditd_all | Extract all audit messages grouped by mssg_id | end (datetime), start (datetime) | AuditLog_CL |
| LinuxSyslog | all_syslog | Returns all syslog activity for a host | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | cron_activity | Returns all cron activity for a host | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | list_account_logon_failures | All failed user logon events for account name | account_name (str), end (datetime), start (datetime) | Syslog |
| LinuxSyslog | list_host_logon_failures | Failed user logon events on a host | end (datetime), host_name (str), start (datetime) | Syslog |
| LinuxSyslog | list_ip_logon_failures | Failed user logon events from an IP address | end (datetime), ip_address (str), start (datetime) | Syslog |
| LinuxSyslog | list_logon_failures | All failed user logon events on any host | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | list_logons_for_account | Successful user logon events for account name (all hosts) | account_name (str), end (datetime), start (datetime) | Syslog |
| LinuxSyslog | list_logons_for_host | All logon events on a host | end (datetime), host_name (str), start (datetime) | Syslog |
| LinuxSyslog | list_logons_for_source_ip | Successful user logon events for source IP (all hosts) | end (datetime), ip_address (str), start (datetime) | Syslog |
| LinuxSyslog | notable_events | Returns all 'alert' and 'crit' syslog activity for a host | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | squid_activity | Returns all squid proxy activity for a host | end (datetime), host_name (str), start (datetime) | Syslog |
| LinuxSyslog | sudo_activity | Returns all sudo activity for a host and account name | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | summarize_events | Returns summarized syslog activity for a host | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | sysmon_process_events | Sysmon Process Events on host | end (datetime), host_name (str), start (datetime) | |
| LinuxSyslog | user_group_activity | Returns all user/group additions, deletions, and modifications for a host | end (datetime), start (datetime) | Syslog |
| LinuxSyslog | user_logon | User logon events on a host | end (datetime), host_name (str), start (datetime) | Syslog |
| M365D | application_alerts | Lists alerts associated with a cloud app or OAuth app | app_name (str), end (datetime), start (datetime) | AlertInfo |
| M365D | host_alerts | Lists alerts associated with host/device name | end (datetime), host_name (str), start (datetime) | AlertInfo |
| M365D | host_connections | Returns connections by a specified hostname | end (datetime), host_name (str), start (datetime) | DeviceNetworkEvents |
| M365D | ip_alerts | Lists alerts associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | AlertInfo |
| M365D | ip_connections | Returns network connections associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | DeviceNetworkEvents |
| M365D | list_alerts | Retrieves list of alerts | end (datetime), start (datetime) | AlertInfo |
| M365D | list_alerts_with_evidence | Retrieves list of alerts with their evidence | end (datetime), start (datetime) | AlertInfo |
| M365D | list_connections | Retrieves list of all network connections | end (datetime), start (datetime) | DeviceNetworkEvents |
| M365D | list_file_events_for_filename | Lists all file events by filename | end (datetime), file_name (str), start (datetime) | DeviceFileEvents |
| M365D | list_file_events_for_hash | Lists all file events by hash | end (datetime), file_hash (str), start (datetime) | DeviceFileEvents |
| M365D | list_file_events_for_host | Lists all file events for a host/device | end (datetime), start (datetime) | DeviceFileEvents |
| M365D | list_file_events_for_path | Lists all file events from files in a certain path | end (datetime), path (str), start (datetime) | DeviceFileEvents |
| M365D | list_host_processes | Return all process creations for a host for the specified time range | end (datetime), host_name (str), start (datetime) | DeviceProcessEvents |
| M365D | mail_message_alerts | Lists alerts associated with a specified mail message | end (datetime), message_id (str), start (datetime) | AlertInfo |
| M365D | mailbox_alerts | Lists alerts associated with a specified mailbox | end (datetime), mailbox (str), start (datetime) | AlertInfo |
| M365D | process_alerts | Lists alerts associated with a specified process | end (datetime), file_name (str), start (datetime) | AlertInfo |
| M365D | process_cmd_line | Lists all processes with a command line containing a string (all hosts) | cmd_line (str), end (datetime), start (datetime) | DeviceProcessEvents |
| M365D | process_creations | Return all processes with matching name or hash (all hosts) | end (datetime), process_identifier (str), start (datetime) | DeviceProcessEvents |
| M365D | process_paths | Return all processes with a matching path (part path) (all hosts) | end (datetime), file_path (str), start (datetime) | DeviceProcessEvents |
| M365D | protocol_connections | Returns connections associated with a specified protocol (port number) | end (datetime), protocol (str), start (datetime) | DeviceNetworkEvents |
| M365D | registry_key_alerts | Lists alerts associated with a specified registry key | end (datetime), key_name (str), start (datetime) | AlertInfo |
| M365D | sha1_alerts | Lists alerts associated with a specified SHA1 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo |
| M365D | sha256_alerts | Lists alerts associated with a specified SHA256 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo |
| M365D | url_alerts | Lists alerts associated with a specified URL | end (datetime), start (datetime), url (str) | AlertInfo |
| M365D | url_connections | Returns connections associated with a specified URL | end (datetime), start (datetime), url (str) | DeviceNetworkEvents |
| M365D | user_alerts | Lists alerts associated with a specified user | account_name (str), end (datetime), start (datetime) | AlertInfo |
| M365D | user_files | Return all files created by a user | account_name (str), end (datetime), start (datetime) | |
| M365D | user_logons | Return all user logons for user name | account_name (str), end (datetime), start (datetime) | |
| M365D | user_network | Return all network connections associated with a user | account_name (str), end (datetime), start (datetime) | |
| M365D | user_processes | Return all processes created by a user | account_name (str), end (datetime), start (datetime) | |
| M365DHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | end (datetime), start (datetime) | |
| M365DHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | end (datetime), start (datetime) | |
| M365DHunting | b64_pe | Finding base64 encoded PE files header seen in the command line parameters | end (datetime), start (datetime) | |
| M365DHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | end (datetime), start (datetime) | |
| M365DHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | end (datetime), start (datetime) | |
| M365DHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | end (datetime), start (datetime) | |
| M365DHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in the CVE-2018-4878 | end (datetime), start (datetime) | |
| M365DHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | end (datetime), start (datetime) | |
| M365DHunting | dropbox_link | Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. | end (datetime), start (datetime) | |
| M365DHunting | email_link | Look for links opened from mail apps – if a detection occurred right afterwards | end (datetime), start (datetime) | |
| M365DHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | end (datetime), start (datetime) | |
| M365DHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | end (datetime), start (datetime) | |
| M365DHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | end (datetime), start (datetime) | |
| M365DHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | end (datetime), start (datetime) | |
| M365DHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | end (datetime), start (datetime) | |
| M365DHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. | end (datetime), start (datetime) | |
| M365DHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | end (datetime), start (datetime) | |
| M365DHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | end (datetime), start (datetime) | |
| M365DHunting | uncommon_powershell | Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. | end (datetime), host_name (str), start (datetime), timestamp (str) | |
| M365DHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | end (datetime), start (datetime) | |
| MDEHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | end (datetime), start (datetime) | |
| MDEHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | end (datetime), start (datetime) | |
| MDEHunting | b64_pe | Finding base64 encoded PE files header seen in the command line parameters | end (datetime), start (datetime) | |
| MDEHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | end (datetime), start (datetime) | |
| MDEHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | end (datetime), start (datetime) | |
| MDEHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | end (datetime), start (datetime) | |
| MDEHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in the CVE-2018-4878 | end (datetime), start (datetime) | |
| MDEHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | end (datetime), start (datetime) | |
| MDEHunting | dropbox_link | Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. | end (datetime), start (datetime) | |
| MDEHunting | email_link | Look for links opened from mail apps – if a detection occurred right afterwards | end (datetime), start (datetime) | |
| MDEHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | end (datetime), start (datetime) | |
| MDEHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | end (datetime), start (datetime) | |
| MDEHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | end (datetime), start (datetime) | |
| MDEHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | end (datetime), start (datetime) | |
| MDEHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | end (datetime), start (datetime) | |
| MDEHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. | end (datetime), start (datetime) | |
| MDEHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | end (datetime), start (datetime) | |
| MDEHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | end (datetime), start (datetime) | |
| MDEHunting | uncommon_powershell | Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. | end (datetime), host_name (str), start (datetime), timestamp (str) | |
| MDEHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | end (datetime), start (datetime) | |
| MSSentinel | get_bookmark_by_id | Returns a single Bookmark by BookmarkId | bookmark_id (str), end (datetime), start (datetime) | HuntingBookmark |
| MSSentinel | get_bookmark_by_name | Retrieves one or more Bookmarks by Bookmark Name | bookmark_name (str), end (datetime), start (datetime) | HuntingBookmark |
| MSSentinel | get_dynamic_summary_by_id | Returns a Dynamic Summary by SummaryId | end (datetime), start (datetime), summary_id (str) | DynamicSummary |
| MSSentinel | get_dynamic_summary_by_name | Returns a Dynamic Summary by Name | end (datetime), start (datetime), summary_name (str) | DynamicSummary |
| MSSentinel | list_bookmarks | Retrieves list of bookmarks for a time range | end (datetime), start (datetime) | HuntingBookmark |
| MSSentinel | list_bookmarks_for_entity | Retrieves bookmarks for a host, account, ip address, domain, url or other entity identifier | end (datetime), start (datetime) | HuntingBookmark |
| MSSentinel | list_bookmarks_for_tags | Returns Bookmark by one or more Tags | bookmark_tags (list), end (datetime), start (datetime) | HuntingBookmark |
| MSSentinel | list_dynamic_summaries | Returns all Dynamic Summaries by time range | end (datetime), start (datetime) | DynamicSummary |
| MultiDataSource | get_timeseries_anomalies | Time Series filtered anomalies using native KQL analysis (series_decompose_anomalies) | end (datetime), start (datetime), table (str) | na |
| MultiDataSource | get_timeseries_data | Generic query to return TimeSeriesData for use with native KQL time series functions | end (datetime), start (datetime), table (str) | na |
| MultiDataSource | get_timeseries_decompose | Generic Time Series decomposition using native KQL analysis (series_decompose) | end (datetime), start (datetime), table (str) | na |
| MultiDataSource | plot_timeseries_datawithbaseline | Plot of Time Series data using native KQL analysis and plot rendering (KQLMagic only) | end (datetime), start (datetime), table (str) | na |
| MultiDataSource | plot_timeseries_scoreanomolies | Plot Time Series anomaly score using native KQL render (KQLMagic only) | end (datetime), start (datetime), table (str) | na |
| Network | all_network_connections_csl | Returns all network connections for a time range (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| Network | get_heartbeat_for_host | Returns latest OMS Heartbeat event for host. | end (datetime), host_name (str), start (datetime) | Heartbeat |
| Network | get_heartbeat_for_ip | Returns latest OMS Heartbeat event for ip address. | end (datetime), ip_address (str), start (datetime) | Heartbeat |
| Network | get_host_for_ip | Returns the most recent Azure NSG Interface event for an IP Address. | end (datetime), ip_address (str), start (datetime) | AzureNetworkAnalytics_CL |
| Network | get_ips_for_host | Returns the most recent Azure Network NSG Interface event for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL |
| Network | host_network_connections_csl | Returns network connections to and from a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| Network | hosts_by_ip_csl | Returns hosts associated with a IP addresses (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| Network | ip_network_connections_csl | Returns network connections to and from an IP address (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| Network | ips_by_host_csl | Returns all IP addresses associated with a host (CommonSecurityLog) | end (datetime), start (datetime) | CommonSecurityLog |
| Network | list_azure_network_flows_by_host | Returns Azure NSG flow events for a host. | end (datetime), host_name (str), start (datetime) | AzureNetworkAnalytics_CL |
| Network | list_azure_network_flows_by_ip | Returns Azure NSG flow events for an IP Address. | end (datetime), ip_address_list (list), start (datetime) | AzureNetworkAnalytics_CL |
| Network | network_connections_to_url | Returns connections to a URL or domain (CommonSecurityLog) | end (datetime), start (datetime), url (str) | CommonSecurityLog |
| Office365 | list_activity_for_account | Lists Office/O365 Activity for Account | account_name (str), end (datetime), start (datetime) | OfficeActivity |
| Office365 | list_activity_for_ip | Lists Office/O365 Activity for Caller IP Address(es) | end (datetime), ip_address_list (list), start (datetime) | OfficeActivity |
| Office365 | list_activity_for_resource | Lists Office/O365 Activity for a Resource (OfficeObjectId) | end (datetime), resource_id (str), start (datetime) | OfficeActivity |
| SecurityAlert | get_alert | Retrieves a single alert by SystemAlertId | system_alert_id (str) | SecurityAlert |
| SecurityAlert | list_alerts | Returns security alerts for a given time range | end (datetime), start (datetime) | SecurityAlert |
| SecurityAlert | list_alerts_counts | Returns summary count of alerts by type | end (datetime), start (datetime) | SecurityAlert |
| SecurityAlert | list_alerts_for_ip | Returns alerts with the specified IP Address or addresses. | end (datetime), source_ip_list (str), start (datetime) | SecurityAlert |
| SecurityAlert | list_related_alerts | Returns alerts with a host, account or process entity | end (datetime), start (datetime) | SecurityAlert |
| ThreatIntelligence | list_indicators | Returns list of all current indicators. | end (datetime), start (datetime) | ThreatIntelligenceIndicator |
| ThreatIntelligence | list_indicators_by_domain | Returns list of indicators by domain | domain_list (list), end (datetime), start (datetime) | ThreatIntelligenceIndicator |
| ThreatIntelligence | list_indicators_by_email | Returns list of indicators by email address | end (datetime), observables (list), start (datetime) | ThreatIntelligenceIndicator |
| ThreatIntelligence | list_indicators_by_filepath | Returns list of indicators by file path | end (datetime), observables (list), start (datetime) | ThreatIntelligenceIndicator |
| ThreatIntelligence | list_indicators_by_hash | Returns list of indicators by file hash | end (datetime), file_hash_list (list), start (datetime) | ThreatIntelligenceIndicator |
| ThreatIntelligence | list_indicators_by_ip | Returns list of indicators by IP Address | end (datetime), ip_address_list (list), start (datetime) | ThreatIntelligenceIndicator |
| ThreatIntelligence | list_indicators_by_url | Returns list of indicators by URL | end (datetime), start (datetime), url_list (list) | ThreatIntelligenceIndicator |
| WindowsSecurity | account_change_events | Returns events related to account changes | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | get_host_logon | Returns the logon event for the logon session id on a host | end (datetime), host_name (str), logon_session_id (str), start (datetime) | SecurityEvent |
| WindowsSecurity | get_parent_process | Returns the parent process of process (process id, session id and host name) | end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | get_process_tree | Returns the process tree for process id, session id and host name. | end (datetime), host_name (str), logon_session_id (str), process_id (str), process_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_all_logons_by_host | Returns all failed or successful logons on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_events | Retrieves list of all events | end (datetime), start (datetime) | SecurityEvent |
| WindowsSecurity | list_events_by_id | Returns list of events on a host by EventID | end (datetime), event_list (list), start (datetime) | SecurityEvent |
| WindowsSecurity | list_host_events | Returns list of all events on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_host_events_by_id | Returns list of specified event IDs on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_host_logon_failures | Returns the logon failure events on a host for time range | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_host_logons | Returns the logon events on a host for time range | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_host_processes | Returns list of processes on a host for a time range | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_hosts_matching_commandline | Returns processes on hosts with matching command line | commandline (str), end (datetime), process_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_logon_attempts_by_account | Retrieves all logon events for an account (all hosts) | account_name (str), end (datetime), start (datetime) | SecurityEvent |
| WindowsSecurity | list_logon_attempts_by_ip | Returns the logon events for an IP Address (all hosts) | end (datetime), ip_address (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_logon_failures_by_account | Returns the logon failure events for an account (all hosts) | account_name (str), end (datetime), start (datetime) | SecurityEvent |
| WindowsSecurity | list_logons_by_account | Returns the logon success events for an account (all hosts) | account_name (str), end (datetime), start (datetime) | SecurityEvent |
| WindowsSecurity | list_matching_processes | Returns list of processes matching process name (all hosts) | end (datetime), process_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_other_events | Returns list of events other than logon and process on a host | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | list_processes_in_session | Returns all processes on the host for a logon session | end (datetime), host_name (str), logon_session_id (str), start (datetime) | SecurityEvent |
| WindowsSecurity | notable_events | Return other significant Windows events not returned in other queries | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | schdld_tasks_and_services | Returns scheduled tasks and services events (4698, 4700, 4697, 4702) | end (datetime), host_name (str), start (datetime) | SecurityEvent |
| WindowsSecurity | summarize_events | Summarize the events on a host by event type | end (datetime), host_name (str), start (datetime) | SecurityEvent |
Data Environment identifier: M365D
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| IdentityOnPrem | logons_for_account | Return all Active Directory on-premises user logons for user name | account_name (str), end (datetime), start (datetime) | IdentityLogonEvents |
| IdentityOnPrem | logons_for_host | Return all Active Directory on-premises user logons for host/device name | end (datetime), host_name (str), start (datetime) | IdentityLogonEvents |
| IdentityOnPrem | logons_for_ip | Return all Active Directory on-premises user logons for ip address | end (datetime), ip_address (str), start (datetime) | IdentityLogonEvents |
| M365D | application_alerts | Lists alerts associated with a cloud app or OAuth app | app_name (str), end (datetime), start (datetime) | AlertInfo |
| M365D | host_alerts | Lists alerts associated with host/device name | end (datetime), host_name (str), start (datetime) | AlertInfo |
| M365D | host_connections | Returns connections by a specified hostname | end (datetime), host_name (str), start (datetime) | DeviceNetworkEvents |
| M365D | ip_alerts | Lists alerts associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | AlertInfo |
| M365D | ip_connections | Returns network connections associated with a specified remote IP | end (datetime), ip_address (str), start (datetime) | DeviceNetworkEvents |
| M365D | list_alerts | Retrieves list of alerts | end (datetime), start (datetime) | AlertInfo |
| M365D | list_alerts_with_evidence | Retrieves list of alerts with their evidence | end (datetime), start (datetime) | AlertInfo |
| M365D | list_connections | Retrieves list of all network connections | end (datetime), start (datetime) | DeviceNetworkEvents |
| M365D | list_file_events_for_filename | Lists all file events by filename | end (datetime), file_name (str), start (datetime) | DeviceFileEvents |
| M365D | list_file_events_for_hash | Lists all file events by hash | end (datetime), file_hash (str), start (datetime) | DeviceFileEvents |
| M365D | list_file_events_for_host | Lists all file events for a host/device | end (datetime), start (datetime) | DeviceFileEvents |
| M365D | list_file_events_for_path | Lists all file events from files in a certain path | end (datetime), path (str), start (datetime) | DeviceFileEvents |
| M365D | list_host_processes | Return all process creations for a host for the specified time range | end (datetime), host_name (str), start (datetime) | DeviceProcessEvents |
| M365D | mail_message_alerts | Lists alerts associated with a specified mail message | end (datetime), message_id (str), start (datetime) | AlertInfo |
| M365D | mailbox_alerts | Lists alerts associated with a specified mailbox | end (datetime), mailbox (str), start (datetime) | AlertInfo |
| M365D | process_alerts | Lists alerts associated with a specified process | end (datetime), file_name (str), start (datetime) | AlertInfo |
| M365D | process_cmd_line | Lists all processes with a command line containing a string (all hosts) | cmd_line (str), end (datetime), start (datetime) | DeviceProcessEvents |
| M365D | process_creations | Return all processes with matching name or hash (all hosts) | end (datetime), process_identifier (str), start (datetime) | DeviceProcessEvents |
| M365D | process_paths | Return all processes with a matching path (part path) (all hosts) | end (datetime), file_path (str), start (datetime) | DeviceProcessEvents |
| M365D | protocol_connections | Returns connections associated with a specified protocol (port number) | end (datetime), protocol (str), start (datetime) | DeviceNetworkEvents |
| M365D | registry_key_alerts | Lists alerts associated with a specified registry key | end (datetime), key_name (str), start (datetime) | AlertInfo |
| M365D | sha1_alerts | Lists alerts associated with a specified SHA1 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo |
| M365D | sha256_alerts | Lists alerts associated with a specified SHA256 hash | end (datetime), file_hash (str), start (datetime) | AlertInfo |
| M365D | url_alerts | Lists alerts associated with a specified URL | end (datetime), start (datetime), url (str) | AlertInfo |
| M365D | url_connections | Returns connections associated with a specified URL | end (datetime), start (datetime), url (str) | DeviceNetworkEvents |
| M365D | user_alerts | Lists alerts associated with a specified user | account_name (str), end (datetime), start (datetime) | AlertInfo |
| M365D | user_files | Return all files created by a user | account_name (str), end (datetime), start (datetime) | |
| M365D | user_logons | Return all user logons for user name | account_name (str), end (datetime), start (datetime) | |
| M365D | user_network | Return all network connections associated with a user | account_name (str), end (datetime), start (datetime) | |
| M365D | user_processes | Return all processes created by a user | account_name (str), end (datetime), start (datetime) | |
| M365DHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | end (datetime), start (datetime) | |
| M365DHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | end (datetime), start (datetime) | |
| M365DHunting | b64_pe | Finding base64 encoded PE files header seen in the command line parameters | end (datetime), start (datetime) | |
| M365DHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | end (datetime), start (datetime) | |
| M365DHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | end (datetime), start (datetime) | |
| M365DHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | end (datetime), start (datetime) | |
| M365DHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in the CVE-2018-4878 | end (datetime), start (datetime) | |
| M365DHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | end (datetime), start (datetime) | |
| M365DHunting | dropbox_link | Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. | end (datetime), start (datetime) | |
| M365DHunting | email_link | Look for links opened from mail apps – if a detection occurred right afterwards | end (datetime), start (datetime) | |
| M365DHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | end (datetime), start (datetime) | |
| M365DHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | end (datetime), start (datetime) | |
| M365DHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | end (datetime), start (datetime) | |
| M365DHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | end (datetime), start (datetime) | |
| M365DHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | end (datetime), start (datetime) | |
| M365DHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. | end (datetime), start (datetime) | |
| M365DHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | end (datetime), start (datetime) | |
| M365DHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | end (datetime), start (datetime) | |
| M365DHunting | uncommon_powershell | Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. | end (datetime), host_name (str), start (datetime), timestamp (str) | |
| M365DHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | end (datetime), start (datetime) | |
| MDEHunting | accessibility_persistence | This query looks for persistence or privilege escalation done using Windows Accessibility features. | end (datetime), start (datetime) | |
| MDEHunting | av_sites | Pivot from downloads detected by Windows Defender Antivirus to other files downloaded from the same sites | end (datetime), start (datetime) | |
| MDEHunting | b64_pe | Finding base64 encoded PE files header seen in the command line parameters | end (datetime), start (datetime) | |
| MDEHunting | brute_force | Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. | end (datetime), start (datetime) | |
| MDEHunting | cve_2018_1000006l | Looks for CVE-2018-1000006 exploitation | end (datetime), start (datetime) | |
| MDEHunting | cve_2018_1111 | Looks for CVE-2018-1111 exploitation | end (datetime), start (datetime) | |
| MDEHunting | cve_2018_4878 | This query checks for specific processes and domain TLD used in the CVE-2018-4878 | end (datetime), start (datetime) | |
| MDEHunting | doc_with_link | Looks for a Word document attachment, from which a link was clicked, and after which there was a browser download. | end (datetime), start (datetime) | |
| MDEHunting | dropbox_link | Looks for user content downloads from dropbox that originate from a link/redirect from a 3rd party site. | end (datetime), start (datetime) | |
| MDEHunting | email_link | Look for links opened from mail apps – if a detection occurred right afterwards | end (datetime), start (datetime) | |
| MDEHunting | email_smartscreen | Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning | end (datetime), start (datetime) | |
| MDEHunting | malware_recycle | Finding attackers hiding malware in the recycle bin. | end (datetime), start (datetime) | |
| MDEHunting | network_scans | Looking for high volume queries against a given RemoteIP, per ComputerName, RemotePort and Process | end (datetime), start (datetime) | |
| MDEHunting | powershell_downloads | Finds PowerShell execution events that could involve a download. | end (datetime), start (datetime) | |
| MDEHunting | service_account_powershell | Service Accounts Performing Remote PowerShell | end (datetime), start (datetime) | |
| MDEHunting | smartscreen_ignored | Query for SmartScreen URL blocks, where the user has decided to run the malware nontheless. | end (datetime), start (datetime) | |
| MDEHunting | smb_discovery | Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares. | end (datetime), start (datetime) | |
| MDEHunting | tor | Looks for Tor client, or for a common Tor plugin called Meek. | end (datetime), start (datetime) | |
| MDEHunting | uncommon_powershell | Find which uncommon Powershell Cmdlets were executed on that machine in a certain time period. | end (datetime), host_name (str), start (datetime), timestamp (str) | |
| MDEHunting | user_enumeration | The query finds attempts to list users or groups using Net commands | end (datetime), start (datetime) |
Data Environment identifier: SecurityGraph
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| SecurityGraphAlert | get_alert | Retrieves a single alert by AlertId | alert_id (str) | |
| SecurityGraphAlert | list_alerts | Retrieves list of alerts | end (datetime), start (datetime) | |
| SecurityGraphAlert | list_alerts_for_file | Retrieves list of alerts for file name, path or hash | end (datetime), start (datetime) | |
| SecurityGraphAlert | list_alerts_for_host | Retrieves list of alerts for a hostname or FQDN | end (datetime), host_name (str), start (datetime) | |
| SecurityGraphAlert | list_alerts_for_ip | Retrieves list of alerts for a IP Address | end (datetime), ip_address (str), start (datetime) | |
| SecurityGraphAlert | list_alerts_for_user | Retrieves list of alerts for a user account | end (datetime), start (datetime) | |
| SecurityGraphAlert | list_related_alerts | Retrieves list of alerts with a common entity | end (datetime), start (datetime) |
Data Environment identifier: Splunk
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| Alerts | list_alerts | Retrieves list of alerts | end (datetime), start (datetime) | |
| Alerts | list_alerts_for_dest_ip | Retrieves list of alerts with a common destination IP Address | end (datetime), ip_address (str), start (datetime) | |
| Alerts | list_alerts_for_src_ip | Retrieves list of alerts with a common source IP Address | end (datetime), ip_address (str), start (datetime) | |
| Alerts | list_alerts_for_user | Retrieves list of alerts with a common username | end (datetime), start (datetime), user (str) | |
| Alerts | list_all_alerts | Retrieves all configured alerts | end (datetime), start (datetime) | |
| Authentication | list_logon_failures | All failed user logon events on any host | end (datetime), start (datetime) | |
| Authentication | list_logons_for_account | All successful user logon events for account (all hosts) | account_name (str), end (datetime), start (datetime) | |
| Authentication | list_logons_for_host | All logon events on a host | end (datetime), host_name (str), start (datetime) | |
| Authentication | list_logons_for_source_ip | All successful user logon events for source IP (all hosts) | end (datetime), ip_address (str), start (datetime) | |
| SplunkGeneral | get_events_parameterized | Generic parameterized query from index/source | end (datetime), start (datetime) | |
| SplunkGeneral | list_all_datatypes | Summary of all events by index and sourcetype | end (datetime), start (datetime) | |
| SplunkGeneral | list_all_savedsearches | Retrieves all saved searches | end (datetime), start (datetime) | |
| audittrail | list_all_audittrail | Retrieves all audit trail logs | end (datetime), start (datetime) |
Data Environment identifier: ResourceGraph
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| ResourceGraph | list_detailed_virtual_machines | Retrieves list of VMs with network details | resources | |
| ResourceGraph | list_public_ips | Retrieves list of resources with public IP addresses | resources | |
| ResourceGraph | list_resources | Retrieves list of resources | resources | |
| ResourceGraph | list_resources_by_api_version | Retrieves list of resources for each API version | resources | |
| ResourceGraph | list_resources_by_type | Retrieves list of resources by type | resource_type (str) | resources |
| ResourceGraph | list_virtual_machines | Retrieves list of VM resources | resources | |
| Sentinel | get_sentinel_workspace_for_resource_id | Retrieves Sentinel/Azure monitor workspace details by resource ID | resource_id (str) | resources |
| Sentinel | get_sentinel_workspace_for_workspace_id | Retrieves Sentinel/Azure monitor workspace details by workspace ID | workspace_id (str) | resources |
| Sentinel | list_sentinel_workspaces_for_name | Retrieves Sentinel/Azure monitor workspace(s) details by name and optionally resource group and/or subscription_id | workspace_name (str) | resources |
Data Environment identifier: Sumologic
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| SumologicGeneral | list_all_datatypes | Summary of all events by sourceCategory | end (datetime), start (datetime) |
Data Environment identifier: LocalData
| QueryGroup | Query | Description | Req-Params | Table |
|---|---|---|---|---|
| Azure | list_all_signins_geo | List all Azure AD logon events | ||
| Network | list_azure_network_flows_by_host | List Azure Network flows by host name | ||
| Network | list_azure_network_flows_by_ip | List Azure Network flows by IP address | ||
| SecurityAlert | list_alerts | Retrieves list of alerts | ||
| WindowsSecurity | get_process_tree | Get process tree for a process | ||
| WindowsSecurity | list_host_events | List events failures on host | ||
| WindowsSecurity | list_host_logon_failures | List logon failures on host | ||
| WindowsSecurity | list_host_logons | List logons on host | ||
| WindowsSecurity | list_host_processes | List processes on host |