Tuesday, August 24, 2021

Advanced Hunting: Surfacing more email data from Microsoft Defender for Office 365

As part of this update, we have added new columns that enable more relevant and effective investigations. These additions to the EmailEvents, EmailAttachmentInfo, and EmailPostDeliveryEvents tables are currently available in public preview.

We've made the following updates to these tables:

  • AuthenticationDetails (EmailEvents table) – This column includes detailed information about the different authentication checks that have been applied or analyzed, such as SPF, DKIM, DMARC, and CompAuth. While SPF, DKIM, and DMARC are the industry-standard checks, composite authentication (CompAuth) is a value indicating that a combination of different email authentication checks, such as SPF, DKIM, and DMARC, was used to determine whether the message is authentic. It uses the domain in the From field of the email as the basis for the evaluation.

Note: In some cases, a record will not show all the values in this column. This can occur if a partial check was needed to return a verdict for the email.

  • FileSize (EmailAttachmentInfo table) – This column provides the size of an email attachment in bytes.
  • ThreatTypes and details (EmailPostDeliveryEvents table) – Before the update, the EmailPostDeliveryEvents table already contained information about all actions attempted on an email after delivery, including ZAP and manual remediation actions. In addition to the action metadata, we've added details about threats and detection methods (when applicable) as separate columns within the table. This is useful for hunting scenarios involving delayed weaponization or updated verdicts. For these cases, look to join the events with the EmailEvents table to get a more comprehensive view.

Here are a few examples that make use of these fields:

// Check for spoofing attempts on the domain with SPF fails
EmailEvents
| where Timestamp > ago(1d) and DetectionMethods contains "spoof" and SenderFromDomain has "contoso.com"
| project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail"

// Identify potential exfiltration scenarios by querying outbound emails with large attachments
EmailEvents
| where EmailDirection == "Outbound" and AttachmentCount > 0
| join EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
| where toint(FileSize) > 10000
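The two queries above, re-implemented in Python over constructed sample rows as an added example (not code from the original post or from the product): it unpacks the AuthenticationDetails JSON the way bag_unpack does, treats a record with no SPF key (the partial-check case from the note) as unevaluated rather than as a fail, and joins attachments on NetworkMessageId and RecipientEmailAddress. Column names follow the page; the row values, detection strings and the ev() helper are constructed for the example.

```python
import json

def ev(msg_id, direction, rcpt, detection, auth, attachments=0):
    """Build one EmailEvents-shaped row (constructed sample data, not real telemetry)."""
    return {"NetworkMessageId": msg_id, "EmailDirection": direction, "SenderFromDomain": "contoso.com",
            "RecipientEmailAddress": rcpt, "DetectionMethods": detection,
            "AuthenticationDetails": auth, "AttachmentCount": attachments}

# AuthenticationDetails is the JSON string described above; msg-3 models the partial check
# from the note, where only CompAuth was evaluated and the SPF key is absent.
EMAIL_EVENTS = [
    ev("msg-1", "Inbound", "alice@contoso.com", '{"Spam":["Spoof intra-org"]}',
       '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'),
    ev("msg-2", "Inbound", "bob@contoso.com", "",
       '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'),
    ev("msg-3", "Inbound", "carol@contoso.com", '{"Spam":["Spoof external domain"]}',
       '{"CompAuth":"fail"}'),
    ev("msg-4", "Outbound", "ext@example.net", "",
       '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}', attachments=2),
]

# EmailAttachmentInfo-shaped rows: one per attachment per recipient, FileSize in bytes (constructed).
EMAIL_ATTACHMENT_INFO = [
    {"NetworkMessageId": "msg-4", "RecipientEmailAddress": "ext@example.net", "FileName": "q3.xlsx", "FileSize": 48213},
    {"NetworkMessageId": "msg-4", "RecipientEmailAddress": "ext@example.net", "FileName": "note.txt", "FileSize": 812},
]

def spf_failures(events, domain):
    """Mirror of the first query: spoof detections for `domain` whose unpacked SPF value is 'fail'.
    A record missing the SPF key (partial check) is reported separately, not counted as a fail."""
    fails, partial = [], []
    for e in events:
        if "spoof" not in e["DetectionMethods"].lower() or domain not in e["SenderFromDomain"]:
            continue
        auth = json.loads(e["AuthenticationDetails"]) if e["AuthenticationDetails"] else {}
        if "SPF" not in auth:
            partial.append(e["NetworkMessageId"])
        elif auth["SPF"] == "fail":
            fails.append(e["NetworkMessageId"])
    return fails, partial

def large_outbound_attachments(events, attachments, min_bytes=10000):
    """Mirror of the second query: join on NetworkMessageId + RecipientEmailAddress, keep FileSize > min_bytes."""
    outbound = {(e["NetworkMessageId"], e["RecipientEmailAddress"])
                for e in events if e["EmailDirection"] == "Outbound" and e["AttachmentCount"] > 0}
    return [(a["NetworkMessageId"], a["FileName"], a["FileSize"]) for a in attachments
            if (a["NetworkMessageId"], a["RecipientEmailAddress"]) in outbound and a["FileSize"] > min_bytes]
```

Rows in the `partial` list are the ones the KQL `where SPF == "fail"` filter silently drops, so they are worth a second look rather than being treated as clean.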

Read more about Advanced Hunting over here and learn about the schema for the email tables over here.

To start hunting using these enhancements, turn on public preview features for Microsoft 365 Defender. Leave a comment below for thoughts and questions, or use the feedback button in the portal.

Posted at https://sl.advdat.com/3Dfslub