splunk
MS Defender Advanced Hunting
Splunk Cloud
Overview
Details
This App can query MS Defender Advanced Hunting with their format.
Please feel free to contact me if you have any questions or requests.
Please feel free to contact me if you have any questions or requests.
Technical Add-on MS Defender Advanced Hunting
When updating from v0.1.x to v0.2.x, please re-setup the credentials
1. Overview
This App can use Advanced Hunting with their query format (KQL) through Microsoft Defender for Endpoint API.
Microsoft offers three APIs for Microsoft Defender Endpoint to use Advanced Hunting.
- Microsoft Defender for Endpoint
- Microsoft Defender XDR
- Microsoft Graph REST API
This app can automatically recognize which API endpoint you choose, and query it.
If two or three are used in a single app, this app will give priority to "Microsoft Defender for Endpoint".
Please refer this for more detail about the endpoint.
2. Installation
- Create an App on Microsoft Entra ID according to one of the following. I recommend to choose "Microsoft Graph REST API".
- Microsoft Defender for Endpoint
- Create an app to access Microsoft Defender for Endpoint without a user
- And add
AdvancedQuery.Read.Allpermission.
- Microsoft Defender XDR
- Create an app to access Microsoft Defender XDR without a user
- And add
AdvancedHunting.Read.Allpermission.
- Microsoft Graph REST API
- Get access without a user
- And add
ThreatHunting.Read.Allpermission.
- Microsoft Defender for Endpoint
- Keep a note your Directory (Tenant) ID, Application (Client) ID and Client Secret of your Azure App.
- Go to Splunk Configuration page.
- App -> Configuration -> Account Settings
- Set a unique credential name, Directory (Tenant) ID, Application (Client) ID and Client Secret you got previous step.
2.1 Account Settings
- Description of the Account Settings page
| Label | Description |
|---|---|
| Account name | Required. Set unique name for this credential. |
| Client ID | Required. Set Application (Client) ID. |
| Client Secret | Required. Set Client Secret. |
| Tenant ID | Required. Set Directory (Tenant) ID. |
| Default Credential | Optional. If checked, this app use this credentail as default. |
| Request read timeout (in seconds) | Optional. This means the read timeout for API request. Default value is 60s. |
| Request connection timeout (in seconds) | Optional. This means the connection timeout for API request. Default value is 10s. |
| Request retry num | Optional. This means the number of retry for API request when API returns server error. Default value is 0. |
3. Usage
| Command | Type | Description |
|---|---|---|
| advhunt | Generating Command | Fetch data using Advanced Hunting query |
3.1 advhunt command
- Returns a list of query results that you set your Advanced Hunting query.
| Options | Description |
|---|---|
| query | Required. Set your Advanced Hunting Query |
| renew | Optional. If it set as "True", this app will force to update an access token. |
| cred | Optional. Set the unique credential name you want to use. - Not set: use the default credential which is checked in setup page. - Single value: use the specified value. e.g. cred="cred1" - Multi value: use the specified comma separated value. e.g. cred="cred1,cred2" - set all: use all credentials. e.g. cred="all" |
- Example 1
- If you want to search the word contains
\, please use\\\\\\\or\\\x5cin SPL.
- If you want to search the word contains
| advhunt query="DeviceFileEvents
| where Timestamp > ago(1d)
| where FolderPath matches regex 'C:\\\x5cUsers' or FolderPath matches regex 'C:\\\\\\\Users'
| project Timestamp, DeviceId, DeviceName, ActionType, FolderPath, FileName"
| spath input=_raw
- Example 2
- Force to renew the access token.
| advhunt renew=True query="AlertInfo
| where Timestamp > ago(3d)
| limit 2"
| spath input=_raw
- Example 3
- Query an advanced hunting using the result of the previous SPL
| makeresults
| eval ActionType = "AntivirusReport,HogeReport"
| makemv delim="," ActionType
| mvexpand ActionType
| mvcombine ActionType
| eval query = "('" . mvjoin(ActionType, "', '") . "')"
| map search="| advhunt query=\"DeviceEvents | where ActionType has_any $query$ \" | spath input=_raw | table * "
- Example 4
- Query to multiple tenants.
- If you have multi tenants and want to query againt them, you can use this option.
- Please set each credentail in setup page and use the name in
cred="<here>"
- Please set each credentail in setup page and use the name in
| advhunt cred="tenant1_cred,tenant2_cred" query="AlertInfo"
- Example 5
- use subserach pattern.
| advhunt [| makeresults
| eval query = "DeviceFileEvents
| where Timestamp > ago(1d)
| limit 1"
| return query ]
| spath
4. Note
Required privileges
- To use this app, users need following privileges.
- list_storage_passwords
- admin_all_objects
- If you don't want to grant the user "admin_all_objects", there are three workarounds:
- Update local.meta and grant the user "edit_storage_passwords".
- Contents to add to local.meta
[passwords] access = read : [*], write : [*]
- Contents to add to local.meta
- Create a report to update an access token for Microsoft Endpoint in passwords.conf by the user who has "admin_all_objects" every 30 minutes. This allows normal users to simply use the current valid access token in passwords.conf and it's enough for the normal user to grant only list_storage_passwords.
- Just stop to grant the user "admin_all_objects" and do nothing. In this case, this app try to communicate with Microsoft for getting new access token in every advhunt command. This makes the command run slower.
- Update local.meta and grant the user "edit_storage_passwords".
Differences between each Endpoint
- If you choose "Microsoft Defender for Endpoint", you can't query againt some schema.
- ex. AlertInfo, AlertEvidence
Restriction of Microsoft Endpoint
- Limitation, Quotas and resource allocation of API
- Microsoft Defender for Endpoint Advanced hunting API
- Microsoft Defender XDR Advanced hunting API
- Use the Microsoft Graph security API
5. Debug
- Please check the internal log.
index=_internal source="*advanced_hunting*" NOT "__init__"
6. Relase History
v0.2.1
- Add retry and timeout settings for API request
v0.2
- Change setting GUI, password and config architecture. This change affected existing config file.
- Add Graph API capability
- fix bug
v0.1.2-0.1.3
- Update splunk sdk
v0.1.1
- Fix for the cloud compatibility check
v0.1.0
- This is a miner version up.
- Fix to be able to query for multiple tenants using cred option.
- Caution: This version does not have backward compatibility. Please set your credential again.
Release Notes
Version 0.2.4
April 18, 2025
- Fixed a bug ( retry didn't work in POST request)
Version 0.2.3
March 25, 2025
When updating from v0.1.x to v0.2, please re-setup the credentials
- Migrated from AOB to UCC
- Refactored
- Fixed libraries
- Fixed bugs (NoneType of storage_passwords and session token expired error in getting log level)
Version 0.2.1
March 9, 2025
When updating from v0.1.x to v0.2, please re-setup the credentials
- Add retry and timeout settings for API
Version 0.2.0
Feb. 27, 2025
- Please re-setup your credentials
- Change setting GUI, password and config architecture. This change affected existing config file.
- Add Graph API capability
Version 0.1.3
Dec. 15, 2024
Update Splunk SDK
Version 0.1.1
April 18, 2025
Fix for the cloud compatibility check
Version 0.0.9
Sept. 14, 2022
- Fix error for Splunk Cloud
- Add python version to commands.conf
- Change logging format.
Version 0.0.8
Sept. 10, 2022
Delete a comment for Splunk Cloud environment, which cause an error.
Version 0.0.7
Aug. 16, 2022
Fix timestamp format error.
Version 0.0.6
July 4, 2022
Changed to automatically recognize plans.