ContraForce has features dedicated to threat hunting. This article will provide a starting point for how to use these pages along with example queries.
Overview
Within ContraForce, users have access to the Sentinel Advanced Threat Hunting page and the Defender XDR Advanced Threat Hunting page. These dedicated pages enable users to construct and run queries to dig deeper into data within a workspace.
Module Features
If a tenant has onboarded the ContraForce XDR module, users will only be able to access the Defender XDR Advanced Threat Hunting page. However, if the XDR + SIEM module has been onboarded, users will gain access to both the Sentinel Advanced Threat Hunting page and the Defender XDR Advanced Threat Hunting page.
What if I don't know how to write queries?
If you're unfamiliar with writing queries in KQL, Microsoft offers numerous free courses to help users learn how to create KQL queries. Additionally, there are many open-source GitHub repositories available that contain queries to give users a solid starting point when beginning to use KQL.
A few popular GitHub repos have been linked below.
Bert-Jan/Hunting Queries & Detection Rules
cyb3rmik3 KQL Threat Hunting Queries
Sentinel Advanced Threat Hunting
The screenshot above shows the results of a very simple OfficeActivity query that was ran within a log analytics workspace. As the user inputs their query, suggesstions will be shown within the text box.
Additionally, the user can change between workspaces by clicking on the dropdown arrow near the log analytics workspace name. The workspace currently selected will be highlighted in blue.
The Workspace Schema can be expanded by clicking the dropdown arrow to show additional parameters that can be queried within the Threat Hunting Page. Additionally, the Workspace Schema tab can be collapsed.
Considerations
Note that if a workspace has not consented the ContraForce Sentinel Hunting service principal, the Sentinel Hunting page will not be enabled for that workspace and an error message will be shown. This service principal can be consented within the Settings page.
Similarly, if ContraForce Microsoft Defender XDR service principal has not been consented, an error message will be shown. This service principal can be consented within the Settings page.
Additionally, the workspace schema changes between Sentinel and Defender XDR. This means that queries used in Sentinel will not function in the Defender XDR Advanced Threat Hunting page. In the two repo's linked at the beginning of this article, a Defender alternative is often provided for many of the Sentinel queries.
If you have any questions about this article, please feel free to contact support@contraforce.com.