Zeek and Defender Endpoint
Microsoft Defender for Endpoint has had Zeek built in since October 2022, and it comes in handy with remote workforces when you are doing incident response. When it was first released it only supported a few protocols, but it now supports 7. Run the following query to get the current list of Zeek protocols it supports.
DeviceNetworkEvents
| where ActionType contains 'ConnectionInspected'
| distinct ActionType
DnsConnectionInspected
SslConnectionInspected
HttpConnectionInspected
IcmpConnectionInspected
SshConnectionInspected
SmtpConnectionInspected
FtpConnectionInspected
The Zeek (formerly Bro) data is in the "AdditionalFields" column of HTTP events. Here are the fields currently available to query.
direction
host
method
request_body_len
response_body_len
status_code
tags
trans_depth
uri
user_agent
version
A simple query that returns all POST requests, to get a feel for how it works.
DeviceNetworkEvents
| where ActionType == 'HttpConnectionInspected' and AdditionalFields contains "POST"
Quick Scenario
A device named ClickHappy received a phishing email whose link went to IP 1.2.3.4, and the credential-harvesting web form submits an HTTP POST. The user was off the corporate network at the time, so you do not have your usual network monitoring stack to rely on. You can query Defender to see whether the device sent a POST to that website.
DeviceNetworkEvents
| where ActionType == 'HttpConnectionInspected' and AdditionalFields contains "POST" and DeviceName contains "Clickhappy" and RemoteIP == "1.2.3.4"
If you got a result for the query, the user likely fell for the attack.
The additional fields are JSON; to search a specific field, parse them with todynamic() and filter on the extracted value. In this case, I'm looking for the user agent "gSOAP/2.7".
DeviceNetworkEvents
| where Timestamp > ago(1h) and ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend user_agent = tostring(json.user_agent)
| where user_agent == "gSOAP/2.7"
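As an added example (not from the original post), here is the ClickHappy scenario rewritten to use the JSON extraction just shown: it filters on the parsed method rather than on any field that happens to contain "POST", and summarises what the device actually submitted and whether the server accepted it. The Zeek field names are the HTTP fields listed above; DeviceName, RemoteIP and RemotePort are standard DeviceNetworkEvents columns, and the device name and IP are the scenario's placeholders.

```kql
// Added example: scenario POST hunt using parsed Zeek HTTP fields.
// Device name and IP are the placeholders from the scenario above.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend method      = tostring(json.method),
         host        = tostring(json.host),
         uri         = tostring(json.uri),
         user_agent  = tostring(json.user_agent),
         status_code = toint(json.status_code),
         req_bytes   = tolong(json.request_body_len)
// Match the real request method, not a substring anywhere in AdditionalFields
| where method == "POST"
// =~ is case-insensitive equality, so "Clickhappy" and "ClickHappy" both match
| where DeviceName =~ "ClickHappy" and RemoteIP == "1.2.3.4"
// One row per form target: how many POSTs, how much body was sent
// (a credential form is rarely 0 bytes), and the server's response code
| summarize Posts      = count(),
            BytesSent  = sum(req_bytes),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            UserAgents = make_set(user_agent)
          by DeviceName, RemoteIP, RemotePort, host, uri, status_code
| order by FirstSeen asc
```

A non-zero BytesSent with a 2xx or 3xx status_code is the strongest indicator that the form was actually submitted and accepted.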
There are many great hunts people already run against Zeek data in Security Onion, and all of them still apply to this data set. You can also pull in external data and query against it. In this case, we are fetching a list of malicious user agents and joining it against the last 5 days of HTTP events.
let bad_useragent = (externaldata(useragent_list: string)
[@"https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list"]
with (format= "txt"))
| project useragent_list;
bad_useragent
| join (DeviceNetworkEvents
| where Timestamp > ago(5d) and ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend user_agent = tostring(json.user_agent)
) on $left.useragent_list == $right.user_agent
For DNS events, these are the fields available to query.
direction
trans_id
rtt
query
qclass
qclass_name
qtype
qtype_name
rcode
uid
rcode_name
AA
TC
RD
RA
answers
TTLs
rejected
ts
To search for a specific DNS query name, use the query below.
DeviceNetworkEvents
| where ActionType == 'DnsConnectionInspected'
| extend json = todynamic(AdditionalFields)
| extend query = tostring(json.query)
| where query == "download.windowsupdate.com"
Microsoft has published some great articles covering other queries and useful details, so check them out below.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enrich-your-advanced-hunting-experience-using-network-layer/ba-p/3794693
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-network-signatures-in-microsoft-defender-for/ba-p/3429520