How to view ALL my Microsoft Graph Security Detections

9 Jun 2022

How to view ALL my Microsoft Graph Security Detections

For folks that have joined the MTR Connector EAP and enabled the MS Graph Security connector I wanted to provide a simple set of instructions for how you can view all your detections.

More detailed queries are available in the query section, but for a quick look at what the MTR team is now able to see I have the instructions below.

Simply log into central and navigate to the Threat Analysis Center

Then to Live Discover

Turn on Designer Mode

Select Create new query

This will be a data lake query so select that modal

Now paste in the following SQL Code

Fullscreen

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
SELECT 
   id,
   event_date_time,
   severity,
   CASE severity WHEN 'HIGH' THEN 5 WHEN 'MEDIUM' THEN 3 ELSE 1 END Sophos_Risk_Score,
   category, 
   status,
   title,
   description,
   processes,
   recommended_actions,
   incident_ids,
   malware_states,
   host_states,
   user_states,
   network_connections,
   registry_key_states,
   vulnerability_states,
   cloud_app_states,    
   additional_fields,
   security_resources,
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

SELECT 
   id,
   event_date_time,
   severity,
   CASE severity WHEN 'HIGH' THEN 5 WHEN 'MEDIUM' THEN 3 ELSE 1 END Sophos_Risk_Score,
   category, 
   status,
   title,
   description,
   processes,
   recommended_actions,
   incident_ids,
   malware_states,
   host_states,
   user_states,
   network_connections,
   registry_key_states,
   vulnerability_states,
   cloud_app_states,	
   additional_fields,
   security_resources,
   source_materials,

   '--------------' "Additional_fields-->",
   activity_group_name,
   assigned_to	azure_subscription_id,
   azure_tenant_id,
--   category,
   closed_date_time,
--   cloud_app_states,	
   comments,
   confidence,
   created_date_time,
--   description,
   detection_ids,
--   event_date_time,
--   feedback	file_states,
--   host_states,
--   id,
   incident_ids,
   last_modified_date_time,
--   malware_states,
--   network_connections,
--   processes,
--   recommended_actions,
--   registry_key_states,
--   security_resources,
--   severity,
--   source_materials,
--   status,
   tags,
--   title,
   triggers,
--   user_states,
   vendor_information,
--   vulnerability_states,
   message_identifier,
   customer_id,
   ingestion_timestamp,
   sensor_id,
   sensor,
   sensor_version,
   schema_version,
   record_size,
--   additional_fields,
   customer_bucket,
   ingest_date
FROM mdr_ms_graph_api_data
ORDER BY category ASC, Sophos_Risk_Score DESC, event_date_time DESC

And then select RUN

The results of the query should take a few seconds and you will see a list of all detections

This summer we will be updating central to automatically show the detection in the the main detections dashboard. For now know that these detections are reaching the MTR Security team and we are evaluating if an investigation is warranted given the alert information.

Thanks

Karl