Cheat sheets can be handy for penetration testers, security analysts, and for many other technical roles. They provide best practices, shortcuts, and other ideas that save defenders a lot of time. They are especially helpful when working with tools that require special knowledge like advanced hunting because:
The required syntax can be unfamiliar, complex, and difficult to remember.
Often someone else has already thought about the same problems we want to solve and has written elegant solutions.
We can use some inspiration and guidance, especially when just starting to learn a new programming or query language.
Examples of the most frequently used cases and queries can help us quickly understand both the problem space and the solution.
In the area of Digital Forensics Incident Response (DFIR), there are some great existing cheat sheets. Many of them are bookmarked or, in some cases, printed and hanging somewhere in the Security Operations Center (SOC).
Recently, several Microsoft employees and security analysts from large enterprise customers and partners came together to work on a community project to build the very first cheat sheet for advanced hunting in Microsoft Threat Protection. To get it done, we had the support and talent of Marcus Bakker, Maarten Goet, Pawel Partyka, Michael Melone, Tali Ash,and Milad Aslaner.
You can get the cheat sheet in light and dark themes in the links below:
Microsoft Threat Protection’s advanced hunting community is continuously growing, and we are excited to see that more and more security analysts and threat hunters are actively sharing their queries in the public repository on GitHub. This GitHub repo provides access to many frequently used advanced hunting queries across Microsoft Threat Protection capabilities as well as new exciting projects like Jupyter Notebook examples and now the advanced hunting cheat sheet.
You can explore and get all the queries in the cheat sheet from the GitHub repository.
For more information about advanced hunting and Kusto Query Language (KQL), go to: