This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 93%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
While running below query over Advance Hunting I got "An unexpected error occurred during query execution. Please try again in a few minutes."
I am not sure about the error but would like to understand why the error and how to resolve the same.
Query:
//Description:
//The query looks for several different MITRE techniques, grouped by risk level.
//A weighting is applied to each risk level and a total score calculated per machine
//Techniques can be added/removed as required
//
let weights = dynamic({"Low":1, "Medium":3, "High":5}); //Assign weights to the risk levels
//Low risk events
let lowRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "powershell.exe" and ProcessCommandLine has "-command") //T1086 PowerShell
or
(FileName =~ "powershell.exe" and ProcessCommandLine contains "-nop") //T1086 PowerShell
or
(FileName =~ "schtasks.exe" and ProcessCommandLine has "create") //T1053 Scheduled Task
or
(FileName =~ "installutil.exe") //T1118 InstallUtil
or
(FileName =~ "msbuild.exe") //T1127 Trusted Developer Utilities
or
(FileName =~ "nbtstat.exe") //T1016 System Network Configuration Discovery
or
(FileName == "mshta.exe") //T1170 Mshta
or
(FileName =~ "netsh.exe") //T1089 Disabling Security Tools, T1063 Security Software Discovery
or
(FileName == "net.exe" and ProcessCommandLine has " start ") //T1007 System Service Discovery
| extend Weight = toint((weights["Low"]));
//Medium risk events
let mediumRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "regsvcs.exe") //T1121 Regsvcs/Regasm
or
(FileName =~ "arp.exe" and ProcessCommandLine has "-a") //T1016 System Network Configuration Discovery
or
(FileName =~ "ipconfig.exe" and ProcessCommandLine has "all") //T1016 System Network Configuration Discovery
or
(FileName startswith "psexe") //T1035 Service Execution
or
(FileName == "net.exe" and ProcessCommandLine has " share ") //T1135 Network Share Discovery
or
(FileName =~ "netsh.exe" and ProcessCommandLine has "interface show") //T1016 System Network Configuration Discovery
| extend Weight = toint((weights["Medium"]));
//Higher risk events
let highRiskEvents =
DeviceProcessEvents
| where
(FileName =~ "net.exe" and ProcessCommandLine has "config") //T1016 System Network Configuration Discovery
or
(FileName =~ "net.exe" and ProcessCommandLine has "time") //T1124 System Time Discovery
or
(FileName =~ "w32tm.exe" and ProcessCommandLine has "/tz") //T1124 System Time Discovery
or
(FileName == "cmstp.exe") //T1191 CMSTP
or
(FileName =~ "netsh.exe" and (ProcessCommandLine has "portproxy" or ProcessCommandLine has "p")) //T1090 Connection Proxy
| extend Weight = toint((weights["High"]));
union kind=outer lowRiskEvents, mediumRiskEvents, highRiskEvents
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, Weight
| summarize Start_Time=min(Timestamp), End_Time=max(Timestamp), Weight_Sum=sum(Weight), Processes=makeset(FileName), Commands=makeset(ProcessCommandLine) by DeviceName
| where Weight_Sum > 30
| sort by Weight_Sum desc
Query Source: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
Thanks & Regards,
Pratik Pashte
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 75%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYE%3C/text%3E%3C/svg%3E)
Hi,
Microsoft Defender ATP is the product beyond support scope of tag windows-10-security (mainly discussing question about BitLocker, Windows Defender, Windows Firewall, and security technology for Windows 10). So, we manually removed the Windows-10-security tag.
Thank you for your understanding.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Since Microsoft Defender ATP has nothing to do with Microsoft Advanced Threat Analytics, we removed the ems-advanced-threat-analytics tag. Meanwhile, we think this is an Azure security related issue, and have added the azure-security-center tag.
@Pratik Pashte
Thanks for your post!
The GitHub link you posted, down at the bottom, you should be able to reach out to the developers who made this query by emailing - "wdatpqueriesfeedback@microsoft.com", you should also be able to create an issue on the repo itself, after clicking on the "issue page" link.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "mark as answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
@Pratik Pashte
I just wanted to check in and see if you were able to review my previous post.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "mark as answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.