Agent Foskett Academy • Lesson 88 • Threat Hunting Investigation

Building an IOC Hunt in Microsoft Defender XDR.

One hash appeared on one device.

Then the same domain appeared in network telemetry.

One clue became an enterprise-wide hunt.

Agent Foskett followed the indicators.

Agent Foskett Academy lesson building an IOC hunt in Microsoft Defender XDR
Lesson overview

Learn how defenders build an IOC hunt by searching for malicious hashes, file names, IP addresses, domains, URLs, senders and accounts across Microsoft Defender XDR telemetry.

Hunt for malicious file hashes
Search domains, URLs and IP addresses
Pivot across endpoint, email and identity data
Summarise scope and affected systems

Why IOC hunting matters

Microsoft Defender XDR IOC hunting helps defenders move from one suspicious clue to an environment-wide scope question: where else did this indicator appear?
IOCs turn clues into scopeAn IOC can start as one hash, file name, IP address, domain, URL, sender or account. Hunting shows whether that clue appears elsewhere.
Scope changes the responseOne infected device is one response. Ten devices contacting the same domain changes containment, remediation and communication priorities.
Multiple tables tell the storyDeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents and UrlClickEvents help defenders follow indicators across endpoint and email activity.

The IOC hunt workflow

Agent Foskett investigates IOCs by starting with one indicator, expanding across Defender XDR telemetry and proving whether the same threat appears anywhere else.
1. What is the IOC?Start with the known indicator: hash, file name, IP address, domain, URL, sender, account or device name.
2. Where has it appeared?Search across endpoint, email, URL click, network and identity telemetry to determine environment-wide exposure.
3. Which devices are affected?Identify device names, user accounts, timestamps and related process activity connected to the indicator.
4. Did it execute?Use process and file telemetry to determine whether the IOC was only present or actively used.
5. Did it communicate externally?Use network telemetry to identify whether devices connected to IOC domains, URLs or IP addresses.
6. Was email involved?Search senders, subjects, URLs and clicked links to determine whether the indicator entered through email.
7. Are accounts involved?Search identity and logon data to identify accounts connected to the same indicator or compromised activity.
8. Can the hunt be proven?Document where the IOC appeared, what it did, what was affected and which follow-up actions are required.

Step 1 — Hunt for a known file hash

Start with a known SHA1 or SHA256 hash to determine whether the same file appeared on other devices.
step-1-file-hash-hunt.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let IocHash = "REPLACE_WITH_SHA256";
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 == IocHash or SHA1 == IocHash
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountUpn,
          FileName,
          FolderPath,
          SHA1,
          SHA256,
          InitiatingProcessFileName
| order by Timestamp desc

Step 2 — Hunt for suspicious file names and process execution

File names and command lines can help identify whether the same payload or script executed elsewhere.
step-2-file-name-process-hunt.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let SuspiciousFileNames = dynamic(["invoice.exe", "update.js", "payload.dll"]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ (SuspiciousFileNames)
   or ProcessCommandLine has_any (SuspiciousFileNames)
| project Timestamp,
          DeviceName,
          AccountUpn,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 3 — Hunt for suspicious domains and URLs

Domains and URLs often connect endpoint, email and click evidence across the investigation.
step-3-domain-url-hunt.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let IocDomains = dynamic(["example-bad-domain.com", "login-update.example"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (IocDomains)
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountUpn,
          InitiatingProcessFileName,
          RemoteUrl,
          RemoteIP
| order by Timestamp desc

Step 4 — Hunt for suspicious IP addresses

IP address hunting can reveal devices that connected to known malicious infrastructure.
step-4-ip-address-hunt.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let IocIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (IocIPs)
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountUpn,
          InitiatingProcessFileName,
          RemoteIP,
          RemotePort,
          ActionType
| order by Timestamp desc

Step 5 — Hunt through URL click evidence

UrlClickEvents helps determine whether users clicked links associated with the IOC and whether Safe Links recorded the interaction.
step-5-email-url-ioc-hunt.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let IocUrls = dynamic(["https://example-bad-domain.com/login"]);
UrlClickEvents
| where Timestamp > ago(30d)
| where Url has_any (IocUrls) or UrlChain has_any (IocUrls)
| project Timestamp,
          AccountUpn,
          Url,
          UrlChain,
          ActionType,
          IsClickedThrough,
          NetworkMessageId
| order by Timestamp desc

Step 6 — Summarise IOC hunt results

Summarising findings helps defenders turn raw IOC matches into scope, affected devices and follow-up actions.
step-6-summarise-ioc-hunt.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let IocDomain = "example-bad-domain.com";
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl contains IocDomain
| summarize FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            Devices=dcount(DeviceName),
            DeviceList=make_set(DeviceName),
            Accounts=make_set(InitiatingProcessAccountUpn)
          by RemoteUrl
| order by Devices desc

How to read IOC hunt evidence

An IOC hunt is stronger when it shows where the indicator appeared, when it appeared, which device or account was involved and what happened next.
First seen mattersThe first time an IOC appears helps identify the likely start of exposure and where to begin the timeline.
Device and account context mattersIOC matches should always be reviewed with device, user, process and timestamp context.
Repeat sightings matterThe same hash, domain, URL or IP address appearing across multiple devices may indicate campaign activity or wider compromise.
Containment depends on scopeDefenders need to understand how broadly the IOC appeared before deciding containment, remediation and communication actions.

Real-world investigation

The first indicatorA suspicious file hash is found on one workstation during an endpoint investigation.
The expanded huntThe same hash appears on two additional devices, and a related domain appears in network telemetry.
The email connectionUrlClickEvents shows several users clicked a URL associated with the same domain.
The affected scopeThe investigation identifies affected devices, accounts, timestamps, URLs, domains and file hashes.
The conclusionThe IOC hunt proves the activity was not isolated and requires environment-wide remediation.
The responseAgent Foskett documents the scope, contains affected devices and uses the IOC list for follow-up hunting.

Investigation checklist

Hash searchedSearch SHA1 and SHA256 values across file and process telemetry.
File names searchedSearch suspicious file names and command-line references across process telemetry.
Network IOCs searchedSearch domains, URLs and IP addresses across device network activity.
Email and clicks searchedSearch EmailEvents and UrlClickEvents for related senders, URLs and click activity.
Accounts reviewedReview user accounts connected to IOC activity and suspicious logons.
Results summarisedSummarise first seen, last seen, affected devices, accounts and related indicators.

Related Agent Foskett Academy lessons

Investigating Persistence TechniquesUnderstand scheduled tasks, registry changes, services and attacker methods used to maintain access.
Investigating Credential TheftConnect stolen credentials and suspicious authentication activity to wider investigation scope.
Building a Device TimelineCorrelate process, network, file and logon activity into a device-level timeline.
Investigating Living Off The Land (LOLBins)Identify legitimate Windows tools abused by attackers during endpoint investigations.
Investigating PowerShell AttacksReview encoded commands, suspicious PowerShell execution and related endpoint evidence.
Investigating Ransomware BehaviourInvestigate encryption activity, mass file changes and suspicious processes.

Coming next

Lesson 89 — Building an Incident Timeline in Microsoft Defender XDRNext, Agent Foskett Academy turns IOC findings into a complete incident timeline, helping defenders explain what happened, when it happened and which systems were affected.
Why this mattersIOC hunts show where suspicious indicators appeared. Incident timelines show the full sequence of attacker behaviour and response actions.

Final thought

An IOC is not the whole incident. It is a clue that helps defenders find where the story continues.
Agent Foskett mindsetDo not stop at one indicator. Follow the hash, domain, URL, IP address, sender or account until the full scope is understood.
The indicator opened the huntOne IOC can reveal one device, one campaign or a wider compromise across the environment.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Building an IOC Hunt in Microsoft Defender XDR

Agent Foskett Academy Lesson 88 teaches defenders how to build an IOC hunt in Microsoft Defender XDR.

IOC hunt investigation workflow

This lesson explains how DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents, UrlClickEvents and IdentityLogonEvents help defenders hunt for malicious hashes, file names, IP addresses, domains, URLs, senders and accounts across the environment.