In the Microsoft 365 Defender portal, go to Hunting to run your first query. Learn more about how you can evaluate and pilot Microsoft 365 Defender. For example, if you want to search for ProcessCreationEvents, where the FileName is powershell.exe. Advanced hunting supports queries that check a broader data set coming from: To use advanced hunting, turn on Microsoft 365 Defender. The official documentation has several API endpoints. Want to experience Microsoft 365 Defender? Search for applications that create or update a 7-Zip or WinRAR archive when a password is specified. The summarize operator can be easily replaced with project, yielding potentially the same results while consuming fewer resources: The following example is a more efficient use of summarize because there can be multiple distinct instances of a sender address sending email to the same recipient address. Use advanced mode if you are comfortable using KQL to create queries from scratch. Now remember earlier I compared this with an Excel spreadsheet. Instead, use regular expressions or use multiple separate contains operators. Feel free to comment, rate, or provide suggestions. Why should I care about Advanced Hunting? Learn more about the Understanding Application Control event IDs (Windows). Query Example 1: Query the application control action types summarized by type for the past seven days. This capability is supported beginning with Windows version 1607. This project welcomes contributions and suggestions. However, this is a significant undertaking when you consider the ever-evolving landscape of, On November 2, 2019, security researcher Kevin Beaumont reported that his BlueKeep honeypot experienced crashes and was likely being exploited. Try to find the problem and address it so that the query can work. Let us know if you run into any problems or share your suggestions by sending email to wdatpqueriesfeedback@microsoft.com.
Applies to: Microsoft 365 Defender. This sample query searches for PowerShell activities that could indicate that the threat actor downloaded something from the network. You can get data from files in TXT, CSV, JSON, or other formats. No three-character terms: Avoid comparing or filtering using terms with three characters or fewer. Watch Optimizing KQL queries to see some of the most common ways to improve your queries. Deconstruct a version number with up to four sections and up to eight characters per section. It indicates the file would have been blocked if the WDAC policy was enforced. Turn on Microsoft 365 Defender to hunt for threats using more data sources. Use limit or its synonym take to avoid large result sets. Also note that sometimes you might not have the absolute filename or might be dealing with a malicious file that constantly changes names. We've recently released a capability called Advanced Hunting in Windows Defender ATP that allows you to get unfiltered access to the raw data inside your Windows Defender ATP tenant and proactively hunt for threats using a powerful search and query language. Return the first N records sorted by the specified columns. You can view query results as charts and quickly adjust filters. Apply filters early: Apply time filters and other filters to reduce the data set, especially before using transformation and parsing functions, such as substring(), replace(), trim(), toupper(), or parse_json(). For guidance, read about working with query results. https://cla.microsoft.com. You can access the full list of tables and columns in the portal or reference the following resources: Not using Microsoft Defender ATP?
To get meaningful charts, construct your queries to return the specific values you want to see visualized. Advanced hunting is based on the Kusto query language and provides full access to raw data up to 30 days back. Convert an IPv4 address to a long integer. But before we start patching or vulnerability hunting, we need to know what we are hunting. You can then run different queries without ever opening a new browser tab. Learn about string operators. Because of the richness of data, you will want to use filters wisely to reduce unnecessary noise in your analysis. PowerShell execution events that could involve downloads. Following is how to create a monthly Defender ATP TVM report using advanced hunting and Microsoft Flow. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting. Depending on its size, each tenant has access to a set amount of CPU resources allocated for running advanced hunting queries. Reserve the use of regular expressions for more complex scenarios. Return the number of records in the input record set. Image 1: Example query that returns 5 random rows of the ProcessCreationEvents table, to quickly see some data. Image 2: Example query that returns all events from the ProcessCreationEvents table that happened within the last hour. Image 3: Outcome of ProcessCreationEvents with EventTime restriction. Generating Advanced hunting queries with PowerShell. The example below shows how you can utilize the extensive list of malware SHA-256 hashes provided by MalwareBazaar (abuse.ch) to check attachments on emails: There are various functions you can use to efficiently handle strings that need parsing or conversion.
After running your query, you can see the execution time and its resource usage (Low, Medium, High). There are more complex obfuscation techniques that require other approaches, but these tweaks can help address common ones. We are continually building up documentation about Advanced hunting and its data schema. It indicates the file didn't pass your WDAC policy and was blocked. In our first example, we'll use a table called ProcessCreationEvents and see what we can learn from there. Select New query to open a tab for your new query. To understand these concepts better, run your first query. Find rows that match a predicate across a set of tables. These operators help ensure the results are well-formatted and reasonably large and easy to process. To run another query, move the cursor accordingly and select. Return up to the specified number of rows. Advanced hunting data uses the UTC (Universal Time Coordinated) timezone. | where ProcessCommandLine contains ".decode('base64')" or ProcessCommandLine contains "base64 --decode" or ProcessCommandLine contains ".decode64(", | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine. Watch this short video to learn some handy Kusto query language basics. NOTE: As of late September, the Microsoft Defender ATP product line has been renamed to Microsoft Defender for Endpoint! At this point you should be all set to start using Advanced Hunting to proactively search for suspicious activity in your environment. It's early morning and you just got to the office.
The query below uses the summarize operator to get the number of alerts by severity. Now that your query clearly identifies the data you want to locate, you can define what the results look like. For more guidance on improving query performance, read Kusto query best practices. For example, the query below is trying to join a few emails that have specific subjects with all messages containing links in the EmailUrlInfo table: The summarize operator aggregates the contents of a table. FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"). At some point, you may want to tailor the outcome of a query after running it so that you can see the most relevant information as quickly as possible. Case-sensitive for speed: Case-sensitive searches are more specific and generally more performant. Signing information event correlated with either a 3076 or 3077 event. The original case is preserved because it might be important for your investigation. Hello Blog Readers, I have summarized the Linux Configuration and Operation commands in this cheat sheet for your convenient use. to provide a CLA and decorate the PR appropriately (e.g., label, comment). Advanced Hunting allows you to save your queries and share them within your tenant with your peers. Sample queries for Advanced hunting in Microsoft Defender ATP. It is now read-only. Within the Advanced Hunting action of the Defender . There will be situations where you need to quickly determine if your organization is impacted by a threat that does not yet have pre-established indicators of compromise (IOCs). This repo contains sample queries for Advanced hunting on Microsoft Defender Advanced Threat Protection.
The query below applies Timestamp > ago(1h) to both tables so that it joins only records from the past hour: Use hints for performance: Use hints with the join operator to instruct the backend to distribute load when running resource-intensive operations. While a single email can be part of multiple events, the example below is not an efficient use of summarize because a network message ID for an individual email always comes with a unique sender address. Going beyond these tactics though, you can use advanced hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously, as in the following example: . Integrating the generated events with Advanced Hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would influence those systems in real world usage. Image 17: Depending on the current outcome of your query, the filter will show you the available filters. Image 20: Identifying Base64 decoded payload execution. // Only looking for events that happened in the last 14 days, | where ProcessCommandLine contains ".decode('base64')" or ProcessCommandLine contains "base64 --decode" or ProcessCommandLine contains ".decode64(". After running a query, select Export to save the results to a local file. A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. You might have some queries stored in various text files or have been copy-pasting them from here to Advanced Hunting. MDATP Advanced Hunting sample queries. Note: I have updated the KQL queries below, but the screenshots themselves still refer to the previous (old) schema names.
Some information relates to prerelease product which may be substantially modified before it's commercially released. Successful=countif(ActionType == "LogonSuccess"). For example, the shuffle hint helps improve query performance when joining tables using a key with high cardinality (a key with many unique values), such as the AccountObjectId in the query below: The broadcast hint helps when the left table is small (up to 100,000 records) and the right table is extremely large. In an ideal world all of our devices are fully patched and the Microsoft Defender antivirus agent has the latest definition updates installed. Unfortunately, reality is often different. If you haven't yet, experience how you can effectively scale your organization's incident response capabilities by signing up for a free Microsoft Defender ATP trial. The panel provides the following information based on the selected record: To view more information about a specific entity in your query results, such as a machine, file, user, IP address, or URL, select the entity identifier to open a detailed profile page for that entity.
List devices with a scheduled task created by a virus, | where FolderPath endswith "schtasks.exe" and ProcessCommandLine has "/create" and AccountName != "system", List devices with phishing file extensions (double extensions) such as .pdf.exe, .docx.exe, .doc.exe, .mp3.exe, | project Timestamp, DeviceName, FileName, AccountSid, AccountName, AccountDomain, List devices blocked by Windows Defender Exploit Guard, | where ActionType =~ "ExploitGuardNetworkProtectionBlocked", | summarize count(RemoteUrl) by InitiatingProcessFileName, RemoteUrl, Audit_Only=tostring(parse_json(AdditionalFields).IsAudit), List all files created during the last hour, | project FileName, FolderPath, SHA1, DeviceName, Timestamp, | where SHA1 == "4aa9deb33c936c0087fb05e312ca1f09369acd27", | where ActionType in ("FirewallOutboundConnectionBlocked", "FirewallInboundConnectionBlocked", "FirewallInboundConnectionToAppBlocked"), | project DeviceId, Timestamp, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, LocalIP, LocalPort, | summarize MachineCount=dcount(DeviceId) by RemoteIP. How does Advanced Hunting work under the hood? | extend Account=strcat(AccountDomain, "\\", AccountName). The samples in this repo should include comments that explain the attack technique or anomaly being hunted.
The data model is made up of 10 tables in total, and all of the details on the fields of each table are available in our documentation. This table includes information related to alerts and related IOCs; properties of the devices (Name, OS platform and version, logged-on users, and others); the device network interface information; the process image file information, command line, and others; the process and loaded module information; which process changed what key and which value; who logged on, type of logon, permissions, and others; a variety of Windows related events, for example telemetry from Windows Defender Exploit Guard. Advanced hunting reference in Windows Defender ATP. Sample queries for Advanced hunting in Windows Defender ATP. This API can only query tables belonging to Microsoft Defender for Endpoint. One 3089 event is generated for each signature of a file. Threat hunting simplified with Microsoft Threat Protection. Microsoft's Security, Privacy & Compliance blog. What is Microsoft Defender Advanced Threat Protection (MDATP)? // Find all machines running a given PowerShell cmdlet. Evaluate and pilot Microsoft 365 Defender. Migrate advanced hunting queries from Microsoft Defender for Endpoint. Hunt across devices, emails, apps, and identities. Displays the query results in tabular format. Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field. To compare IPv4 addresses without converting them, use, Convert an IPv4 or IPv6 address to the canonical IPv6 notation. The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime so that it looks at a single process, without mixing multiple processes with the same process ID.
Hunting queries for Microsoft 365 Defender will provide value to both Microsoft 365 Defender and Microsoft Sentinel products, hence a multiple impact for a single contribution. MDATP Advanced Hunting (AH) Sample Queries. Good understanding of viruses and ransomware. If you have questions, feel free to reach me on my Twitter handle: @MiladMSFT. Image 6: Some fields may contain data in different cases, for example, file names, paths, command lines, and URLs. When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Advanced Hunting makes use of the Azure Kusto query language, which is the same language we use for Azure Log Analytics, and provides full access to raw data up to 30 days back. Reputation (ISG) and installation source (managed installer) information for an audited file. Getting Started with Windows Defender ATP Advanced Hunting. Find distinct values: In general, use summarize to find distinct values that can be repetitive. With that in mind, it's time to learn a couple more operators and make use of them inside a query. Monitoring blocks from policies in enforced mode.
Here's a simple example query that shows all the Windows Defender Application Control events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint: The query results can be used for several important functions related to managing Windows Defender Application Control including: Query Example #2: Query to determine audit blocks in the past seven days. Understanding Application Control event IDs (Windows). You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint. Here are some sample queries and the resulting charts. Think of the scenario where you are aware of a specific malicious file hash and you want to know details of that file hash across FileCreationEvents, ProcessCreationEvents, and NetworkCommunicationEvents. WDAC events can be queried using an ActionType that starts with AppControl. How do I join multiple tables in one query? You can also use the case-sensitive equals operator == instead of =~. High indicates that the query took more resources to run and could be improved to return results more efficiently. A tag already exists with the provided branch name. Date and time information typically representing event timestamps. AppControlCodeIntegritySigningInformation. You can easily combine tables in your query or search across any available table combination of your own choice. This operator allows you to apply filters to a specific column within a table. To see a live example of these operators, run them from the Get started section in advanced hunting.
Block script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Mac computers will now have the option to use Microsoft Defender Advanced Threat Protection's endpoint detection and response. In these scenarios, you can use other filters such as contains, startswith, and others. FailedAccounts=makeset(iff(ActionType == "LogonFailed", Account, ""), 5), SuccessfulAccounts=makeset(iff(ActionType == "LogonSuccess", Account, ""), 5), | where Failed > 10 and Successful > 0 and FailedAccountsCount > 2 and SuccessfulAccountsCount == 1. Look for machines failing to log on to multiple machines or using multiple accounts. // Note: RemoteDeviceName is not available in all remote logon attempts. | extend Account=strcat(AccountDomain, "\\", AccountName). If you are just looking for one specific command, you can run a query as shown below. We value your feedback. Specifics on what is required for Hunting queries is in the. This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. If the left table has multiple rows with the same value for the join key, those rows will be deduplicated to leave a single random row for each unique value. You can also display the same data as a chart.
These vulnerability scans result in a huge, sometimes seemingly unconquerable list for the IT department. Smaller table to your left: The join operator matches records in the table on the left side of your join statement to records on the right. When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately. Specifies the script or .msi file would be blocked if the Enforce rules enforcement mode were enabled. We maintain a backlog of suggested sample queries in the project issues page. Renders sectional pies representing unique items.