Forum Discussion
Advanced Hunting along with a Custom Detection Rule
Good afternoon,
I need some help setting up a KQL query in Advanced Hunting along with a Custom Detection Rule to automatically isolate devices where a virus or ransomware is detected. The rule must run at NRT (Near Real-Time) frequency.
We are using Microsoft Defender for Business, which is included in the Microsoft 365 Business Premium license.
Would any kind community member be able to provide me with a starting point for this?
Thank you in advance!
3 Replies
- stade1655 (Copper Contributor)
Hi luchete
I'm trying to determine exactly which Advanced Hunting tables are available in Microsoft 365 Business Premium, which includes Defender for Business.
I understand that Defender for Business includes a mix of Defender for Endpoint Plan 1 and some features from Plan 2, but I can't find a clear list of which tables are accessible in Advanced Hunting under this specific licensing model.
Some sources suggest that tables like DeviceEvents and DeviceInfo might be restricted to Defender for Endpoint Plan 2, but I would appreciate an official or community-confirmed list of available tables under Defender for Business.
Additionally, is it possible to achieve automatic isolation using another table in Advanced Hunting? If some tables are restricted, is there an alternative approach to trigger device isolation based on hunting queries?
Would really appreciate any insights or official references!
Thanks in advance!
- luchete (Iron Contributor)
Hi stade1655!
Good morning on this side 😄!
To create a KQL query for Advanced Hunting, you can start by using the "DeviceEvents" table to look for suspicious activity related to viruses or ransomware. Once you've crafted your query to detect the event or signature, you can set up a Custom Detection Rule in Microsoft Defender for Business. The rule can be configured to trigger at a Near Real-Time frequency and isolate the affected device automatically when a match is found. You'll need to use the "Create a custom detection rule" feature in the Microsoft 365 Defender portal to link the KQL query to the automation action for device isolation.
Let me know if you need more details on how to achieve it.
Regards
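As an added illustration of the approach described in the reply above (this is example code, not something posted in the thread), here is a DeviceEvents query shaped so it can be saved as a custom detection rule with the "Isolate device" response action. The threat-name filter is an assumption you would tune to your environment; the required output columns (Timestamp, ReportId, DeviceId) and the single-table restriction for NRT frequency are Microsoft's documented rule requirements.

```kql
// Added example, not from the original thread.
// Custom detection rules need Timestamp, ReportId and DeviceId in the output;
// the "Isolate device" action keys off DeviceId.
// NRT (continuous) frequency only accepts queries against a single table,
// so no join/union is used here.
DeviceEvents
| where ActionType == "AntivirusDetection"
// ThreatName lives inside the AdditionalFields JSON blob
| extend Threat = tostring(parse_json(AdditionalFields).ThreatName)
// Assumption: match the families you want to auto-isolate on; widen or narrow as needed
| where Threat has_any ("Ransom", "Trojan", "Virus")
| project Timestamp, ReportId, DeviceId, DeviceName,
          FileName, FolderPath, SHA256, Threat,
          InitiatingProcessFileName, InitiatingProcessAccountName
```

Run it in Advanced Hunting first to confirm it returns results on your tenant's data, then use "Create detection rule", pick the NRT frequency, and select "Isolate device" under the device actions.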
- stade1655 (Copper Contributor)
Thank you for the detailed explanation! This is exactly the guidance I needed to get started with creating a KQL query and setting up a Custom Detection Rule in Microsoft Defender for Business. I’ll try this out and reach out if I need further assistance. Appreciate your support!