Forum Discussion
Advanced Hunting along with a Custom Detection Rule
Good afternoon,
I need some help setting up a KQL query in Advanced Hunting along with a Custom Detection Rule to automatically isolate devices where a virus or ransomware is detected. The rule must run at NRT (Near Real-Time) frequency.
We are using Microsoft Defender for Business, which is included in the Microsoft 365 Business Premium license.
Would any kind community member be able to provide me with a starting point for this?
Thank you in advance!
Hi stade1655!
Good morning on this side 😄!
To create a KQL query for Advanced Hunting, you can start by using the "DeviceEvents" table to look for suspicious activity related to viruses or ransomware. Once you've crafted your query to detect the event or signature, you can set up a Custom Detection Rule in Microsoft Defender for Business. The rule can be configured to trigger at a Near Real-Time frequency and isolate the affected device automatically when a match is found. You'll need to use the "Create a custom detection rule" feature in the Microsoft 365 Defender portal to link the KQL query to the automation action for device isolation.
Let me know if you need more details on how to achieve it.
Regards
Hi stade1655!
Good morning on this side 😄!
To create a KQL query for Advanced Hunting, you can start by using the "DeviceEvents" table to look for suspicious activity related to viruses or ransomware. Once you've crafted your query to detect the event or signature, you can set up a Custom Detection Rule in Microsoft Defender for Business. The rule can be configured to trigger at a Near Real-Time frequency and isolate the affected device automatically when a match is found. You'll need to use the "Create a custom detection rule" feature in the Microsoft 365 Defender portal to link the KQL query to the automation action for device isolation.
Let me know if you need more details on how to achieve it.
Regards
Thank you for the detailed explanation! This is exactly the guidance I needed to get started with creating a KQL query and setting up a Custom Detection Rule in Microsoft Defender for Business. I’ll try this out and reach out if I need further assistance. Appreciate your support!
