Forum Discussion
Advanced Hunting along with a Custom Detection Rule
Hi stade1655!
Good morning on this side 😄!
To create a KQL query for Advanced Hunting, you can start by using the "DeviceEvents" table to look for suspicious activity related to viruses or ransomware. Once you've crafted your query to detect the event or signature, you can set up a Custom Detection Rule in Microsoft Defender for Business. The rule can be configured to trigger at a Near Real-Time frequency and isolate the affected device automatically when a match is found. You'll need to use the "Create a custom detection rule" feature in the Microsoft 365 Defender portal to link the KQL query to the automation action for device isolation.
Let me know if you need more details on how to achieve it.
Regards
Hi luchete
I'm trying to determine exactly which Advanced Hunting tables are available in Microsoft 365 Business Premium, which includes Defender for Business.
I understand that Defender for Business includes a mix of Defender for Endpoint Plan 1 and some features from Plan 2, but I can't find a clear list of which tables are accessible in Advanced Hunting under this specific licensing model.
Some sources suggest that tables like DeviceEvents and DeviceInfo might be restricted to Defender for Endpoint Plan 2, but I would appreciate an official or community-confirmed list of available tables under Defender for Business.
Additionally, is it possible to achieve automatic isolation using another table in Advanced Hunting? If some tables are restricted, is there an alternative approach to trigger device isolation based on hunting queries?
Would really appreciate any insights or official references!
Thanks in advance!