Advanced hunting updates: USB events, machine-level actions, and schema changes

Hello there, hunters! I’d like to share some of the work we’ve recently completed for advanced hunting on Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

We’ve added some exciting new events as well as new options for automated response actions based on your custom detections. We also have some changes to the schema—changes that will allow advanced hunting to scale and accommodate even more events and information types.
Keep on reading for the juicy details.

Find threat activity involving USB devices
We’ve added support for the following new action types in the MiscEvent table, so you can find events related to mounting and unmounting of USB drives as well as setting of drive letters:

• UsbDriveMount
• UsbDriveUnmount
• UsbDriveDriveLetterChanged

Checking USB drive events can help you locate attempts to introduce malware or steal sensitive information through removable drives. Each of these action types include relevant contextual information, such as:

• Drive letter
• Bus type
• Product name of the device
• Product revision
• Serial number
• Manufacturer
• Volume

Please keep in mind these events are available only for RS6 machines.

More automated responses to custom detections
Have you ever wanted to automatically isolate a machine or run an antivirus scan in response to a custom detection?

In addition to the current file-level actions, we just added support for a set of machine-level actions that can be taken automatically if a custom detection is triggered. You can now specify these actions when you create custom detection rules, or you can add them to your existing rules:

• Isolate machine (new)
• Collect investigation package (new)
• Run antivirus scan (new)
• Initiate investigation (new)
• Allow / Block items by adding them to the indicator list
• Quarantine file

Let’s try them out
Let’s use the new USB events to create a custom detection rule that also leverages the new set of machine-level response actions.

The goal of this custom detection is to identify potentially malicious attempts to copy Word and PowerPoint files to a newly attached USB storage device. Once this activity is found on any machine, that machine should be automatically isolated from the network to suppress future exfiltration activity.

Find possible exfiltration attempts via USB
The following query finds attempts to copy at least 10 distinct documents within 15 minutes to a newly attached USB storage device. The query finds USB drive mounting events and extracts the assigned drive letter for each drive. It then finds file creation events on each drive letter, which maps to a freshly mounted USB device.
Try running the query by pasting it into the advanced hunting query editor.

DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| project USBMountTime = Timestamp, DeviceId, AdditionalFields
| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
| join (
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType == "FileCreated"
| where FileName endswith ".docx" or FileName endswith ".pptx"
| parse FolderPath with DriveLetter '\\' *
| extend DriveLetter = tostring(DriveLetter)
)
on DeviceId, DriveLetter
| where (Timestamp - USBMountTime) between (0min .. 15min)
| summarize DistinctFilesCopied = dcount(SHA1), Events=makeset(pack("AccountName", InitiatingProcessAccountName, "Timestamp", Timestamp, "ReportId", ReportId, "FileName", FileName, "AdditionalDriveProperties", AdditionalFields)) by DeviceId, bin(Timestamp, 15m)
| where DistinctFilesCopied > 10
| mv-expand Events
| extend Timestamp = todatetime(Events.Timestamp), FileName = Events.FileName, AccountName = Events.AccountName, ReportId = tolong(Events.ReportId), AdditionalDriveProperties = Events.AdditionalDriveProperties

Running the query on advanced hunting
 
Create a custom detection rule from the query
If you ran the query successfully, create a new detection rule. Remember to select Isolate machine from the list of machine actions. This option automatically prevents machines with alerts from connecting to the network.

Creating a custom detection rule with isolate machine as a response action

Schema naming changes and deprecated columns
In the following weeks, we plan to rename some tables and columns, allowing us to expand the naming convention and accommodate events from more sources. We are also deprecating a column that is rarely used and is not functioning optimally.
 
New “device” prefix in table names
We will broadly add a new prefix to the names of all tables that are populated using device-specific data. This will give way for other data sources.

While the old table names are in use, these new table names are already functional (i.e., both sets of names are currently supported). In the upcoming weeks, when we start using the new names in the schema reference and documentation, the old names will continue to function. We do advise updating queries as soon as possible.

New column names
We are also renaming the following columns to ensure that their names remain meaningful when they are used across more tables.

Deprecated column
The rarely used column IsWindowsInfoProtectionApplied in the FileCreationEvents table will no longer be supported starting September 1, 2019. Saved queries that reference this column will return an error, unless edited manually to remove the reference.
--------------
That is all for my update this time. As always, please share your thoughts with us in the comment section below or use the feedback smileys in Microsoft Defender Security Center.