Hi guys , 

I am trying to achieve below goal 

We want to detect if CIRT tools l ( like universal forwarder for splunk , Nessus , umbrella roaming client etc ) is installed on win 10 machine or not and based on that device should be marked as compliant if installed and non compliant if not and further based on compliance status we can control access to company resources via conditional access OR put machine in isolation if any of the CIRT tool mentioned above is not installed to client machine.

After going through ATP documentation , i came to know we can also create custom detection rule based on KQL and then specify action based on result . Result would be like device Isolation from the network which exactly meet our requirement .

Now , i am not sure if my requirement can be met by creating a custom detection rule or not .

If yes , then what's the way ( resources , guides ) to create custom rule

If not , then is there any other solution from microsoft which we can meet our requirement ?

Note: we do have ATP and AAD premium p2 license and very adaptive to use any of the Microsoft technology . Please help