Custom rule detection in Advance hunting ATP


Hi guys,

I am trying to achieve the goal below.

We want to detect whether CIRT tools (like the universal forwarder for Splunk, Nessus, the Umbrella roaming client, etc.) are installed on a Win 10 machine or not, and based on that the device should be marked as compliant if installed and non-compliant if not. Further, based on the compliance status, we can control access to company resources via conditional access OR put the machine in isolation if any of the CIRT tools mentioned above is not installed on the client machine.

After going through the ATP documentation, I came to know we can also create a custom detection rule based on KQL and then specify an action based on the result. The result would be something like device isolation from the network, which exactly meets our requirement.

Now, I am not sure if my requirement can be met by creating a custom detection rule or not.

If yes, then what's the way (resources, guides) to create a custom rule?

If not, then is there any other solution from Microsoft with which we can meet our requirement?

Note: we do have ATP and AAD Premium P2 licenses and are very open to using any Microsoft technology. Please help.

2 Replies

@moderndesktop 

You can do something similar to what was done here: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/automated-machine-tagging-in-just-a-fe....

You can simply run a scheduled query to produce a list of systems which are missing the tool and run an isolation action through Microsoft Flow or Logic Apps. Isolating a system might be a nuclear option, since you won't be able to reach it and deploy the app to make it compliant. From what I know, only Defender ATP can reach out to the system after isolation, so you can look at installing the application through ATP Live Response or creating something like a ServiceNow ticket through Logic Apps to get someone to deploy the software.
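As an added example of the scheduled query described above (not code from the thread or from Microsoft), here is an advanced hunting query that lists active Windows 10 devices missing any one of a set of required agents. The software name fragments in `RequiredTools` are placeholders you must replace with the exact `SoftwareName` values your tenant's inventory reports; the output keeps `Timestamp`, `DeviceId` and `ReportId` so it can be saved as a custom detection rule.

```kql
// Added example: active Windows 10 devices that lack at least one required CIRT agent.
// The tool name fragments are placeholders (assumption); confirm them against your own
// DeviceTvmSoftwareInventory data before saving this as a custom detection rule.
let RequiredTools = dynamic(["universalforwarder", "nessus_agent", "umbrella_roaming_client"]);
// One row per device seen in the last 7 days, with the latest name and report id.
let ActiveDevices =
    DeviceInfo
    | where Timestamp > ago(7d)
    | where OSPlatform == "Windows10"
    | summarize arg_max(Timestamp, DeviceName, ReportId) by DeviceId;
// One row per (device, tool) that the software inventory does report as installed.
let InstalledTools =
    DeviceTvmSoftwareInventory
    | extend RequiredTool = RequiredTools
    | mv-expand RequiredTool to typeof(string)
    | where SoftwareName has RequiredTool
    | distinct DeviceId, RequiredTool;
// Expand every device against every required tool, then keep only the pairs
// with no matching inventory row: those are the missing agents.
ActiveDevices
| extend RequiredTool = RequiredTools
| mv-expand RequiredTool to typeof(string)
| join kind=leftanti InstalledTools on DeviceId, RequiredTool
| summarize MissingTools = make_set(RequiredTool) by DeviceId, DeviceName, Timestamp, ReportId
| order by DeviceName asc
```

Note that `DeviceTvmSoftwareInventory` only lists software the threat and vulnerability management catalogue recognises; for an agent it does not cover, build the `InstalledTools` side from `DeviceProcessEvents` (matching the agent's `FileName`) instead.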


@blankachu  Thanks buddy