How to migrate advanced hunting to Microsoft 365 Defender
Published Jun 02 2021 10:17 AM
Microsoft

Microsoft 365 Defender simplifies and expands Microsoft security capabilities by consolidating data and functionality into unified experiences, including incidents, automated investigation and response, and advanced hunting, that you can access in the Microsoft 365 security center.

 

With advanced hunting, customers can continue using the powerful Kusto-based query interface to hunt across a device-optimized schema for Microsoft Defender for Endpoint. They can also switch to the Microsoft 365 security center, where we’ve surfaced additional email, identity, and app data consolidated under Microsoft 365 Defender. 

 

Customers who actively use advanced hunting in Microsoft Defender for Endpoint are advised to note the following details to ensure a smooth transition to advanced hunting in Microsoft 365 Defender: 

  • You can edit your Microsoft Defender for Endpoint custom detection rules in Microsoft 365 Defender. At the same time, alerts generated by custom detection rules in Microsoft 365 Defender will now be displayed in a newly built alert page that provides the following information: 
    • Alert title and description  
    • Impacted assets 
    • Actions taken in response to the alert 
    • Query results that triggered the alert (timeline and table views) 
    • Information on the custom detection rule  

[Image: AlertPage.png, screenshot of the new alert page for custom detection alerts]

 

  • With alert data consolidated from various sources in Microsoft 365 Defender, the contents of the DeviceAlertEvents table are surfaced using the AlertInfo and AlertEvidence tables. These replacement tables are not constrained to alerts on devices. Instead, they also cover alerts from Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App Security, providing visibility over threat activity impacting emails, apps, and identities. See our documentation: Migrate advanced hunting queries from Microsoft Defender for Endpoint  
 

Read through the following sections for tips on how you can transition your Microsoft Defender for Endpoint rules smoothly to Microsoft 365 Defender. 

 

Migrate custom detection rules 

When Microsoft Defender for Endpoint rules are edited on Microsoft 365 Defender, they can continue to function as before if the resulting query looks at device tables only. For example, alerts generated by custom detection rules that query only device tables will continue to be delivered to your SIEM and generate email notifications, depending on how you’ve configured these in Defender for Endpoint. Any existing suppression rules in Defender for Endpoint will also continue to apply. 

 

Once you edit a Defender for Endpoint rule so that it queries identity and email tables, which are only available in Microsoft 365 Defender, the rule is automatically moved to Microsoft 365 Defender. Alerts generated by the migrated rule: 

  • Are no longer visible in the Microsoft Defender Security Center (Microsoft Defender for Endpoint portal). 
  • Are no longer delivered to your SIEM and no longer generate email notifications. To work around this, configure notifications through Microsoft 365 Defender to get the alerts. You can use the Microsoft 365 Defender API to receive notifications for custom detection alerts or related incidents.
  • Won't be suppressed by Microsoft Defender for Endpoint suppression rules. To prevent alerts from being generated for certain users, devices, or mailboxes, modify the corresponding queries to exclude those entities explicitly. 

If you do edit a rule this way, you will be prompted for confirmation before such changes are applied. 
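As an added illustration (not code from the original post), here is what a migrated rule might look like once it reads an identity table alongside a device table, with the exemptions that Defender for Endpoint suppression rules used to provide written directly into the query. The device names and service-account UPN are constructed placeholders, and the IdentityInfo enrichment is an assumption about what such a rule would want; the column names are the documented DeviceProcessEvents and IdentityInfo columns.

```kusto
// Added example, not from the original post. A rule that used to query only
// DeviceProcessEvents (a Defender for Endpoint rule), now joined to IdentityInfo,
// which exists only in Microsoft 365 Defender. Saving it moves the rule to
// Microsoft 365 Defender, so Defender for Endpoint suppression rules no longer
// apply; the entities to ignore are excluded explicitly in the query instead.
// Custom detection queries must return Timestamp, ReportId and at least one
// entity column (DeviceId and AccountUpn here).
let lookback = 1h;
// Constructed values: hosts and a service account that a suppression rule
// would previously have exempted.
let excludedDevices = dynamic(["build-agent-01", "build-agent-02"]);
let excludedAccounts = dynamic(["svc-deploy@contoso.com"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc")
// Explicit exclusions take the place of the suppression rules.
| where DeviceName !in~ (excludedDevices)
| where AccountUpn !in~ (excludedAccounts)
// Enrich with the most recent identity snapshot. arg_max keeps one row per
// account so the join does not multiply the process events.
| join kind=leftouter (
    IdentityInfo
    | summarize arg_max(Timestamp, Department, JobTitle) by AccountUpn
    | project AccountUpn, Department, JobTitle
  ) on AccountUpn
| project Timestamp, ReportId, DeviceId, DeviceName, AccountUpn, Department, JobTitle,
          FileName, ProcessCommandLine
```

Because the query now reads IdentityInfo, saving it triggers the confirmation prompt described above and the rule becomes a Microsoft 365 Defender rule. The exclusion lists in the query are then the only place those exemptions live, so keep them under the same review as the rest of the rule.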

 

Write queries without DeviceAlertEvents 

In Microsoft 365 Defender, the AlertInfo and AlertEvidence tables are provided to accommodate the diverse set of information that accompanies alerts from various sources. Once you transition to advanced hunting in Microsoft 365 Defender, you'll need to adjust your queries so they return the same alert information you used to get from the DeviceAlertEvents table in the Microsoft Defender for Endpoint schema.

 

In general, you can get all the device-specific Microsoft Defender for Endpoint alert info by filtering the AlertInfo table by ServiceSource and then joining each unique ID with the AlertEvidence table, which provides detailed event and entity information. See the sample query below: 

 

AlertInfo 
| where Timestamp > ago(7d) 
| where ServiceSource == "Microsoft Defender for Endpoint" 
| join AlertEvidence on AlertId 

This query yields many more columns than simply taking records from DeviceAlertEvents. To keep results manageable, use the project operator to return only the columns you are interested in. The example below projects columns you might want when investigating detected PowerShell activity:

 

AlertInfo 
| where Timestamp > ago(7d) 
| where ServiceSource == "Microsoft Defender for Endpoint" 
  and AttackTechniques has "powershell" 
| join AlertEvidence on AlertId 
| project Timestamp, Title, AlertId, DeviceName, FileName, ProcessCommandLine  
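One consequence of the join that the sample queries above do not show: AlertEvidence holds one row per evidence entity (device, process, file, user, and so on), so a single alert comes back as several rows. The following added example (not from the original post) collapses the join back to one row per alert, which is closer to what a DeviceAlertEvents query returned. The EntityType values and column names are the documented AlertInfo and AlertEvidence columns; the 7-day window is assumed.

```kusto
// Added example, not from the original post: one row per Defender for Endpoint
// alert, built from AlertInfo joined to AlertEvidence. AlertEvidence contains a
// row for each entity attached to the alert, so without an aggregation step
// each alert is repeated once per entity.
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
| join kind=inner (
    AlertEvidence
    | where EntityType in ("Machine", "Process", "File", "User")
    // Project only the evidence columns we need; this also avoids the
    // Timestamp/Title name collision with AlertInfo after the join.
    | project AlertId, EntityType, DeviceName, FileName, SHA256, ProcessCommandLine, AccountUpn
  ) on AlertId
// Fold the evidence rows into sets so the result is one row per alert.
| summarize
    Devices       = make_set_if(DeviceName, isnotempty(DeviceName)),
    Files         = make_set_if(FileName, isnotempty(FileName)),
    FileHashes    = make_set_if(SHA256, isnotempty(SHA256)),
    CommandLines  = make_set_if(ProcessCommandLine, isnotempty(ProcessCommandLine)),
    Accounts      = make_set_if(AccountUpn, isnotempty(AccountUpn)),
    EvidenceCount = count()
    by AlertId, Timestamp, Title, Category, Severity, AttackTechniques
| order by Timestamp desc
```

AttackTechniques is a JSON array stored as a string; if you need one row per technique for reporting, add `| mv-expand Technique = parse_json(AttackTechniques)` after the summarize.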

 

Let us know how we can help 

While the move to Microsoft 365 Defender offers limitless benefits, especially to customers who have deployed multiple Microsoft 365 security solutions, we understand that change can present challenges. We encourage all customers to send us feedback about their experiences managing this change and suggestions on how we can help further. Contact us at ahfeedback@microsoft.com or send us feedback through the portals.

 

Last update: Jun 04 2021 03:36 PM