Defender ATP: Custom Advanced Hunting

Overview


This step-by-step walkthrough is an example of how to configure custom Advanced Hunting in Microsoft Defender ATP using 3 simple steps:

  1. Create a reusable query
  2. Create a custom detection rule
  3. Add a notification rule

1. Create a reusable query

  1. Go to http://securitycenter.microsoft.com/
  2. Select Advanced hunting
  3. Select Query > New
  4. Type the following query:

DeviceProcessEvents
| where ProcessCommandLine contains "notepad.exe"

  5. Select Run query
  6. Review the results to verify that "notepad.exe" was found
  7. Select Save > Save as and name the query Detect_Notepad.exe
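The walkthrough query is fine for proving the pipeline works, but two things are worth knowing before you turn it into a detection. First, `contains` is a case-insensitive substring match over the whole command line, so it also fires on any process whose arguments merely mention the string (for example a script that echoes "notepad.exe"); matching on FileName catches the actual image launch. Second, a custom detection rule requires the query output to include the Timestamp, DeviceId and ReportId columns, so if you `project` columns you must keep those three. The query below is an added example written for this post, not the author's saved query; the table and column names are the real DeviceProcessEvents schema, while the choice to exclude launches from explorer.exe is an illustrative assumption about what counts as "normal" in your environment.

```kql
// Added example: a reusable hunting query shaped so it can back a custom
// detection rule. Column names follow the DeviceProcessEvents schema;
// excluding explorer.exe as the parent is an assumption for this example.
DeviceProcessEvents
// Match the launched image, not any command line that mentions the string.
// =~ is case-insensitive equality in KQL.
| where FileName =~ "notepad.exe"
// Drop the normal interactive case (user double-clicks the file in Explorer),
// so that launches from scripts, Office macros or remote shells stand out.
| where InitiatingProcessFileName !~ "explorer.exe"
// Custom detection rules need Timestamp, DeviceId and ReportId in the output;
// the rest are the fields you want to see in the resulting alert.
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Run it in Advanced hunting with the portal's time-range picker first; the rule's Frequency setting controls the lookback once it is saved as a detection, so the query itself does not need an explicit Timestamp filter.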

2. Create a custom detection rule

  1. Select Create detection rule
  2. Complete the Alert details form (example shown below)
  3. Choose the Frequency (see the note below)
  4. Carefully review and select the desired device and/or file actions
  5. Review the Summary and click Save

A note about Frequency

The frequency determines how often the saved query runs and how far back each run looks. Per the Microsoft documentation, every 24 hours checks the past 30 days, every 12 hours the past 48 hours, every 3 hours the past 12 hours, and every hour the past 4 hours. Choose the shortest interval the query's cost justifies; a narrow query like the one above can comfortably run hourly.

3. Add a notification rule

  1. Select Settings
  2. Under General, select Alert notifications
  3. Select Add notification rule
  4. Complete the New notification rule form (example shown below)
  5. Enter valid e-mail recipients and select Send test email

Sample Alert Email

