Defender ATP: Custom Advanced Hunting

Overview


This step-by-step walkthrough shows how to configure custom Advanced Hunting in Microsoft Defender ATP in three simple steps:

  1. Create a reusable query
  2. Create a custom detection rule
  3. Add a notification rule

1. Create a reusable query

  1. Open http://securitycenter.microsoft.com/
  2. Advanced hunting
  3. Query > New
  4. Type the following query:

     DeviceProcessEvents
     | where ProcessCommandLine contains "notepad.exe"

  5. Run query
  6. Review the results to verify "notepad.exe" was found
  7. Save > Save as > Detect_Notepad.exe
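The query above matches any process whose command line contains the string "notepad.exe", including an unrelated process that merely passes that string as an argument. The following is an added example, not a query from the original post, that matches on the launched image name instead and projects the columns a custom detection rule needs (Timestamp and ReportId, plus an entity column such as DeviceId) alongside the fields an analyst wants for triage. The exclusion of launches from explorer.exe is a hypothetical allow-list, included only to show where such tuning goes.

```kql
// Added example, not the post's query: a detection-ready notepad.exe hunt.
// Custom detection rules need Timestamp and ReportId in the results, plus an
// entity column (DeviceId here); the other projected columns are for triage.
DeviceProcessEvents
| where Timestamp > ago(7d)                 // bound the search when running it interactively
| where FileName =~ "notepad.exe"           // match the launched image, case-insensitively
| where InitiatingProcessFileName !~ "explorer.exe"   // hypothetical allow-list: ignore launches from the desktop shell
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

When this query is saved and turned into a detection rule, remove the `order by` line if the rule editor reports it as unsupported, and widen or drop the `Timestamp` bound; the rule's own Frequency setting controls how far back each run looks.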

2. Create a custom detection rule

  1. Create detection rule
  2. Complete the Alert details form (example shown below)
  3. A note about Frequency
  4. Carefully review and select the desired device and/or file actions
  5. Review the Summary and click Save

3. Add a notification rule

  1. Settings
  2. Under General, select Alert notifications
  3. Add notification rule
  4. Complete the New notification rule form (example shown below)
  5. Enter valid e-mail recipients and select Send test email

Sample Alert Email
