Migrate advanced hunting queries from Microsoft Defender for Endpoint

Applies to:

• Microsoft 365 Defender

Move your advanced hunting workflows from Microsoft Defender for Endpoint to proactively hunt for threats using a broader set of data. In Microsoft 365 Defender, you get access to data from other Microsoft 365 security solutions, including:

• Microsoft Defender for Endpoint
• Microsoft Defender for Office 365
• Microsoft Defender for Cloud Apps
• Microsoft Defender for Identity

You can transition without affecting your existing Defender for Endpoint workflows. Saved queries remain intact, and custom detection rules continue to run and generate alerts. They will, however, be visible in Microsoft 365 Defender.

Schema tables in Microsoft 365 Defender only

The Microsoft 365 Defender advanced hunting schema provides additional tables containing data from various Microsoft 365 security solutions. The following tables are available only in Microsoft 365 Defender:

Map DeviceAlertEvents table

The AlertInfo and AlertEvidence tables replace the DeviceAlertEvents table in the Microsoft Defender for Endpoint schema. In addition to data about device alerts, these two tables include data about alerts for identities, apps, and emails.

Use the following table to check how DeviceAlertEvents columns map to columns in the AlertInfo and AlertEvidence tables.

Adjust existing Microsoft Defender for Endpoint queries

Microsoft Defender for Endpoint queries will work as-is unless they reference the DeviceAlertEvents table. To use these queries in Microsoft 365 Defender, apply these changes:

• Replace DeviceAlertEvents with AlertInfo.
• Join the AlertInfo and the AlertEvidence tables on AlertId to get equivalent data.

Original query

The following query uses DeviceAlertEvents in Microsoft Defender for Endpoint to get the alerts that involve powershell.exe:

DeviceAlertEvents
| where Timestamp > ago(7d) 
| where AttackTechniques has "PowerShell (T1086)" and FileName == "powershell.exe"

Modified query

The following query has been adjusted for use in Microsoft 365 Defender. Instead of checking the file name directly from DeviceAlertEvents, it joins AlertEvidence and checks for the file name in that table.

AlertInfo 
| where Timestamp > ago(7d) 
| where AttackTechniques has "PowerShell (T1086)" 
| join AlertEvidence on AlertId
| where FileName == "powershell.exe"

Migrate custom detection rules

When Microsoft Defender for Endpoint rules are edited on Microsoft 365 Defender, they continue to function as before if the resulting query looks at device tables only.

For example, alerts generated by custom detection rules that query only device tables will continue to be delivered to your SIEM and generate email notifications, depending on how you’ve configured these in Microsoft Defender for Endpoint. Any existing suppression rules in Defender for Endpoint will also continue to apply.

Once you edit a Defender for Endpoint rule so that it queries identity and email tables, which are only available in Microsoft 365 Defender, the rule is automatically moved to Microsoft 365 Defender.

Alerts generated by the migrated rule:

• Are no longer visible in the Defender for Endpoint portal (Microsoft Defender Security Center)
• Stop being delivered to your SIEM or generate email notifications. To work around this change, configure notifications through Microsoft 365 Defender to get the alerts. You can use the Microsoft 365 Defender API to receive notifications for customer detection alerts or related incidents.
• Won’t be suppressed by Microsoft Defender for Endpoint suppression rules. To prevent alerts from being generated for certain users, devices, or mailboxes, modify the corresponding queries to exclude those entities explicitly.

If you edit a rule this way, you will be prompted for confirmation before such changes are applied.

New alerts generated by custom detection rules in Microsoft 365 Defender are displayed in an alert page that provides the following information:

• Alert title and description
• Impacted assets
• Actions taken in response to the alert
• Query results that triggered the alert
• Information on the custom detection rule

Write queries without DeviceAlertEvents

In the Microsoft 365 Defender schema, the AlertInfo and AlertEvidence tables are provided to accommodate the diverse set of information that accompany alerts from various sources.

To get the same alert information that you used to get from the DeviceAlertEvents table in the Microsoft Defender for Endpoint schema, filter the AlertInfo table by ServiceSource and then join each unique ID with the AlertEvidence table, which provides detailed event and entity information.

See the sample query below:

AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
| join AlertEvidence on AlertId

This query yields many more columns than DeviceAlertEvents in the Microsoft Defender for Endpoint schema. To keep results manageable, use project to get only the columns you are interested in. The example below projects columns you might be interested in when the investigation detected PowerShell activity:

AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
    and AttackTechniques has "powershell"
| join AlertEvidence on AlertId
| project Timestamp, Title, AlertId, DeviceName, FileName, ProcessCommandLine 

If you’d like to filter for specific entities involved in the alerts, you can do so by specifying the entity type in EntityType and the value you would like to filter for. The following example looks for a specific IP address:

AlertInfo
| where Title == "Insert_your_alert_title"
| join AlertEvidence on AlertId 
| where EntityType == "Ip" and RemoteIP == "192.88.99.01" 

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team