Near Real Time Rules in Defender
If you want to find threats earlier, it is now possible to use near real time (NRT) rules in Defender.
Before this, the only schedules available were 24h, 12h, 3h, and 1h. NRT gives defenders the possibility to detect and respond to threats much earlier.
Tables that support Continuous (NRT) frequency
- AlertEvidence
- DeviceEvents
- DeviceFileCertificateInfo
- DeviceFileEvents
- DeviceImageLoadEvents
- DeviceLogonEvents
- DeviceNetworkEvents
- DeviceNetworkInfo
- DeviceInfo
- DeviceProcessEvents
- DeviceRegistryEvents
- EmailAttachmentInfo
- EmailEvents
- EmailPostDeliveryEvents
- EmailUrlInfo
- UrlClickEvents
NRT rules do not support the externaldata operator, and the query can reference only one table.
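The following is an added example, not a query from the original post: a single-table DeviceProcessEvents query that satisfies the NRT constraints above (one table, no externaldata), followed by commented-out lines showing the two patterns that would make the same query ineligible. The column names are assumed to follow the Advanced Hunting DeviceProcessEvents schema; the detection logic (certutil.exe used for download or decoding) is a sample chosen for illustration.

```kql
// Added example (not from the post). Assumption: DeviceProcessEvents schema column names.
// An allow/deny list kept inline with let + dynamic() stays inside one table;
// externaldata would fetch the same list from a URL but is not allowed for NRT rules.
let suspiciousSwitches = dynamic(["-urlcache", "-decode", "-encode"]);
DeviceProcessEvents
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any (suspiciousSwitches)
// Timestamp and ReportId are required by custom detection rules; DeviceId is the
// entity the rule (and any response action attached to it) will be applied to.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          FileName, ProcessCommandLine, InitiatingProcessFileName
// -------------------------------------------------------------------------
// Either of the following lines would make this query ineligible for the
// Continuous (NRT) frequency, because it may query only one table and
// cannot use externaldata (placeholder URL, not a real list):
//
// | join kind=inner (DeviceNetworkEvents | project DeviceId, RemoteUrl) on DeviceId
// | where FileName in~ (externaldata(name:string) [@"https://<placeholder>/lolbins.csv"] with (format="csv"))
```

If a rule genuinely needs data from a second table, it has to stay on one of the hourly schedules; the NRT rule can only carry the part that lives in a single table.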
Configuring NRT (Continuous) Rule
From Advanced Hunting, develop your query, then click through and configure the alert details.


It’s important to think about what the actions mean and to make sure your query will detect exactly what you want.

Be cautious with the Isolate device action when querying the Device tables. If your detection query contains an error, you may isolate all machines by mistake.
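One practical check before attaching an action such as Isolate device is to run the rule's filters over a long window in Advanced Hunting and measure the blast radius. The query below is an added example, not from the original post; it assumes the DeviceProcessEvents schema column names and reuses the sample certutil.exe filters as the rule logic under test. Because it is run manually in hunting rather than as the NRT rule itself, it is free to count the whole fleet for comparison.

```kql
// Added example (not from the post). Assumption: DeviceProcessEvents schema column names.
// Run this in Advanced Hunting before enabling a rule that carries a response action.
let window = 30d;
// Number of distinct devices that reported process events in the window (fleet size).
let fleet = toscalar(
    DeviceProcessEvents
    | where Timestamp > ago(window)
    | summarize dcount(DeviceId));
DeviceProcessEvents
| where Timestamp > ago(window)
// These are the rule's filters. If one of them is accidentally removed or mistyped,
// PercentOfFleet jumps towards 100, which is exactly the "isolate every machine"
// mistake the post warns about, and it shows up here instead of in production.
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "-decode", "-encode")
| summarize Hits = count(),
            AffectedDevices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
| extend FleetDevices = fleet,
         PercentOfFleet = round(100.0 * AffectedDevices / fleet, 2)
```

A healthy, specific detection returns a small AffectedDevices count and a PercentOfFleet well below the level at which automatic isolation would be acceptable; review the SampleDevices and the hit rate against what you expect before saving the rule with an action attached.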
It’s now completed!
Don’t forget that you can use hunting if you want to take response actions on multiple entities very quickly.
From the results of your hunting query, select the rows where you want to take action and click Take Actions.

This brings up the Actions pane, where you can choose which actions you need.

Depending on your query (which tables and which output columns), you get different options for your actions.
Stay safe, and Happy Hunting!