Tag Archive: Custom Detection

Near Real Time Rules in Defender

If you want to find threats earlier it is now possible to use NRT rules in Defender.

Before this, we had the options to use 24h, 12h, 3h, and 1h as the schedule. This gives Defenders the possibility to detect and respond to threat much earlier.


Tables that support Continuous (NRT) frequency

  • AlertEvidence
  • DeviceEvents
  • DeviceFileCertificateInfo
  • DeviceFileEvents
  • DeviceImageLoadEvents
  • DeviceLogonEvents
  • DeviceNetworkEvents
  • DeviceNetworkInfo
  • DeviceInfo
  • DeviceProcessEvents
  • DeviceRegistryEvents
  • EmailAttachmentInfo
  • EmailEvents
  • EmailPostDeliveryEvents
  • EmailUrlInfo
  • UrlClickEvents

The NRT rules does not support externaldata operator and you can only query one table

Configuring NRT (Continuous) Rule

From the Advanced Hunting, develop your query and click and configure the Alert Details

Click Next and select impacted entities (in this case we are using an email table and therefore the impacted entities will be mailbox)
Click Next and configure the actions.
It’s important to think about what the actions means and make sure your query will detect exactly what you want.

Be cautious with the Isolate device when querying Device tables. If you have an error in your detection you may isolate all machines by mistake

It’s now completed!

Don’t forget that you can use the hunting if you want to take response actions on multiple entities very quickly.

From the Result of your hunting query, select the rows where you want to take action and click Take Actions

This brings your the Actions pane and you can choose which actions you need.

Depending on your query (which tables and output) you get different options for your actions. ‘

Stay safe, and Happy Hunting!