Forum Discussion
Jili
Jan 20, 2025, Copper Contributor
Custom critical filter for EDR/XDR
Hello everyone,
I would like to ask whether anybody is trying to make a unique "critical" filter for alerts/incidents that need to be handled as fast as possible?
We have many High alerts and we are trying to figure out how to have a priority list with the important notifications.
Do you have any ideas?
Thank you.
4 Replies
- Jili, Copper Contributor
Thank you for the answers. It's not for vulnerabilities, so I think CVEs wouldn't help me with that.
It's for malware, ransomware etc., because the highest alert category that MS Defender uses is High, and that is the reason I'm trying to make a custom alert, aiming to be something like "Critical".
I'm trying to use keywords for ransomware, which I treat as critical, but I don't know whether somebody has found something better that could fit me well.
- akl472, Copper Contributor
If you're looking for a specific CVE, you could try this:
let CVE_Details =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-21338" // Enter the relevant CVE number here (filtering before the join keeps it cheap)
    | join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId // Adds the KB details (exploit availability, description) where the CveId matches
    | project CveId, Exploitable=IsExploitAvailable, Severity=VulnerabilitySeverityLevel, DeviceName, OSVersion, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, CVE_Description=VulnerabilityDescription, DeviceId;
CVE_Details
| join kind=inner DeviceInfo on DeviceName // Enriches each vulnerable device with its inventory records (one per snapshot, hence the distinct below)
| distinct DeviceName, CveId, Exploitable, Severity, LoggedOnUsers, OSVersion, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, CVE_Description
| where LoggedOnUsers contains "UserName" // Optional: replace "UserName" with the account you are interested in, or remove this line
| sort by DeviceName asc
- akl472, Copper Contributor
It depends on what you consider to be 'critical'. If it's for a vulnerability with an exploit available, you could use KQL to detect these and a custom detection rule to generate an alert:
DeviceTvmSoftwareVulnerabilities
| join kind=inner DeviceTvmSoftwareVulnerabilitiesKB on CveId // Adds CVSS score, exploit availability and description from the KB
| where IsExploitAvailable == true // Keep only CVEs with a publicly available exploit (boolean column)
//| where OSPlatform contains "server" // Filters for CVEs impacting servers
//| where OSPlatform == "Windows10" or OSPlatform == "Windows11" // Filters for CVEs impacting workstations
| project DeviceName, OSPlatform, OSVersion, SoftwareName, SoftwareVendor, SoftwareVersion, CVE=CveId, CvssScore, Severity=VulnerabilitySeverityLevel, MissingKB=RecommendedSecurityUpdateId, UpdateName=RecommendedSecurityUpdate, Description=VulnerabilityDescription
| sort by DeviceName asc, CvssScore desc // Highest-scoring CVE first within each device
You could also amend this to search for severity = critical, or for anything above a certain CVSS score.
- Clive_Watson, Bronze Contributor
You could do this in your ITSM tool, if you have one and you pass your alerts to that tool. Or you can create a custom alert that looks at the alerts to give you a filtered list. Or just run some KQL in Advanced Hunting to find the titles or keywords you are especially interested in, maybe something based on:
let keyWords = datatable (word:string) [ 'risk', 'suspicious' ]; // Keyword list to look for in alert titles
AlertInfo
| where Severity == "High"
| where Title has_any (keyWords) // Matches any of the keywords anywhere in the title
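As an added example that is not part of any post in this thread, the following Advanced Hunting query takes the keyword idea above one step further: it scores Defender "High" alerts by title keywords, alert category, and the value and exposure of the devices named in the alert's evidence, and labels the top of the list as a custom "Critical" tier. The keyword list, category list, the "Tier0" machine-group name, the weights and the threshold are assumptions to tune per environment; the columns used are the standard AlertInfo, AlertEvidence and DeviceInfo schema.

```kql
// Added example (not from the posts above). Scores Defender "High" alerts from the last 24h into a
// custom "Critical" tier using title keywords, alert category and the affected devices' weight.
// Keyword/category lists, the "Tier0" group name, weights and threshold are assumptions to tune.
let lookback = 24h;
let critKeywords = dynamic(["ransomware", "encrypt", "wiper", "credential dumping", "lateral movement", "domain controller"]);
let critCategories = dynamic(["Ransomware", "CredentialAccess", "Exfiltration", "LateralMovement"]);
// Latest inventory record per device, weighted by how much its compromise would hurt
let deviceContext =
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, DeviceName, DeviceType, ExposureLevel, MachineGroup) by DeviceId
    | extend DeviceWeight = case(
        DeviceType =~ "Server" or MachineGroup has "Tier0", 3,   // servers / Tier0 group (group name is an assumption)
        ExposureLevel == "High", 2,                                // device is rated highly exposed
        1);
AlertInfo
| where Timestamp > ago(lookback)
| where Severity == "High"                                         // Defender's highest built-in severity
| join kind=leftouter (
    // Devices named as evidence in each alert, enriched with their weight
    AlertEvidence
    | where Timestamp > ago(lookback) and EntityType == "Machine"
    | distinct AlertId, DeviceId
    | join kind=leftouter deviceContext on DeviceId
    | summarize AffectedDevices = dcount(DeviceId), MaxDeviceWeight = max(DeviceWeight), Devices = make_set(DeviceName, 10) by AlertId
  ) on AlertId
| extend KeywordHit = Title has_any (critKeywords)                  // same idea as the keyword list above
| extend CategoryHit = Category in (critCategories)
| extend Score = iff(KeywordHit, 3, 0)
              + iff(CategoryHit, 2, 0)
              + coalesce(MaxDeviceWeight, 1)                        // alerts without device evidence count as weight 1
              + iff(coalesce(AffectedDevices, 0) > 1, 1, 0)         // already spreading across devices
| extend Priority = iff(Score >= 5, "Critical", "High")            // threshold is an assumption
| project Timestamp, AlertId, Title, Category, Severity, Priority, Score, AffectedDevices, Devices, DetectionSource
| sort by Score desc, Timestamp desc
```

Run it as a hunting view, or schedule it and push the "Critical" rows into your ITSM tool. Note that a custom detection rule requires Timestamp and ReportId plus an impacted-asset column in its results, and AlertInfo carries no ReportId, so turning this into a detection rule means anchoring the query on a table that has one (for example the DeviceEvents rows behind the alert) rather than on AlertInfo directly.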