Build Custom Detection Rules with Auto-Response

📋 Overview

About This Lab

In this hands-on lab you will author production-grade custom detection rules in Microsoft Defender XDR using Kusto Query Language (KQL). You will go beyond the built-in detection catalog by writing tailored queries that target suspicious PowerShell activity and lateral movement techniques. Once the queries are validated, you will promote them to scheduled custom detection rules, wire them into Automated Investigation and Response (AIR), define auto-response actions, configure suppression rules to tame false positives, and perform end-to-end validation to confirm that alerts fire and automated remediation triggers correctly.

🏢 Enterprise Use Case

Contoso Ltd, a financial services organization with 5,000 endpoints, has observed a sharp increase in commodity malware that leverages encoded PowerShell commands and RMM tools for initial access, followed by lateral movement via PsExec and WMI. The SOC team needs custom detections that fire within minutes: not hours: and trigger automated containment to limit blast radius during off-hours when analyst coverage drops to a single L1 analyst. By the end of this lab you will have built exactly that pipeline: detection → alert → automated response → suppression of known-good patterns.

🎯 What You Will Learn

Navigate and query the Advanced Hunting schema across DeviceEvents, DeviceProcessEvents, and DeviceNetworkEvents tables
Write precise KQL detections for suspicious PowerShell execution patterns (encoded commands, download cradles, obfuscated scripts)
Write KQL detections for lateral movement techniques (PsExec, WMI remote execution, SMB-based abuse)
Promote a KQL query to a custom detection rule with proper scheduling, entity mapping, and alert enrichment
Configure Automated Investigation and Response (AIR) automation levels and device groups
Define auto-response actions including device isolation, file quarantine, URL blocking, and investigation package collection
Create alert suppression rules scoped by indicator, entity, and time to reduce false positives
Validate the full detection-response pipeline with simulated test events

🔑 Why This Matters

Built-in detections cover a vast threat landscape, but every organization has unique processes, tools, and baseline behaviors that commodity detections cannot account for. Custom detection rules let you close visibility gaps that attackers actively exploit. When paired with automated response, these rules transform your security posture from reactive: waiting for an analyst to triage: to proactive, containing threats in seconds. Suppression rules ensure that automation does not overwhelm your SOC with false positives, keeping signal-to-noise ratios manageable. Mastering this workflow is essential for any security team operating at enterprise scale.

⚙️ Prerequisites

Required Licenses

Microsoft 365 E5 or Microsoft Defender for Endpoint Plan 2
Microsoft Defender XDR (unified portal access)
Microsoft 365 E5 Security add-on (if not E5 full)

Required Roles

Security Administrator or Security Operator in Microsoft Entra ID
Manage security settings permission in Defender XDR (for custom detection rule creation)
Active remediation actions permission (for configuring automated response)
Manage alert suppression permission (for creating suppression rules)

Tools & Environment

A modern browser (Edge, Chrome) with access to security.microsoft.com
At least one Windows device onboarded to Microsoft Defender for Endpoint with active sensor data
PowerShell 5.1+ on a test endpoint for generating simulated events
(Optional) Atomic Red Team for structured attack simulation

⚠️ Important: Only simulate attacks on endpoints you own and that are designated for testing. Running attack-simulation tools on production endpoints without prior authorization violates most security policies and may trigger SOC response procedures.

Step 1 · Understand the Advanced Hunting Schema

Before writing detection rules you need a solid understanding of the data available to you. Microsoft Defender XDR exposes dozens of tables through Advanced Hunting. For endpoint-focused custom detections the three most important tables are DeviceProcessEvents, DeviceEvents, and DeviceNetworkEvents. Each table captures different telemetry and together they provide a full picture of what happened on a device.

Navigate to Advanced Hunting

Open the Microsoft Defender portal at security.microsoft.com
In the left navigation expand Hunting → click Advanced hunting
On the Schema tab, expand the DeviceProcessEvents node to review available columns
Note key columns: Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
Expand DeviceEvents and note the ActionType column: this table captures a wide variety of sensor events
Expand DeviceNetworkEvents and note RemoteUrl, RemoteIP, RemotePort

Run a Baseline Query: DeviceProcessEvents

Start by exploring recent process creation events to familiarize yourself with the data shape:

// BASELINE: Explore recent process creation events on your endpoints
// Purpose: Familiarize yourself with the DeviceProcessEvents table structure
//   before writing detections. This is the most important table for detecting
//   malicious execution on endpoints.
// Key columns:
//   DeviceName              – endpoint hostname
//   FileName                – the process that was launched (e.g., powershell.exe)
//   ProcessCommandLine      – full command line including arguments (key for detection)
//   InitiatingProcessFileName – WHAT launched the process (parent process)
//   AccountName             – the user account that ran the process
// The relationship between InitiatingProcessFileName and FileName reveals
// the process chain (e.g., outlook.exe → powershell.exe = macro attack)
DeviceProcessEvents
| where Timestamp > ago(1h)
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, AccountName
| take 50

Run a Baseline Query: DeviceEvents

Examine the most common ActionType values to understand what the sensor reports:

// BASELINE: Top ActionTypes reported by the MDE sensor in last 24h
// Purpose: Understand what types of events the DeviceEvents table captures.
//   DeviceEvents is a catch-all table for sensor events that don’t fit into
//   the specialized tables (ProcessEvents, FileEvents, etc.).
// Common ActionTypes you’ll see:
//   AntivirusDetection          – AV engine found a threat
//   ExploitGuardNetworkProtect  – network protection blocked a connection
//   CreateRemoteThreadApiCall   – process injection (T1055)
//   PowerShellCommand           – PowerShell script block logging events
//   UsbDriveMounted             – removable media connected
// Output: Count column shows how frequently each type fires.
//   Use this to understand your environment’s noise baseline.
DeviceEvents
| where Timestamp > ago(24h)
| summarize Count = count() by ActionType
| sort by Count desc
| take 20

Run a Baseline Query: DeviceNetworkEvents

Get a quick overview of outbound network connections and the processes initiating them:

// BASELINE: Which processes are making the most outbound connections?
// Purpose: Understand network behavior on your endpoints. The
//   DeviceNetworkEvents table captures all TCP/UDP connections.
// Filters:
//   ActionType == "ConnectionSuccess" – only successful connections
//     (filters out blocked/failed attempts which are higher volume)
// Output: InitiatingProcessFileName – the process that opened the connection
//   High ConnectionCount from unexpected processes (e.g., notepad.exe,
//   rundll32.exe opening network connections) is suspicious.
// Normal: browsers, outlook.exe, teams.exe will have high counts.
// Suspicious: cmd.exe, powershell.exe, certutil.exe with network activity.
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount = count() by InitiatingProcessFileName
| sort by ConnectionCount desc
| take 15

💡 Pro Tip: Use the getschema operator (e.g., DeviceProcessEvents | getschema) to list every column with its data type. This is invaluable when building queries programmatically or when you can't remember the exact column name.

Step 2 · Write KQL Detection for Suspicious PowerShell

PowerShell is the most abused living-off-the-land binary (LOLBin) in enterprise environments. Attackers routinely use encoded commands (-EncodedCommand), download cradles (IEX(New-Object Net.WebClient)), and obfuscation techniques (string concatenation, backtick insertion) to evade static analysis. In this step you will write detection queries that catch these patterns.

Detection 2a: Encoded PowerShell Commands

This query identifies PowerShell processes launched with base64-encoded commands, a hallmark of malware stagers and C2 frameworks:

// DETECTION 2a: Encoded PowerShell Commands
// MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell)
// Why: Base64-encoded commands hide malicious payloads from static analysis.
//   Legitimate automation rarely uses -EncodedCommand; attackers almost always do.
//
// Detection flags:
//   -EncodedCommand / -enc / -ec / -e  – PowerShell’s built-in Base64 decode flag
//   FromBase64String – .NET method used in script to decode payloads inline
//
// Exclusions: svc_sccm and svc_intune are examples of known service accounts
//   that legitimately run encoded commands. Replace with YOUR environment’s
//   service account names.
//
// Key output columns:
//   InitiatingProcessFileName – what launched PowerShell tells you the attack vector:
//     cmd.exe = manual execution; wmiprvse.exe = WMI remote exec;
//     outlook.exe/winword.exe = macro-based attack
//   ReportId – unique event ID required for custom detection rule entity mapping
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "-EncodedCommand",
    "-enc ",
    "-ec ",
    "-e ",
    "FromBase64String"
  )
// Exclude known legitimate automation accounts
| where AccountName !in~ ("svc_sccm", "svc_intune")
| project Timestamp, DeviceName, AccountName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, ReportId
| sort by Timestamp desc

Detection 2b: PowerShell Download Cradles

Download cradles fetch and immediately execute remote payloads. The following query catches the most common variants:

// DETECTION 2b: PowerShell Download Cradles
// MITRE ATT&CK: T1059.001 (PowerShell) + T1105 (Ingress Tool Transfer)
// Why: Download cradles fetch a remote script and execute it immediately
//   in memory, leaving minimal disk artifacts. This is the #1 technique
//   for malware stagers and C2 framework initial access.
//
// Two-stage filter:
//   1. First has_any: checks for download methods
//      Net.WebClient/DownloadString/DownloadFile = .NET web download
//      Invoke-WebRequest/iwr/wget/curl = PowerShell cmdlet aliases
//      Start-BitsTransfer = Windows BITS service download
//      Invoke-RestMethod/irm = REST API download
//   2. Second has_any: checks for immediate execution
//      IEX/Invoke-Expression/iex( = execute downloaded content in memory
//      | iex = pipeline execution (download | invoke pattern)
//
// The combination of download + execute is what makes this dangerous.
//   Download alone might be legitimate; execute alone might be legitimate;
//   both together in PowerShell is almost always malicious.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "Net.WebClient",
    "DownloadString",
    "DownloadFile",
    "Invoke-WebRequest",
    "iwr ",
    "wget ",
    "curl ",
    "Start-BitsTransfer",
    "Invoke-RestMethod",
    "irm "
  )
| where ProcessCommandLine has_any (
    "IEX",
    "Invoke-Expression",
    "iex(",
    "| iex"
  )
| project Timestamp, DeviceName, AccountName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, ReportId

Detection 2c: Obfuscated PowerShell

Attackers insert backticks, carets, or excessive string concatenation to evade signature-based detections. This query uses a heuristic based on the ratio of special characters to command length:

// DETECTION 2c: Obfuscated PowerShell via Special Character Density
// MITRE ATT&CK: T1027 (Obfuscated Files or Information)
// Why: Attackers insert backticks (`), carets (^), and string concatenation (+)
//   to break apart known-bad keywords and evade signature-based detection.
//   Example: I`n`v`o`k`e`-`E`x`p`r`e`s`s`i`o`n evades matching "Invoke-Expression"
//
// Heuristic approach:
//   Instead of matching specific obfuscated patterns (infinite variations),
//   this query measures the RATIO of special characters to total command length.
//   Normal PowerShell commands have < 1% special characters.
//   Obfuscated commands typically have > 5% (the 0.05 threshold).
//
// CmdLen > 100 filter: Short commands don’t need obfuscation detection;
//   the threshold focuses on longer payloads where obfuscation is meaningful.
//
// Output: SpecialTotal shows how many obfuscation characters were found.
//   Values > 20 with CmdLen > 200 are very likely malicious obfuscation.
//   False positives: Some legitimate scripts use backticks for line continuation.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend CmdLen = strlen(ProcessCommandLine)
| extend TickCount = countof(ProcessCommandLine, "`")
| extend CaretCount = countof(ProcessCommandLine, "^")
| extend PlusCount = countof(ProcessCommandLine, "+")
| extend SpecialTotal = TickCount + CaretCount + PlusCount
| where CmdLen > 100
    and (SpecialTotal * 1.0 / CmdLen) > 0.05
| project Timestamp, DeviceName, AccountName,
          ProcessCommandLine, CmdLen, SpecialTotal,
          InitiatingProcessFileName, ReportId

Validate Your Queries

Paste each query into Advanced Hunting and click Run query
Review the results: check for false positives from legitimate automation tools (SCCM, Intune, etc.)
Adjust the where exclusions to suppress known-good activity in your environment
Test the query over 7 days (ago(7d)) to verify result volume is manageable

💡 Pro Tip: Always check the InitiatingProcessFileName column. If PowerShell is launched by cmd.exe or explorer.exe, it is likely user-initiated. If launched by wmiprvse.exe or svchost.exe, it may indicate an automated or remote execution: exactly what you want to detect.

Step 3 · Write KQL Detection for Lateral Movement

Lateral movement is a critical stage in the attack kill chain. Adversaries use legitimate administrative tools: PsExec, WMI, and SMB: to spread across the network. Writing detections for these techniques requires distinguishing between legitimate admin activity and attacker behavior, typically by examining the parent process, timing, and target scope.

Detection 3a: PsExec Execution

PsExec creates a service on the remote machine. Detect both the original SysInternals binary and renamed copies:

// DETECTION 3a: PsExec Execution (original or renamed)
// MITRE ATT&CK: T1569.002 (System Services: Service Execution)
//               T1021.002 (Remote Services: SMB/Windows Admin Shares)
// Why: PsExec is the classic admin tool for remote command execution.
//   Attackers use it for lateral movement by creating a temporary service
//   on the target machine. They often rename psexec.exe to evade filename-based
//   detections, so this query also checks the original file metadata.
//
// Detection logic:
//   1. Direct name match: psexec.exe or psexec64.exe
//   2. Service name match: "psexesvc" in command line (the service PsExec creates)
//   3. Renamed copy detection: FileName is different but
//      ProcessVersionInfoOriginalFileName still shows "psexec.exe"
//      (file metadata is harder to forge than renaming the file)
//
// Output: Check AccountName – is this an expected admin? Check
//   InitiatingProcessFileName – was PsExec launched from cmd.exe (manual)
//   or from another process (automated attack chain)?
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName =~ "psexec.exe"
    or FileName =~ "psexec64.exe"
    or ProcessCommandLine has "psexesvc"
    or (
        // Detect renamed PsExec by original file name metadata
        FileName != "psexec.exe"
        and ProcessVersionInfoOriginalFileName =~ "psexec.exe"
    )
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine, ReportId
| sort by Timestamp desc

Detection 3b: WMI Remote Process Creation

WMI remote process creation uses wmic.exe or the WMI provider (wmiprvse.exe) to spawn processes on remote machines:

// DETECTION 3b: WMI Remote Process Creation
// MITRE ATT&CK: T1047 (Windows Management Instrumentation)
// Why: WMI is a built-in Windows framework for remote administration.
//   Attackers abuse it for fileless lateral movement because:
//   - It’s signed by Microsoft and present on every Windows machine
//   - It doesn’t require additional tools (no PsExec needed)
//   - Processes spawned by wmiprvse.exe can evade parent-process-based rules
//
// Two detection patterns:
//   1. WMIC with /node: targeting a remote host + process call create
//      = explicit remote process creation via the WMIC command-line tool
//   2. Processes spawned by wmiprvse.exe (the WMI provider service)
//      = if WMI spawns PowerShell, cmd, mshta, etc., it’s likely remote execution
//      because normal users don’t interact with WMI directly for these tools
//
// False positives: SCCM, Intune, monitoring agents use WMI heavily.
//   Filter by AccountName to exclude known management service accounts.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where (
    // WMIC with /node targeting a remote host
    FileName =~ "wmic.exe"
    and ProcessCommandLine has "/node:"
    and ProcessCommandLine has "process"
    and ProcessCommandLine has "call"
    and ProcessCommandLine has "create"
  )
  or (
    // Processes spawned by the WMI provider service
    InitiatingProcessFileName =~ "wmiprvse.exe"
    and FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe",
                       "cscript.exe", "wscript.exe", "rundll32.exe")
  )
| project Timestamp, DeviceName, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine, ReportId

Detection 3c: Suspicious SMB Activity

Detect processes that write executables or scripts to remote admin shares (C$, ADMIN$), a common lateral movement pattern:

// DETECTION 3c: Suspicious SMB File Writes to Admin Shares
// MITRE ATT&CK: T1021.002 (Remote Services: SMB/Windows Admin Shares)
//               T1570 (Lateral Tool Transfer)
// Why: During lateral movement, attackers copy malicious executables or
//   scripts to remote admin shares (C$, ADMIN$, IPC$) to stage them
//   for execution on the target machine. This is often paired with
//   PsExec or scheduled task creation.
//
// Detection logic:
//   ActionType == "FileCreated" – a new file was written
//   ShareName in (ADMIN$, C$, IPC$) – administrative shares only
//   File extension filter – executables and scripts (not docs or data)
//
// Output:
//   FolderPath – where the file was written (ADMIN$ = Windows directory)
//   InitiatingProcessFileName – what process wrote the file
//   InitiatingProcessAccountName – the user/account performing the write
//
// False positives: SCCM, PDQ Deploy, and WSUS write to admin shares.
//   Exclude by InitiatingProcessAccountName or InitiatingProcessFileName.
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where ShareName in~ ("ADMIN$", "C$", "IPC$")
| where FileName endswith ".exe"
    or FileName endswith ".dll"
    or FileName endswith ".ps1"
    or FileName endswith ".bat"
    or FileName endswith ".vbs"
| project Timestamp, DeviceName, AccountName,
          FileName, FolderPath, ShareName,
          InitiatingProcessFileName,
          InitiatingProcessAccountName, ReportId

Validate and Tune

Run each query over a 7-day window and review all results
Identify legitimate PsExec usage by your IT team and add exclusions by AccountName or DeviceName
Confirm WMI detections fire when wmiprvse.exe spawns interpreters, not when it runs benign WMI queries
For SMB file writes, check if your software deployment system (SCCM, PDQ Deploy) writes to admin shares: exclude as needed

⚠️ Important: Lateral movement detections are inherently noisy in environments where IT operations rely on PsExec or WMI for remote administration. Budget extra time for tuning. A week of baseline data is the minimum before promoting these to production detection rules.

Step 4 · Create a Custom Detection Rule

Now that your KQL queries are validated, you will promote one to a scheduled custom detection rule. Custom detection rules run on a schedule, automatically generating alerts and populating the incident queue. You will configure the rule name, frequency, entity mapping, and alert enrichment.

Prepare Your Query for Detection

Custom detection rules require specific column names for entity mapping. Modify your query to include the required columns:

// PRODUCTION-READY: Encoded PowerShell Detection Rule Query
// MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell)
// Purpose: This is the final query optimized for promotion to a custom
//   detection rule. It includes entity mapping columns required by Defender XDR.
//
// Entity mapping columns (configure in portal when creating rule):
//   DeviceId + DeviceName  → Device entity (enables device page, isolation)
//   AccountObjectId + AccountName + AccountDomain → User entity
//   ReportId → unique event identifier for deduplication
//   AlertTitle → dynamic alert name that includes device and user context
//
// Scheduling: Set frequency to 1 hour, lookback to 1 hour (matches ago(1h)).
//   The query runs every hour and scans the last hour of data.
// Service account exclusions: Replace svc_sccm/svc_intune with YOUR accounts.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "-EncodedCommand", "-enc ", "-ec ", "-e ",
    "FromBase64String"
  )
| where AccountName !in~ ("svc_sccm", "svc_intune")
// Entity mapping columns (required for custom detection)
| extend AlertTitle = strcat("Encoded PowerShell on ", DeviceName,
                              " by ", AccountName)
| project Timestamp, ReportId,
          // Device entity
          DeviceId, DeviceName,
          // Account entity
          AccountObjectId, AccountName, AccountDomain,
          // Process entity
          FileName, ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          AlertTitle

Create the Rule in the Portal

In Advanced Hunting, paste the final query and click Run query to validate it returns results
Click Create detection rule in the toolbar
On the Detection rule details page:
- Rule name: Encoded PowerShell Execution Detected
- Alert severity: Medium
- Category: Execution
- Description: Detects PowerShell processes launched with base64-encoded commands, commonly used by malware stagers and C2 frameworks
- MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell)
On the Set actions page, leave defaults for now (we will configure automated response in Step 6)
On the Scope page:
- Frequency: Every 1 hour (or as frequently as every 15 minutes for critical rules)
- Lookback: 1 hour (should match the ago() value in your query)
On the Entity mapping page:
- Map Device to DeviceId and DeviceName
- Map User to AccountObjectId, AccountName, AccountDomain
Review and click Create

Verify Rule Creation

Navigate to Hunting → Custom detection rules
Confirm your rule appears with Status: On
Click the rule to verify the Last run timestamp and Next run schedule
Optionally click Run now to trigger an immediate execution

💡 Pro Tip: Always include ReportId in your query projection. Defender XDR uses ReportId as the unique event identifier for alert correlation and deduplication. Without it, you may see duplicate alerts for the same event.

Step 5 · Configure Automated Investigation & Response (AIR)

Automated Investigation and Response (AIR) allows Defender XDR to automatically investigate alerts, determine the scope of a threat, and take remediation actions. Before wiring your custom detection rules to auto-response actions, you need to ensure AIR is properly configured with the right automation levels and device groups.

Understand Automation Levels

Defender XDR offers four automation levels:

No automated response: All actions require manual approval: suitable for initial rollout
Semi: require approval for any remediation: AIR investigates but pauses before taking action
Semi: require approval for non-temp folders: Auto-remediates files in temp directories; pauses for others
Full: remediate threats automatically: AIR investigates and remediates without analyst approval: recommended for mature SOCs

Configure Device Groups

Go to Settings → Endpoints → Device groups
Click + Add device group
Configure the following:
- Name: High-Value Servers
- Automation level: Semi: require approval for any remediation
- Members: Define a rule: Device tag equals HVA
Create a second group:
- Name: Standard Workstations
- Automation level: Full: remediate threats automatically
- Members: Define a rule: OS Platform equals Windows10+ and Device tag does not equal HVA
Click Done and allow up to 30 minutes for device group membership to recalculate

Enable Auto-Investigation in Defender Settings

Go to Settings → Endpoints → Advanced features
Ensure Automated Investigation is toggled On
Ensure Automatically resolve alerts is toggled On (this closes alerts when AIR determines them remediated)
Ensure Allow or block file is toggled On (required for file quarantine actions)

⚠️ Important: Setting high-value servers to "Semi" automation is a common best practice. Full automation on domain controllers or financial systems carries risk if a false positive triggers automatic isolation. Use differentiated automation levels based on business criticality.

💡 Pro Tip: Tag your devices in Defender for Endpoint using Settings → Endpoints → Device inventory or via the MDE API. Tags make device group membership rules clean and maintainable. Use tags like HVA, PAW, TestLab to segment your fleet.

Step 6 · Build Auto-Response Actions

With AIR configured, you can now attach automated response actions directly to your custom detection rules. These actions execute immediately when the rule fires, providing near-real-time containment. Defender XDR supports four primary auto-response actions on devices: isolate, quarantine file, block URL/IP, and collect investigation package.

Edit Your Custom Detection Rule

Navigate to Hunting → Custom detection rules
Click on Encoded PowerShell Execution Detected
Click Edit in the toolbar
Navigate to the Actions tab

Action 1: Isolate Device

Under Device actions, check Isolate device
Select Full isolation (blocks all network traffic except the Defender for Endpoint service channel)
This action maps to the DeviceId entity from your query
When triggered, the device is immediately isolated and an analyst can release it from the device page

Action 2: Quarantine File

Under File actions, check Quarantine file
Map to the file SHA1 from InitiatingProcessSHA1 or add SHA1 to your query projection
When a file is quarantined, it is removed from all devices in your organization and stored in Defender quarantine

Action 3: Block URL/IP via Indicators

If your detection query joins with DeviceNetworkEvents and surfaces a malicious URL or IP, you can create a block indicator automatically:

Navigate to Settings → Endpoints → Indicators
Click + Add indicator and select URLs/Domains or IP addresses
For automated blocking, use the Defender XDR API to create indicators programmatically when custom detections fire
Set the Action to Block and remediate
Set Severity and Expiration as appropriate

Action 4: Collect Investigation Package

Under Device actions, check Collect investigation package
This action gathers forensic artefacts from the device including running processes, registry hives, network connections, and event logs
The package is uploaded to the Defender portal and can be downloaded by analysts for offline analysis
Use this for medium-severity detections where isolation would be disruptive but immediate forensic data is needed

Save the Rule

Review all configured actions on the summary page
Click Save
Verify the actions column now shows icons for the configured response actions

💡 Pro Tip: Start with Collect investigation package as your only auto-response action for the first week. Review the alerts that fire and confirm they are true positives before enabling Isolate device. This incremental approach prevents auto-isolating production devices due to false-positive detections.

⚠️ Important: Device isolation is powerful but disruptive. It removes the device from the network immediately. Ensure your auto-isolation rules have been thoroughly tested and false-positive exclusions are in place before enabling this action on production endpoints.

Step 7 · Create Suppression Rules

Even well-tuned detection rules will occasionally fire on legitimate activity. Suppression rules let you silence specific alert instances without disabling the entire detection rule. This keeps your SOC focused on genuine threats while preserving your detection coverage for scenarios you haven't excluded.

When to Use Suppression vs. Query Exclusions

Query exclusion (where clause): Use when you can categorically exclude an entity: e.g., a service account that always runs encoded PowerShell legitimately
Suppression rule: Use when the exclusion is conditional, time-bound, or you want to keep the telemetry for auditing but suppress the alert
Best practice: Start with suppression rules, then promote stable suppressions to query exclusions during your next rule review cycle

Create a Suppression Rule from an Alert

Navigate to Incidents & alerts → Alerts
Find a false-positive alert from your custom detection rule
Open the alert and click Create suppression rule (or Manage alert → Suppress alert)
Configure the suppression conditions:
- IOC type: Select the indicator type (e.g., File name, Command line, Device name)
- Value: Enter the specific value to suppress (e.g., svc_deploy for a deployment service account)
- Scope: Choose This alert rule only or Any alert rule that matches
Set an expiration:
- Never expire: For permanent known-good activity
- Custom date: For time-bound maintenance windows or temporary exclusions
Add a comment explaining why this suppression exists (critical for audit trail)
Click Save

Create a Suppression Rule from Settings

Navigate to Settings → Microsoft Defender XDR → Alert tuning (or Alert suppression)
Click + Add new rule
Select the alert title pattern to match (e.g., Encoded PowerShell Execution Detected)
Define conditions using AND/OR logic:
- AccountName equals svc_backup AND
- DeviceName starts with SRV-BACKUP
Click Save

Review Existing Suppression Rules

Periodically review all suppression rules in Settings → Alert tuning
Check for expired rules that should be cleaned up
Validate that suppressed alerts are genuinely benign: attackers may mimic suppressed patterns
Document all active suppressions in your SOC runbook

💡 Pro Tip: Set a calendar reminder to review suppression rules monthly. Stale suppressions are a common source of detection blind spots. When reviewing, check whether the suppressed entity (service account, device) still exists and still performs the same activity.

Step 8 · Validate Detection Accuracy

The final step is end-to-end validation. You will generate synthetic test events on a test endpoint, wait for the custom detection rule to fire, verify the alert appears in the incident queue, and confirm that automated response actions were triggered. Then you will tune the rule based on the results.

Generate Test Events: Encoded PowerShell

On your test endpoint (not a production device), run the following PowerShell commands to simulate encoded command execution:

# ============================================================
# SIMULATED TEST EVENTS: Encoded PowerShell
# Purpose: Generate endpoint telemetry for detection rule validation.
# IMPORTANT: Run these ONLY on a designated test endpoint, never production.
# These commands are benign but generate the same MDE telemetry as real attacks.
# ============================================================

# Test 1: Encoded Command
# Creates a Base64-encoded "Write-Host" command and runs it via -EncodedCommand.
# The MDE sensor will log this as a powershell.exe process with -EncodedCommand
# in ProcessCommandLine, which should trigger Detection 2a.
$command = 'Write-Host "Detection test. encoded command"'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encoded

# Test 2: Download Cradle
# Attempts to download and execute a script from localhost (will fail safely).
# The MDE sensor logs the full command line including IEX + DownloadString,
# which should trigger Detection 2b.
powershell.exe -Command "IEX(New-Object Net.WebClient).DownloadString('http://127.0.0.1/test.ps1')"

# Test 3: Obfuscated Command
# Uses backtick insertion to break apart known keywords.
# The MDE sensor captures the full command line with backticks intact,
# which should trigger Detection 2c (special character density check).
powershell.exe -Command "I`E`X (N`e`w-O`b`j`e`c`t N`e`t.W`e`b`C`l`i`e`n`t).D`o`w`n`l`o`a`d`S`t`r`i`n`g('http://127.0.0.1/test')"

Generate Test Events: Lateral Movement

Simulate PsExec and WMI activity (use only against your test lab machines):

# ============================================================
# SIMULATED TEST EVENTS: Lateral Movement (PsExec & WMI)
# Purpose: Generate endpoint telemetry for lateral movement detection rules.
# IMPORTANT: Run ONLY on test lab machines. PsExec requires the SysInternals
#   binary to be downloaded first. WMI commands execute locally as stand-ins.
# ============================================================

# Test 1: PsExec local execution
# -accepteula bypasses the EULA prompt; -s runs as SYSTEM account.
# The MDE sensor logs psexec.exe process creation + the psexesvc service creation,
# which should trigger Detection 3a.
.\PsExec.exe -accepteula -s cmd.exe /c "echo Detection Test"

# Test 2: WMI local process creation
# Creates a cmd.exe process via WMI – the MDE sensor will see wmiprvse.exe
# as the parent process of cmd.exe, which triggers Detection 3b.
wmic process call create "cmd.exe /c echo WMI-Test"

# Test 3: WMI remote targeting (using localhost as safe stand-in)
# The /node:127.0.0.1 parameter simulates targeting a remote host.
# In production, this would target another machine’s IP or hostname.
# The MDE sensor logs the wmic.exe command line with /node: + process call create.
wmic /node:127.0.0.1 process call create "cmd.exe /c echo WMI-Remote-Test"

Wait for Detection Rule Execution

Custom detection rules run on their configured schedule (e.g., every 1 hour)
To speed up testing, navigate to Hunting → Custom detection rules
Select your rule and click Run now
Wait 2-5 minutes for the rule to execute and alerts to appear

Verify Alert and Incident Creation

Navigate to Incidents & alerts → Incidents
Look for a new incident correlated to your custom detection
Open the incident and verify:
- The alert title matches your template
- The device entity is correctly mapped
- The user entity is correctly mapped
- The MITRE ATT&CK technique is displayed
- The evidence tab shows the relevant process and command line

Verify Automated Response Actions

Open the alert and navigate to the Investigation tab
Confirm that the automated investigation was triggered
Check the Action center (Actions & submissions → Action center) for pending or completed actions
Verify specific actions:
- Device isolation: Check the device page: it should show "Isolated" status
- Investigation package: Should appear as "Collecting" or "Available" on the device page
- File quarantine: Check Actions → History for the quarantine action
If using a test device, release from isolation after verification

Tune and Iterate

Review the alert for accuracy: did the rule fire on the correct events?
Check for false negatives: manually run the simulated commands again and verify the query catches them in Advanced Hunting
If the query is too broad, add exclusions; if too narrow, broaden the has_any conditions
Run the query over 30 days to estimate alert volume in production
Document your detection rule, expected alert volume, and tuning decisions in your SOC wiki

// ESTIMATE DETECTION RULE ALERT VOLUME (30-day projection)
// Purpose: Before deploying a detection rule to production, run this query
//   to estimate how many alerts it would generate per day over a 30-day period.
//   This helps with SOC capacity planning and false positive assessment.
//
// Output columns (per day):
//   TotalEvents    – number of times the detection would fire
//   UniqueDevices  – how many distinct endpoints triggered it
//   UniqueUsers    – how many distinct user accounts triggered it
//
// Target thresholds:
//   TotalEvents < 10/day    = manageable for manual triage
//   TotalEvents 10-50/day   = consider adding exclusions or raising thresholds
//   TotalEvents > 50/day    = too noisy for production; needs significant tuning
//
// If UniqueDevices or UniqueUsers is very low but TotalEvents is high,
//   a single device/user is generating most alerts → likely a false positive
//   candidate for a suppression rule.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (
    "-EncodedCommand", "-enc ", "-ec ", "-e ",
    "FromBase64String"
  )
| where AccountName !in~ ("svc_sccm", "svc_intune")
| summarize
    TotalEvents = count(),
    UniqueDevices = dcount(DeviceName),
    UniqueUsers = dcount(AccountName)
    by bin(Timestamp, 1d)
| sort by Timestamp asc

💡 Pro Tip: Use the Atomic Red Team framework for repeatable, structured attack simulation. Atomic tests are mapped to MITRE ATT&CK techniques and provide reliable telemetry for validating your custom detections. For encoded PowerShell, use Atomic Test T1059.001-1.

Summary

What You Accomplished

Explored the Advanced Hunting schema and ran baseline queries against DeviceProcessEvents, DeviceEvents, and DeviceNetworkEvents
Wrote three KQL detections for suspicious PowerShell: encoded commands, download cradles, and obfuscated scripts
Wrote three KQL detections for lateral movement: PsExec execution, WMI remote process creation, and SMB admin share abuse
Promoted a KQL query to a scheduled custom detection rule with proper entity mapping, MITRE ATT&CK tagging, and alert enrichment
Configured Automated Investigation and Response (AIR) with differentiated automation levels per device group
Attached auto-response actions (isolate device, quarantine file, collect investigation package) to your custom detection rule
Created suppression rules to silence known false positives while preserving detection coverage
Validated end-to-end detection accuracy by generating synthetic events, verifying alerts, and confirming automated actions

Cost Notes

Custom detection rules run against your existing Advanced Hunting data: no additional cost beyond your M365 E5 or MDE P2 license
Automated response actions (isolation, quarantine) are included in the MDE P2 license
Advanced Hunting data is retained for 30 days by default; extending retention requires Microsoft Sentinel integration
Custom detection rules are limited to 50 rules per tenant for the hourly frequency tier: plan your rule portfolio carefully

Cleanup Steps

Release isolated devices: Go to the device page → click Release from isolation
Restore quarantined files: Go to Actions & submissions → Action center → find the quarantine action → Undo
Disable test rules: If this was a lab exercise, navigate to Custom detection rules and toggle the rule Off or delete it
Remove test suppression rules: Go to Settings → Alert tuning and delete any lab-specific suppressions
Remove test indicators: If you created URL/IP block indicators, remove them from Settings → Indicators

Next Steps

Next Lab: Incident Response: Investigate a Simulated APT Attack
Build additional custom detections for your organization's unique threat landscape (e.g., ransomware precursors, data exfiltration patterns)
Integrate custom detection alerts with Microsoft Sentinel for long-term retention and cross-product correlation
Create a detection engineering lifecycle: develop → test → deploy → monitor → tune → retire
Explore the Defender XDR API for programmatic rule management and CI/CD-based detection-as-code workflows

Resource	Description
Custom detections overview: Microsoft Defender XDR	Overview of custom detection capabilities in the Defender XDR portal
Create and manage custom detection rules	Build automated detection rules from advanced hunting queries
Advanced hunting overview: Microsoft Defender XDR	Proactively search for threats using KQL across workloads
Advanced hunting schema reference	Complete reference for tables and columns in the hunting schema
Automated investigation and response in Microsoft Defender for Endpoint	Configure automated investigation and remediation for endpoint alerts
Automation levels in automated investigation and remediation	Understand and configure automation levels for incident response
Manage alert suppression rules	Create rules to suppress known benign or expected alerts
Respond to your first incident in Microsoft Defender XDR	Step-by-step guide to investigating your first XDR incident