Protective Security Monitoring

Alert monitoring workflows, Secure Score management, ASR rules monitoring, EDR telemetry baselines, and false positive reduction procedures.

Last Updated: 2025-02 Microsoft Defender for Endpoint 13 KQL Queries | 3 Checklists | 7 Procedures

1 Alert Monitoring Workflows

Standardized monitoring workflows ensure consistent coverage across shifts and reduce the risk of missed detections. These checklists and procedures define the minimum operational expectations for SOC analysts monitoring Microsoft Defender for Endpoint.

Shift Handover Procedure

Shift Handover Checklist Required
0 / 7

Daily Monitoring Checklist

Daily Monitoring Checklist Daily
0 / 9

Alert Queue Management

Monitoring Cadence

High/Critical — Real-time (continuous monitoring) | Medium — Every 15 minutes | Low — Hourly sweep | Informational — Daily review batch

2 MDE Secure Score

Microsoft Secure Score for Devices provides a quantitative measure of your endpoint security posture. Regular monitoring and improvement of this score reduces attack surface and strengthens defensive coverage across the fleet.

Secure Score Review Procedure

  1. Navigate to Microsoft 365 Defender portal → Secure Score
  2. Review current Exposure Score (lower is better) and Secure Score for Devices
  3. Identify top security recommendations sorted by impact
  4. Assess implementation feasibility for each recommendation
  5. Create remediation tickets for approved recommendations
  6. Track implementation progress weekly
  7. Report Secure Score trends to management monthly

Devices Not Meeting Secure Configuration

Devices Not Meeting Secure Configuration DeviceTvmSecureConfigurationAssessment Posture

Identifies the top 20 non-compliant secure configurations across the device fleet. Groups by configuration ID and name with a count of non-compliant devices and a sample list of affected device names.

DeviceTvmSecureConfigurationAssessment
| where IsCompliant == 0
| where IsApplicable == 1
| summarize NonCompliantCount = count(),
            Devices = make_set(DeviceName, 10)
    by ConfigurationId, ConfigurationName, ConfigurationCategory
| sort by NonCompliantCount desc
| take 20
Expected Output

Top 20 non-compliant configurations across the fleet. Each row includes the configuration ID, name, category, count of non-compliant devices, and a sample of up to 10 affected device names.

When to Use

Weekly secure posture review. Prioritize remediation tickets based on the non-compliant count to maximize security improvement per remediation effort.

Configuration Compliance Trend

Configuration Compliance Trend DeviceTvmSecureConfigurationAssessment Trending

Calculates the daily compliance percentage over the past 30 days. Tracks the ratio of compliant configurations to total applicable configurations, providing a trend line for security posture improvement.

DeviceTvmSecureConfigurationAssessment
| where Timestamp > ago(30d)
| summarize CompliantCount = countif(IsCompliant == 1),
            TotalCount = count()
    by bin(Timestamp, 1d)
| extend ComplianceRate = round(CompliantCount * 100.0 / TotalCount, 1)
| project Timestamp, ComplianceRate, CompliantCount, TotalCount
| sort by Timestamp asc
Expected Output

Daily compliance percentage over 30 days. Each row includes the date, compliance rate, compliant count, and total count for trending posture improvement over time.

When to Use

Trending posture improvement. Include in monthly management reports to demonstrate security posture trajectory and the impact of remediation efforts.

3 ASR Rules Monitoring

Attack Surface Reduction (ASR) rules are critical preventive controls in Microsoft Defender for Endpoint. Monitoring ASR events ensures rules are operating as expected, identifies candidates for mode promotion (Audit to Block), and surfaces potential business impact from blocked legitimate activities.

ASR Rules Reference

GUID Rule Name Recommended Mode
56a863a9-875e-4185-98a7-b882c64b5ce5 Block abuse of exploited vulnerable signed drivers Block
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c Block Adobe Reader from creating child processes Block
d4f940ab-401b-4efc-aadc-ad5f3c50688a Block all Office applications from creating child processes Block
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block credential stealing from LSASS Block
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block executable content from email client and webmail Block
01443614-cd74-433a-b99e-2ecdc07bfc25 Block executable files from running unless they meet criteria Audit
5beb7efe-fd9a-4556-801d-275e5ffc04cc Block execution of potentially obfuscated scripts Block
d3e037e1-3eb8-44c8-a917-57927947596d Block JavaScript or VBScript from launching downloaded content Block
3b576869-a4ec-4529-8536-b80a7769e899 Block Office applications from creating executable content Block
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Office applications from injecting code into other processes Block
26190899-1602-49e8-8b27-eb1d0a1ce869 Block Office communication apps from creating child processes Block
e6db77e5-3df2-4cf1-b95a-636979351e5b Block persistence through WMI event subscription Block
d1e49aac-8f56-4280-b9ba-993a6d77406c Block process creations originating from PSExec and WMI commands Block
33ddedf1-c6e0-47cb-833e-de6133960387 Block rebooting machine in Safe Mode Block
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block untrusted and unsigned processes that run from USB Block
c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb Block use of copied or impersonated system tools Block
a8f5898e-1dc8-49a9-9878-85004b8a61e6 Block Webshell creation for Servers Block
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block Win32 API calls from Office macros Block
c1db55ab-c21a-4637-bb3f-a12568109d35 Use advanced protection against ransomware Block

ASR KQL Queries

ASR Events Summary (Last 30 Days)

ASR Events Summary (Last 30 Days) DeviceEvents Overview

Provides a high-level summary of all ASR rule events over the past 30 days, grouped by action type. Use this to understand the overall volume and distribution of ASR activity across the environment.

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize EventCount = count() by ActionType
| sort by EventCount desc
Expected Output

List of all ASR action types with their event counts over the last 30 days. Includes both blocked and audited events for each rule.

When to Use

Weekly ASR review meetings. Provides the baseline view of ASR activity to identify noisy rules and confirm expected coverage across the fleet.

ASR Blocked Events with Process Details

ASR Blocked Events with Process Details DeviceEvents Blocked

Retrieves the most recent 100 ASR blocked events with full process details including file name, folder path, command line, and the initiating process. Critical for investigating what was blocked and determining if the block was appropriate.

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| where ActionType endswith "Blocked"
| project Timestamp, DeviceName, ActionType, FileName,
         FolderPath, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
| take 100
Expected Output

Last 100 ASR blocked events with timestamps, device names, rule action types, file names, folder paths, command lines, and parent process names for each blocked action.

When to Use

Daily monitoring of ASR blocks. Investigate any unexpected blocks that may indicate either a real attack or a legitimate application being incorrectly blocked.

ASR Audit Events — Candidates for Block Mode

ASR Audit Events — Candidates for Block Mode DeviceEvents Audit

Summarizes ASR rules currently in audit mode, showing event counts, affected device counts, and sample file names. Used to assess whether audit-mode rules are safe to promote to block mode without causing business disruption.

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| where ActionType endswith "Audited"
| summarize AuditCount = count(),
            Devices = dcount(DeviceName),
            SampleFiles = make_set(FileName, 5)
    by ActionType
| sort by AuditCount desc
Expected Output

List of audited ASR rules with event count, number of affected devices, and up to 5 sample file names that triggered each audit event.

When to Use

Monthly ASR rule promotion review. Rules in audit mode with zero or very low legitimate application triggers are candidates for promotion to block mode.

Top ASR-Triggering Applications

Top ASR-Triggering Applications DeviceEvents Analysis

Identifies the top 25 applications that trigger ASR rules most frequently, along with which specific rules they trigger. Useful for identifying applications that may need exclusions or that represent a security risk.

DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| summarize TriggerCount = count(),
            Rules = make_set(ActionType)
    by FileName, FolderPath
| sort by TriggerCount desc
| take 25
Expected Output

Top 25 applications by ASR trigger count, including file name, folder path, total trigger count, and the list of ASR rules each application triggered.

When to Use

Identifying noisy applications for ASR exclusion review. Applications with high trigger counts across multiple rules may need targeted exclusions or further security assessment.

ASR Rule Coverage per Device

ASR Rule Coverage per Device DeviceEvents Coverage

Shows the number of distinct active ASR rules per device, sorted by fewest rules first. Devices with low active rule counts may have incomplete ASR policy deployment and need investigation.

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| summarize ActiveRules = dcount(ActionType),
            RuleList = make_set(ActionType)
    by DeviceName
| sort by ActiveRules asc
Expected Output

List of devices with their active ASR rule count and the specific rules observed. Devices at the top (fewest rules) are the priority for ASR policy review.

When to Use

Weekly coverage gap analysis. Cross-reference with device groups to identify policy deployment failures or devices that should have additional ASR rules enabled.

4 EDR Telemetry Reference

Microsoft Defender for Endpoint collects telemetry across multiple data tables in Advanced Hunting. Understanding the purpose, key fields, and common use cases for each table is essential for effective threat hunting and alert investigation.

Table Name Description Key Fields Common Use Cases
DeviceProcessEvents Process creation and termination FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256 Suspicious execution, process chains, LOLBins
DeviceNetworkEvents Outbound network connections RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName C2 detection, data exfiltration, lateral movement
DeviceFileEvents File system operations FileName, FolderPath, SHA256, ActionType, FileSize Malware drops, config changes, staging
DeviceRegistryEvents Registry modifications RegistryKey, RegistryValueName, RegistryValueData, ActionType Persistence, config tampering
DeviceLogonEvents Authentication events AccountName, LogonType, RemoteDeviceName, IsLocalAdmin Lateral movement, brute force, anomalous logons
DeviceImageLoadEvents DLL/module loading FileName, FolderPath, SHA256, InitiatingProcessFileName DLL sideloading, injection
DeviceEvents Miscellaneous security events ActionType, AdditionalFields ASR, exploit guard, tamper protection, AMSI
DeviceInfo Device metadata OSPlatform, OSVersion, MachineGroup, PublicIP Asset inventory, compliance

5 Baseline Monitoring KQL Queries

Baseline monitoring identifies deviations from normal environment behavior. These queries compare recent activity against established baselines to surface anomalous processes, network connections, file operations, and authentication patterns that warrant investigation.

Unusual Process Execution (First Seen)

Unusual Process Execution (First Seen) DeviceProcessEvents Baseline

Identifies processes seen for the first time in the last day by comparing against a 30-day baseline. New processes that have never been observed before may indicate malware deployment, unauthorized software, or attacker tools.

let knownProcesses = DeviceProcessEvents
    | where Timestamp between (ago(30d) .. ago(1d))
    | distinct FileName;
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName !in (knownProcesses)
| summarize FirstSeen = min(Timestamp),
            Devices = make_set(DeviceName, 5),
            DeviceCount = dcount(DeviceName),
            CommandLines = make_set(ProcessCommandLine, 3)
    by FileName, InitiatingProcessFileName
| sort by DeviceCount asc
Expected Output

Processes seen for the first time in the last day. Includes file name, parent process, first seen timestamp, sample devices, device count, and sample command lines.

When to Use

Daily baseline deviation check. Processes appearing on a single device are the highest priority for investigation, as they may indicate targeted compromise.

Anomalous Outbound Network Connections

Anomalous Outbound Network Connections DeviceNetworkEvents Network

Detects outbound connections to public IP addresses not seen in the prior 30 days. New external connections may indicate C2 communication, data exfiltration, or newly deployed applications reaching out to the internet.

let baselineIPs = DeviceNetworkEvents
    | where Timestamp between (ago(30d) .. ago(1d))
    | where RemoteIPType == "Public"
    | distinct RemoteIP;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public"
| where RemoteIP !in (baselineIPs)
| summarize ConnectionCount = count(),
            Devices = make_set(DeviceName, 5),
            Ports = make_set(RemotePort),
            Processes = make_set(InitiatingProcessFileName)
    by RemoteIP
| sort by ConnectionCount desc
| take 50
Expected Output

Top 50 new public IP addresses contacted in the last 24 hours. Includes connection count, affected devices, destination ports, and the processes initiating connections.

When to Use

Daily network anomaly detection. Cross-reference flagged IPs with threat intelligence feeds. IPs contacted by a single device on unusual ports are highest priority.

Suspicious File Creation in Temp Directories

Suspicious File Creation in Temp Directories DeviceFileEvents File Activity

Detects creation of executable or script files in temporary directories. Malware frequently stages payloads in temp folders before execution. Legitimate software rarely drops executables into these locations.

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (@"\Temp\", @"\tmp\", @"\AppData\Local\Temp", @"C:\Windows\Temp")
| where FileName endswith ".exe" or FileName endswith ".dll"
    or FileName endswith ".ps1" or FileName endswith ".bat"
    or FileName endswith ".vbs" or FileName endswith ".hta"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Expected Output

All executable and script file creations in temp directories over the last 24 hours. Includes timestamps, device names, file details, SHA256 hashes, and the process that created the file.

When to Use

Daily sweep for malware staging. Pay special attention to executables created by browser processes, Office applications, or scripting engines, as these indicate likely payload delivery.

Registry Run Key Modifications

Registry Run Key Modifications DeviceRegistryEvents Persistence

Monitors modifications to common persistence-related registry keys including Run, RunOnce, Shell Folders, and Winlogon. These are frequently abused by attackers to maintain persistence across reboots.

DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (
    @"CurrentVersion\Run",
    @"CurrentVersion\RunOnce",
    @"CurrentVersion\Explorer\Shell Folders",
    @"CurrentVersion\Winlogon"
)
| project Timestamp, DeviceName, RegistryKey, RegistryValueName,
         RegistryValueData, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AccountName
| sort by Timestamp desc
Expected Output

All registry run key modifications in the last 24 hours with the full registry path, value name, value data, and the process and account that made the modification.

When to Use

Daily persistence monitoring. Correlate with process and file events to build a complete picture of potential persistence mechanisms being established by suspicious actors.

Failed Logon Attempts Spike

Failed Logon Attempts Spike DeviceLogonEvents Authentication

Detects devices with more than 10 failed logon attempts in a single hour, which may indicate brute force attacks, password spraying, or misconfigured services. Also captures the unique accounts targeted.

DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonFailed"
| summarize FailedCount = count(),
            UniqueAccounts = dcount(AccountName),
            Accounts = make_set(AccountName, 10)
    by DeviceName, bin(Timestamp, 1h)
| where FailedCount > 10
| sort by FailedCount desc
Expected Output

Devices with more than 10 failed logon attempts per hour. Includes device name, time bucket, failure count, number of unique accounts, and a sample of the targeted account names.

When to Use

Daily authentication monitoring. High failure counts against multiple unique accounts suggest password spraying. Failures against a single account suggest brute force or lockout issues.

Unsigned DLL Loads in System Processes

Unsigned DLL Loads in System Processes DeviceImageLoadEvents DLL Injection

Identifies DLLs loaded by critical system processes (svchost, lsass, services, explorer) from outside the Windows directory. This pattern is commonly associated with DLL sideloading and process injection attacks.

DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in ("svchost.exe", "lsass.exe", "services.exe", "explorer.exe")
| where InitiatingProcessFolderPath startswith @"C:\Windows\System32"
| where not(FolderPath startswith @"C:\Windows")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
         InitiatingProcessFileName, InitiatingProcessFolderPath
| sort by Timestamp desc
Expected Output

DLLs loaded from non-Windows paths by system-critical processes. Includes timestamps, device names, DLL file details, SHA256 hashes, and the system process that loaded the DLL.

When to Use

Daily DLL injection detection. Any results from this query should be treated as high priority and investigated immediately, as legitimate DLL loads into system processes should originate from Windows directories.

PowerShell Encoded Command Execution

PowerShell Encoded Command Execution DeviceProcessEvents Obfuscation

Detects PowerShell execution using encoded commands or Base64 conversion. Encoded PowerShell is a common technique used by attackers to bypass command-line logging and evade signature-based detections.

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "-e ", "FromBase64")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Expected Output

All encoded PowerShell executions in the last 24 hours with timestamps, device names, full command lines, user accounts, and parent process details.

When to Use

Daily obfuscation detection. Decode the Base64 payload for analysis. Legitimate encoded PowerShell (e.g., SCCM, DSC) should be documented in the approved software list.

Tamper Protection Events

Tamper Protection Events DeviceEvents Tamper Protection

Monitors tamper protection events which fire when something attempts to modify or disable Defender security settings. Tamper protection alerts are high-confidence indicators of malicious activity attempting to weaken defenses.

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "TamperProtection"
| project Timestamp, DeviceName,
         TamperAction = tostring(AdditionalFields.TamperAction),
         TamperTarget = tostring(AdditionalFields.TamperTarget),
         InitiatingProcessFileName, AccountName
| sort by Timestamp desc
Expected Output

All tamper protection events over the last 7 days. Includes timestamps, device names, the specific tamper action attempted, the target setting, the process that attempted the modification, and the account used.

When to Use

Weekly tamper protection review. Any tamper protection event should be treated as a potential indicator of compromise and escalated for immediate investigation.

6 Alert Tuning Procedures

Alert tuning reduces false positive noise while maintaining detection coverage. A disciplined tuning process ensures that suppression rules are well-documented, regularly reviewed, and do not inadvertently mask real threats.

Tuning Procedure Steps

  1. Identify alert generating excessive false positives (>20% FP rate over 7 days)
  2. Analyze FP patterns — common file, process, path, or user
  3. Determine appropriate tuning action (suppression, exclusion, custom detection modification)
  4. Document tuning rationale and expected impact
  5. Implement tuning in MDE portal (suppression rules, indicators with Allow action)
  6. Monitor for 7 days to validate tuning effectiveness
  7. Verify true positives are not being suppressed

Alert Quality Metrics

Metric Description Target Formula
True Positive Rate Percentage of alerts that are actual threats >80% TP / (TP + FP) * 100
False Positive Rate Percentage of alerts that are not threats <20% FP / (TP + FP) * 100
MTTD (Mean Time to Detect) Average time from threat occurrence to alert <1 hour Sum(detection times) / count
MTTT (Mean Time to Triage) Average time from alert to initial assessment <15 min (High) Sum(triage times) / count

7 False Positive Reduction

Systematic false positive reduction improves analyst efficiency, reduces alert fatigue, and allows the team to focus on genuine threats. This section provides a decision tree for FP classification and a documentation template for suppression rules.

FP Decision Tree

FP Documentation Template

False Positive Documentation Checklist Required
0 / 8
Exclusion Review

All suppression rules and exclusions must be reviewed quarterly. Stale exclusions may hide real threats. Maintain an exclusion inventory with justifications and expiry dates.