Query Details

NRT Auto IR High Impact Alert

Query

# AutoIR High Impact Alert

## Query Information

#### Description
This rule can be deployed in your environment as an NRT rule to deal with high-severity alerts. The detection can be mapped to response actions so that an incident is always contained when Ransomware, Hands-on-keyboard or RunMRU is mentioned in the command line. This rule can help to reduce the time to contain.

Only implement this if you are sure that the alert rules in the list will not cause business impact on legitimate activities (or at least have a TP ratio of 90% or above).

#### Risk
High-severity alerts do not always trigger an action to contain an incident. This rule helps to map them to response actions to reduce the time to contain.

#### References
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-take-action?view=o365-worldwide


## Defender XDR
```KQL
// Alerts on Machine or User entities; KQL `in` is case-sensitive, so values must match exactly
AlertEvidence
| where EntityType in ('Machine', 'User')
// Title is matched case-insensitively against the three high-impact alert families
| where Title has_any ('Ransomware', 'Hands-on-keyboard', 'RunMRU')
| where Severity == 'High'
// Move the columns a response action needs to the front of the output
| project-reorder Timestamp, Title, AlertId, Severity, DeviceId, DeviceName, AccountObjectId
```

Explanation

This query is designed to quickly identify and respond to high-severity security alerts related to potential ransomware attacks, direct human interaction with systems (hands-on-keyboard), or suspicious command-line activities (RunMRU). It focuses on alerts involving machines or users and ensures that these alerts are prioritized for containment actions to minimize potential damage.

Here's a simple breakdown of what the query does:

  1. Data Source: It looks at the AlertEvidence table, which contains information about security alerts.

  2. Filter by Entity Type: It filters the data to only include alerts related to machines or users.

  3. Filter by Alert Title: It further narrows down the alerts to those that mention "Ransomware," "Hands-on-keyboard," or "RunMRU" in their titles.

  4. Filter by Severity: Only alerts with a high severity level are considered.

  5. Reorder Columns: The query then moves the timestamp, title, alert ID, severity, device ID, device name, and account object ID to the front of the output, in that order; project-reorder changes the column order, not which columns are returned.

The purpose of this query is to ensure that high-risk alerts are quickly identified and mapped to response actions, helping to contain potential incidents more efficiently. However, it should only be implemented if there's confidence that it won't disrupt legitimate business activities, ideally with a true positive rate of 90% or higher.
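The filter steps above, replayed in Python over constructed AlertEvidence-shaped rows, together with a check of the 90% true-positive threshold the description sets before a title is wired to auto-containment. This is an added example, not code from the original page or its author; the sample rows, the triage history, and the `has_any` substring approximation are assumptions.

```python
# Added example (not part of the original page): replays the rule's filter over
# constructed AlertEvidence-shaped rows and gates auto-containment on the 90% TP
# ratio the description requires. Column and value names mirror the KQL query.
from collections import Counter

TITLE_TERMS = ("Ransomware", "Hands-on-keyboard", "RunMRU")
ENTITY_TYPES = ("Machine", "User")   # KQL `in` is case-sensitive: 'user' would match nothing
MIN_TP_RATIO = 0.90                  # threshold stated in the rule description
OUTPUT_COLS = ("Timestamp", "Title", "AlertId", "Severity",
               "DeviceId", "DeviceName", "AccountObjectId")

# Constructed sample rows; only the columns the query touches are filled in.
SAMPLE_ALERTS = [
    {"Timestamp": "2025-11-04T08:01:00Z", "Title": "Ransomware behavior detected",
     "AlertId": "da-0001", "Severity": "High", "EntityType": "Machine", "DeviceName": "ws01"},
    {"Timestamp": "2025-11-04T08:05:00Z", "Title": "Hands-on-keyboard attack was detected",
     "AlertId": "da-0002", "Severity": "High", "EntityType": "User", "AccountObjectId": "aad-1"},
    {"Timestamp": "2025-11-04T08:07:00Z", "Title": "Suspicious RunMRU modification",
     "AlertId": "da-0003", "Severity": "Medium", "EntityType": "Machine"},   # dropped: not High
    {"Timestamp": "2025-11-04T08:09:00Z", "Title": "Ransomware behavior detected",
     "AlertId": "da-0004", "Severity": "High", "EntityType": "File"},        # dropped: entity type
    {"Timestamp": "2025-11-04T08:11:00Z", "Title": "Password spray attempt",
     "AlertId": "da-0005", "Severity": "High", "EntityType": "User"},        # dropped: title
]

# Constructed triage history (title term, was it a true positive?); RunMRU is noisier.
HISTORY = ([("Ransomware", True)] * 19 + [("Ransomware", False)]
           + [("RunMRU", True)] * 7 + [("RunMRU", False)] * 3)

def has_any(title: str, terms=TITLE_TERMS) -> bool:
    """KQL has_any is case-insensitive; approximated here as substring matching."""
    lowered = title.lower()
    return any(term.lower() in lowered for term in terms)

def run_query(rows, entity_types=ENTITY_TYPES):
    """Mirror the three `where` clauses and the project-reorder of the KQL rule."""
    return [{col: row.get(col) for col in OUTPUT_COLS}
            for row in rows
            if row["EntityType"] in entity_types   # exact match, like KQL `in`
            and has_any(row["Title"])
            and row["Severity"] == "High"]

def tp_ratio_by_title(dispositions):
    """Per-term true-positive ratio from past triage outcomes."""
    hits, total = Counter(), Counter()
    for term, is_tp in dispositions:
        total[term] += 1
        hits[term] += int(is_tp)
    return {term: hits[term] / total[term] for term in total}

def titles_cleared_for_auto_contain(dispositions, min_ratio=MIN_TP_RATIO):
    """Only terms at or above the TP threshold should be wired to auto-containment."""
    return sorted(t for t, r in tp_ratio_by_title(dispositions).items() if r >= min_ratio)
```

Passing `("Machine", "user")` as `entity_types` drops the User-entity alert, which is the case-sensitivity trap to watch for when typing the KQL `in` list.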

Details

Bert-Jan Pals

Released: November 4, 2025

Tables

AlertEvidence

Keywords

AlertEvidence, EntityType, Machine, User, Title, Severity, Timestamp, AlertId, DeviceId, DeviceName, AccountObjectId

Operators

in, has_any, ==, project-reorder