Detect GitHub CLI commands in Microsoft Defender for Endpoint (MDE) Advanced Hunting

December 30, 2022

I will introduce how to detect, with Advanced Hunting in Microsoft Defender for Endpoint (MDE), the log that is generated when CLI commands are issued.

## Overview of the response method

- Devices onboarded to Microsoft Defender for Endpoint (MDE) collect device process events.
- The collected device process events are checked by a Microsoft Defender for Endpoint (MDE) Advanced Hunting custom alert.
- GitHub is used as the sample for the procedure, but other platforms such as GitLab and Bitbucket can also be detected, as long as the information remains in the device process event.

## Setting method

1. In MDE, open [Hunting] > [Advanced hunting], create a new query, and enter the following query.

```kql
DeviceProcessEvents
| where Timestamp > ago(12h)
| where ProcessCommandLine contains "github.com"
| project DeviceId, Timestamp, InitiatingProcessAccountUpn, ProcessCommandLine, ReportId
```

2. On the same screen, create a custom alert that detects the command with [Create detection rule].
3. The items for the custom alert settings are as follows. (Enter any value for items that are not specified.)
   - For "Detection name", I think it would be good to define an easy-to-understand title such as "GitHub command issued".
   - Set "Frequency" to "Every 3 hours".
   - Set "Category" to "Suspicious Activity".
   - Specify "DeviceID" for "Affected entity".
   - "Action" does not need to be specified.
   - Specify any range for "Range".

## Check

- Make sure the custom detection you created is registered under [Hunting] > [Detection Rules] in MDE.
- Issue a command to GitHub and check that the rule fires.
- Alerts can be viewed in MDE under [Incidents & Alerts] > [Incidents].
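The logic of the Advanced Hunting query above, as an added Python example (not part of the original post and not an MDE API): it runs the same filter, a 12-hour window and a case-insensitive `contains` on `ProcessCommandLine` (KQL `contains` is case-insensitive), over a few constructed `DeviceProcessEvents` rows and projects the same columns. It also generalizes the single `"github.com"` literal to a list of hosts so that GitLab or Bitbucket can be covered by one rule, as the post suggests; the `hosts` parameter and the sample rows are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample DeviceProcessEvents rows (not real telemetry).
# Field names follow the Advanced Hunting columns used by the post's query.
NOW = datetime(2022, 12, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"DeviceId": "dev-01", "Timestamp": NOW - timedelta(hours=1),
     "InitiatingProcessAccountUpn": "alice@example.com",
     "ProcessCommandLine": "git.exe clone https://github.com/example/repo.git", "ReportId": 101},
    {"DeviceId": "dev-02", "Timestamp": NOW - timedelta(hours=2),
     "InitiatingProcessAccountUpn": "bob@example.com",
     # command line without the literal "github.com": the post's query does not match it
     "ProcessCommandLine": "gh.exe repo clone example/tools", "ReportId": 102},
    {"DeviceId": "dev-03", "Timestamp": NOW - timedelta(hours=20),
     "InitiatingProcessAccountUpn": "carol@example.com",
     # older than the 12h window: excluded by Timestamp > ago(12h)
     "ProcessCommandLine": "git.exe push https://GitHub.com/example/repo.git", "ReportId": 103},
    {"DeviceId": "dev-04", "Timestamp": NOW - timedelta(minutes=30),
     "InitiatingProcessAccountUpn": "dave@example.com",
     # mixed case: still matched, because KQL `contains` ignores case
     "ProcessCommandLine": "git.exe remote add origin git@GITHUB.com:example/repo.git", "ReportId": 104},
    {"DeviceId": "dev-05", "Timestamp": NOW - timedelta(hours=3),
     "InitiatingProcessAccountUpn": "erin@example.com",
     "ProcessCommandLine": "git.exe clone https://gitlab.com/example/repo.git", "ReportId": 105},
]

# Columns kept by the `project` operator of the post's query.
PROJECTED = ("DeviceId", "Timestamp", "InitiatingProcessAccountUpn", "ProcessCommandLine", "ReportId")


def hunt_git_hosting_commands(events, now, lookback=timedelta(hours=12), hosts=("github.com",)):
    """Apply the post's query to `events`: keep rows newer than `now - lookback` whose
    ProcessCommandLine contains any host in `hosts` (case-insensitive), then project columns.
    `hosts` is this example's extension; the post's query uses the single literal "github.com"."""
    cutoff = now - lookback
    needles = [h.lower() for h in hosts]
    hits = []
    for ev in events:
        if ev["Timestamp"] <= cutoff:          # Timestamp > ago(12h)
            continue
        cmd = ev["ProcessCommandLine"].lower()  # case-insensitive `contains`
        if not any(n in cmd for n in needles):
            continue
        hits.append({k: ev[k] for k in PROJECTED})
    return hits


if __name__ == "__main__":
    for row in hunt_git_hosting_commands(SAMPLE_EVENTS, NOW, hosts=("github.com", "gitlab.com", "bitbucket.org")):
        print(row["DeviceId"], row["InitiatingProcessAccountUpn"], row["ProcessCommandLine"])
```

The dev-02 row shows the limit of matching on the host string alone: a command line that does not carry "github.com" is not returned, so the detection covers only commands that name the host.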