You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.
37
+
38
+
> [!TIP]
39
+
> Alerts raised by custom detections are available over alerts and incident APIs. For more information, see [Supported Microsoft Defender XDR APIs](api-supported.md).
40
+
41
+
### View existing rules
42
+
43
+
To view all existing custom detection rules, navigate to **Hunting** > **Custom detection rules**. The page lists all the rules with the following run information:
44
+
45
+
-**Last run** - When a rule was last run to check for query matches and generate alerts
46
+
-**Last run status** - Whether a rule ran successfully
47
+
-**Next run** - The next scheduled run
48
+
-**Status** - Whether a rule has been turned on or off
49
+
50
+
### View rule details, modify rule, and run rule
51
+
52
+
To view comprehensive information about a custom detection rule, go to **Hunting** > **Custom detection rules** and then select the name of rule. You can then view general information about the rule, including information, its run status, and scope. The page also provides the list of triggered alerts and actions.
53
+
54
+
:::image type="content" source="/defender/media/custom-detect-rules-view.png" alt-text="Screenshot of the Custom detection rule details page in the Microsoft Defender portal." lightbox="/defender/media/custom-detect-rules-view.png":::
55
+
56
+
You can also take the following actions on the rule from this page:
57
+
58
+
-**Run** - Run the rule immediately. This also resets the interval for the next run.
59
+
-**Edit** - Modify the rule without changing the query.
60
+
-**Modify query** - Edit the query in advanced hunting.
61
+
-**Turn on** / **Turn off** - Enable the rule or stop it from running.
62
+
-**Delete** - Turn off the rule and remove it.
63
+
64
+
### View and manage triggered alerts
65
+
66
+
In the rule details screen (**Hunting**\>**Custom detections**\>**[Rule name]**), go to **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:
67
+
68
+
- Manage the alert by setting its status and classification (true or false alert)
69
+
- Link the alert to an incident
70
+
- Run the query that triggered the alert on advanced hunting
71
+
72
+
### Review actions
73
+
74
+
In the rule details screen (**Hunting**\>**Custom detections**\>**[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.
75
+
76
+
> [!TIP]
77
+
> To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
78
+
79
+
> [!NOTE]
80
+
> Some columns in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft Defender XDR](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
-[Learn the advanced hunting query language](advanced-hunting-query-language.md)
87
+
-[Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md)
88
+
-[Microsoft Graph security API for custom detections](/graph/api/resources/security-api-overview?view=graph-rest-beta&preserve-view=true#custom-detections)
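Review bot: the block inserted at new line 37 carries over a garbled sentence in the rule-details paragraph, "You can then view general information about the rule, including information, its run status, and scope"; "including information" should name what is shown (for example "including its description, run status, and scope"), and since this text is being moved anyway this is the place to fix it. Two related points in the same block: the navigation path is written as **Hunting** > **Custom detection rules** in "View existing rules" and "View rule details", but as **Hunting**\>**Custom detections**\>**[Rule name]** in "View and manage triggered alerts" and "Review actions", so the portal node is named two different ways within one section. And the **Run** bullet ("This also resets the interval for the next run") now appears well before the `#### Rule frequency` section that defines the run interval and lookback, so a reader who lands on this section first has no definition of "interval"; either keep this section after the creation walkthrough or add a short pointer to the rule-frequency text where "interval" is first used. Finally, the list items render here as `-**Last run**` with the dash abutting the bold text; confirm the source has `- **Last run**` (dash, space) or the items will not render as a list.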
@@ -132,6 +132,8 @@ With the query in the query editor, select **Create detection rule** and specify
132
132
-**Description** - More information about the component or activity identified by the rule. Strings are sanitized for security purposes so HTML, Markdown, and other code won't work.
133
133
-**Recommended actions** - Additional actions that responders might take in response to an alert.
134
134
135
+
#### Dynamic
136
+
135
137
#### Rule frequency
136
138
137
139
When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback period based on the frequency you choose:
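Review bot: the new `#### Dynamic` heading at new line 136 has no body text; it sits directly above `#### Rule frequency` with only a blank line between them, so the rendered page will show an empty subsection and an empty entry in the on-page TOC. Either add the sentence or two that explain the dynamic option here or hold the heading back until that text is ready. If "Dynamic" is meant to be a frequency option rather than a peer of "Rule frequency", it should be introduced inside the rule-frequency text (alongside the fixed-interval description that follows) instead of as a separate heading before it.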
@@ -271,57 +273,12 @@ After reviewing the rule, select **Create** to save it. The custom detection rul
271
273
>
272
274
> You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.
273
275
274
-
## Manage existing custom detection rules
275
-
276
-
You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.
277
-
278
-
> [!TIP]
279
-
> Alerts raised by custom detections are available over alerts and incident APIs. For more information, see [Supported Microsoft Defender XDR APIs](api-supported.md).
280
-
281
-
### View existing rules
282
-
283
-
To view all existing custom detection rules, navigate to **Hunting** > **Custom detection rules**. The page lists all the rules with the following run information:
284
-
285
-
-**Last run** - When a rule was last run to check for query matches and generate alerts
286
-
-**Last run status** - Whether a rule ran successfully
287
-
-**Next run** - The next scheduled run
288
-
-**Status** - Whether a rule has been turned on or off
289
-
290
-
### View rule details, modify rule, and run rule
291
-
292
-
To view comprehensive information about a custom detection rule, go to **Hunting** > **Custom detection rules** and then select the name of rule. You can then view general information about the rule, including information, its run status, and scope. The page also provides the list of triggered alerts and actions.
293
-
294
-
:::image type="content" source="/defender/media/custom-detect-rules-view.png" alt-text="Screenshot of the Custom detection rule details page in the Microsoft Defender portal." lightbox="/defender/media/custom-detect-rules-view.png":::
295
276
296
-
You can also take the following actions on the rule from this page:
297
-
298
-
-**Run** - Run the rule immediately. This also resets the interval for the next run.
299
-
-**Edit** - Modify the rule without changing the query.
300
-
-**Modify query** - Edit the query in advanced hunting.
301
-
-**Turn on** / **Turn off** - Enable the rule or stop it from running.
302
-
-**Delete** - Turn off the rule and remove it.
303
-
304
-
### View and manage triggered alerts
305
-
306
-
In the rule details screen (**Hunting**\>**Custom detections**\>**[Rule name]**), go to **Triggered alerts**, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:
307
-
308
-
- Manage the alert by setting its status and classification (true or false alert)
309
-
- Link the alert to an incident
310
-
- Run the query that triggered the alert on advanced hunting
311
-
312
-
### Review actions
313
-
314
-
In the rule details screen (**Hunting**\>**Custom detections**\>**[Rule name]**), go to **Triggered actions**, which lists the actions taken based on matches to the rule.
315
-
316
-
> [!TIP]
317
-
> To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
318
-
319
-
> [!NOTE]
320
-
> Some columns in this article might not be available in Microsoft Defender for Endpoint. [Turn on Microsoft Defender XDR](m365d-enable.md) to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft Defender XDR by following the steps in [Migrate advanced hunting queries from Microsoft Defender for Endpoint](advanced-hunting-migrate-from-mde.md).
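Review bot: this hunk deletes the whole `## Manage existing custom detection rules` section, which is the same text added at new line 37, so the net change is a move rather than a rewrite; the copy was carried over verbatim, including the "including information" wording and the mixed `Custom detections` / `Custom detection rules` paths, so those fixes need to go into the new location rather than being lost with this deletion. Check that the trailing NOTE about columns not available in Microsoft Defender for Endpoint (removed here at old line 320) and the API TIP both reached the moved copy, and that after removing the section the false-alerts blockquote at old line 274 is still followed by whatever now closes the page (the hunk header shows 57 lines removed against 12 kept, so confirm the file does not end on the blockquote without a closing Related-articles block).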