Expanded and reorganized the documentation to clarify required roles and permissions for managing custom detections in Microsoft Defender and Microsoft Sentinel. Updated instructions for required columns in detection queries and improved guidance on asset identifiers and user actions.
defender-xdr/custom-detection-rules.md
Lines changed: 14 additions & 8 deletions
@@ -38,23 +38,29 @@ Custom detection rules are rules you design and tweak using [advanced hunting](a
> [!IMPORTANT]
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
-
To manage custom detections, you need to be assigned one of these roles:
+
To manage custom detections, you need roles that let you manage the data that these detections target. For example, to manage custom detections on multiple data sources (Microsoft Defender and Microsoft Sentinel, or multiple Defender workloads), you need all the applicable Defender and Sentinel roles. For more information, see the following sections.
+
+
### Microsoft Defender
+
To manage custom detections on Microsoft Defender data, you need to be assigned one of these roles:
-**Security settings (manage)** - Users with this [Microsoft Defender XDR permission](manage-rbac.md) can manage security settings in the Microsoft Defender portal.
-**Security Administrator** - Users with this [Microsoft Entra role](/azure/active-directory/roles/permissions-reference#security-administrator) can manage security settings in the Microsoft Defender portal and other portals and services.
-**Security Operator** - Users with this [Microsoft Entra role](/azure/active-directory/roles/permissions-reference#security-operator) can manage alerts and have global read-only access to security-related features, including all information in the Microsoft Defender portal. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If you have RBAC configured, you also need the **Manage Security Settings** permission for Defender for Endpoint.
-
-**Microsoft Sentinel Contributor** - Users with this [Azure role](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-contributor) can manage Microsoft Sentinel SIEM workspace data, including alerts and detections. You can assign this role on a specific primary workspace, Azure resource group, or an entire subscription.
-
-
You can manage custom detections that apply to data from specific Microsoft Defender XDR solutions if you have the right permissions for them. For example, if you only have manage permissions for Microsoft Defender for Office 365, you can create custom detections using `Email*` tables but not `Identity*` tables.
+
You can manage custom detections that apply to data from specific Microsoft Defender solutions if you have the right permissions for them. For example, if you only have manage permissions for Microsoft Defender for Office 365, you can create custom detections using `Email*` tables but not `Identity*` tables.
Likewise, since the `IdentityLogonEvents` table holds authentication activity information from both Microsoft Defender for Cloud Apps and Defender for Identity, you need to have manage permissions for both services to manage custom detections querying the said table.
> [!NOTE]
> To manage custom detections, Security Operators must have the Manage Security Settings permission in Microsoft Defender for Endpoint if RBAC is turned on.
+
### Microsoft Sentinel
+
To manage custom detections on Microsoft Sentinel data, you need to be assigned the **Microsoft Sentinel Contributor** role. Users with this [Azure role](/azure/role-based-access-control/built-in-roles/security#microsoft-sentinel-contributor) can manage Microsoft Sentinel SIEM workspace data, including alerts and detections. You can assign this role on a specific primary workspace, Azure resource group, or an entire subscription.
+
+
### Managing required permissions
+
To manage required permissions, a Global Administrator can:
- Assign the Security Administrator or Security Operator role in [Microsoft 365 admin center](https://admin.microsoft.com/) under **Roles**\>**Security Administrator**.
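Review bot: the NOTE that reads "To manage custom detections, Security Operators must have the Manage Security Settings permission in Microsoft Defender for Endpoint if RBAC is turned on." now restates what the **Security Operator** bullet in the same hunk already says ("If you have RBAC configured, you also need the **Manage Security Settings** permission for Defender for Endpoint."), and after this reorganization it sits between the Defender role bullets and the new "### Microsoft Sentinel" heading, where a reader may take it as applying to Sentinel as well. Suggest dropping the NOTE, or folding it into the Security Operator bullet under "### Microsoft Defender", so each requirement is stated once and in the subsection it belongs to.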
@@ -77,14 +83,14 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
To create a custom detection rule using Defender XDR data, the query must return the following columns:
-
1.`Timestamp` - This column sets the timestamp for generated alerts. The query shouldn't manipulate the `Timestamp` and should return it exactly as it appears in the raw event.
+
1.`Timestamp`or `TimeGenerated`- This column sets the timestamp for generated alerts. The query shouldn't manipulate this column and should return it exactly as it appears in the raw event.
-
3.A column or combination of columns that uniquely identify the event in Defender XDR tables:
+
3.**For detections based on XDR tables**, a column or combination of columns that uniquely identify the event in these tables:
- For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
- For Alert* tables, `Timestamp` must appear in the event
- For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
- For all others, `Timestamp` and `ReportId` must appear in the same event
-
4.One of the following columns that contain a strong identifier for an impacted asset:
+
4.A column that contains a strong identifier for an impacted asset. To map an impacted asset automatically in the wizard, project one of the following columns that contain a strong identifier for an impacted asset:
-`DeviceId`
-`DeviceName`
-`RemoteDeviceName`
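Review bot: item 1 now accepts `TimeGenerated`, so the list is meant to cover Sentinel tables too, but item 3 is scoped to "**For detections based on XDR tables**" and nothing in the list says what uniquely identifies an event for a detection built on Sentinel tables; either add the Sentinel counterpart to item 3 or state explicitly that item 3 doesn't apply to them, otherwise a reader building on Sentinel data doesn't know whether the rule can be saved. Two style points in the same hunk: the added line "1.`Timestamp`or `TimeGenerated`- This column sets the timestamp" is missing the spaces around "or" and before the dash (the unchanged "- For Observation* tables, `Timestamp`and `ObservationId`" line has the same problem), and the rewritten item 4 says "a strong identifier for an impacted asset" twice in consecutive sentences; suggest "4. A column that contains a strong identifier for an impacted asset. To map the asset automatically in the wizard, project one of the following columns:".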
@@ -339,7 +345,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul
- Select **Force password reset** to prompt the user to change their password on the next sign in session.
- Both the `Disable user` and `Force password reset` options require the user SID, which are in the columns `AccountSid`, `InitiatingProcessAccountSid`, `RequestAccountSid`, and `OnPremSid`.
-
For more details on user actions, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
+
For more information on user actions, see [Remediation actions in Microsoft Defender for Identity](/defender-for-identity/remediation-actions).
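Review bot: since this hunk only rewords "For more details" to "For more information", it would be worth fixing the unchanged line just above it in the same change: "require the user SID, which are in the columns `AccountSid`, ..." has a subject-verb mismatch and should read "require the user SID, which is in one of the columns ...", and that line puts the `Disable user` and `Force password reset` options in code font while the bullet above it renders the same UI label as **Force password reset**; use one formatting for UI labels throughout the section.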