
Commit 3b4caab

pencil edit
1 parent 35191e4 commit 3b4caab

File tree

1 file changed

+3
-2
lines changed


defender-xdr/custom-detection-rules.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -76,12 +76,13 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
7676

7777
To create a custom detection rule, the query must return the following columns:
7878
1. `Timestamp` - This column is used to set the timestamp for generated alerts. The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
79-
2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
79+
80+
3. A column or combination of columns that uniquely identify the event in Defender XDR tables:
8081
- For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
8182
- For Alert* tables, `Timestamp` must appear in the event
8283
- For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
8384
- For all others, `Timestamp` and `ReportId` must appear in the same event
84-
3. One of the following columns that contain a strong identifier for an impacted asset:
85+
4. One of the following columns that contain a strong identifier for an impacted asset:
8586
- `DeviceId`
8687
- `DeviceName`
8788
- `RemoteDeviceName`
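Review bot: the renumbering leaves a hole in the list. After this change the items read 1 (`Timestamp`), 3 (column or combination of columns that uniquely identify the event), 4 (strong identifier for an impacted asset); the added line 79, which should carry the new item 2, shows no text in this view, so either the item text was dropped from the commit or the renumbering is off by one. Either supply the missing item 2 or restore the original 2/3 numbering so the list stays contiguous. While touching this list, the unchanged context line for Observation* tables reads "`Timestamp`and `ObservationId`"; a space is missing after the closing backtick, which renders the two words run together.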
