Merge pull request #2530 from MicrosoftDocs/maccruz-cdrequired

Ruchika-mittal01 · web-flow · commit 55dcb63dafde · 2025-01-24T02:04:43.000+05:30
Update custom detection requirements
diff --git a/defender-xdr/custom-detection-rules.md b/defender-xdr/custom-detection-rules.md
@@ -71,24 +71,28 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
 
 #### Required columns in the query results
 
-To create a custom detection rule, the query must return the following columns:
 
-- `Timestamp`- Used to set the timestamp for generated alerts
-- `ReportId`- Enables lookups for the original records
-- One of the following columns that identify specific devices, users, or mailboxes:
-  - `DeviceId`
-  - `DeviceName`
-  - `RemoteDeviceName`
-  - `RecipientEmailAddress`
-  - `SenderFromAddress` (envelope sender or Return-Path address)
-  - `SenderMailFromAddress` (sender address displayed by email client)
-  - `RecipientObjectId`
-  - `AccountObjectId`
-  - `AccountSid`
-  - `AccountUpn`
-  - `InitiatingProcessAccountSid`
-  - `InitiatingProcessAccountUpn`
-  - `InitiatingProcessAccountObjectId`
+To create a custom detection rule, the query must return the following columns:
+1. `Timestamp` - Used to set the timestamp for generated alerts
+2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
+      - For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
+      - For Alert* tables, `Timestamp` must appear in the event
+      - For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
+      - For all others, `Timestamp` and `ReportId` must appear in the same event
+3. One of the following columns that contain a strong identifier for an impacted asset:
+      - `DeviceId`
+      - `DeviceName`
+      - `RemoteDeviceName`
+      - `RecipientEmailAddress`
+      - `SenderFromAddress` (envelope sender or Return-Path address)
+      - `SenderMailFromAddress` (sender address displayed by email client)
+      - `RecipientObjectId`
+      - `AccountObjectId`
+      - `AccountSid`
+      - `AccountUpn`
+      - `InitiatingProcessAccountSid`
+      - `InitiatingProcessAccountUpn`
+      - `InitiatingProcessAccountObjectId`
 
 > [!NOTE]
 > Support for additional entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
