File: defender-xdr/advanced-hunting-defender-use-custom-rules.md
Lines changed: 14 additions & 3 deletions
@@ -108,17 +108,28 @@ For editable queries, more options are available:
108
108
109
109
## Create custom analytics and detection rules
110
110
111
-
To help discover threats and anomalous behaviors in your environment, you can create customized detection rules.
111
+
To help discover threats and anomalous behaviors in your environment, you can create customized detection rules. There are two kinds:
112
+
- Analytics rules - to generate detections from rules that query data that is ingested through Microsoft Sentinel
113
+
- Custom detection rules - to generate detections from rules that query data from Defender XDR or from both Microsoft Sentinel and Defender XDR
114
+
115
+
116
+
##### Analytics rules
112
117
113
118
For analytics rules that apply to data ingested through the connected Microsoft Sentinel workspace, select **Manage rules > Create analytics rule**.
114
119
115
120
:::image type="content" source="/defender/media/advanced-hunting-unified-rules.png" alt-text="Screenshot of the options to create custom analytics or detections in the Microsoft Defender portal" lightbox="/defender/media/advanced-hunting-unified-rules.png":::
116
121
117
122
The **Analytics rule wizard** appears. Fill up the required details as described in [Analytics rule wizard—General tab](/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab).
118
123
119
-
You can also create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information.
120
124
121
-
In custom detection rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs, see [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
125
+
##### Custom detection rules
126
+
You can create custom detection rules that query data from both Microsoft Sentinel and Defender XDR tables. Select **Manage rules > Create custom detection**. Read [Create and manage custom detection rules](custom-detection-rules.md) for more information.
127
+
128
+
129
+
In both custom detection and analytics rule creation, you can only query data ingested as analytics logs (that is, not as basic logs or auxiliary logs. See [log management plans](/azure/sentinel/log-plans#log-management-plans) to check the different tiers) otherwise the rule creation won't proceed.
122
130
123
131
If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between **Create custom detection** and **Create analytics rule**.
124
132
133
+
134
+
> [!NOTE]
135
+
> If a Defender XDR table is not set up to stream to log analytics in Microsoft Sentinel but is recognized as a standard table in Microsoft Sentinel, an analytics rule can be created successfully but the rule won't run correctly since no data is actually available in Microsoft Sentinel. For these cases, use the custom detection rule wizard instead.
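Review bot: the heading levels jump from `## Create custom analytics and detection rules` straight to `##### Analytics rules` and `##### Custom detection rules`; use `###` for the two new subsections so the page outline stays consistent. The rewritten restriction sentence also splits a parenthetical across a sentence break: `(that is, not as basic logs or auxiliary logs. See [log management plans](...) to check the different tiers) otherwise the rule creation won't proceed.` Suggest `(that is, not as basic logs or auxiliary logs; see [log management plans](/azure/sentinel/log-plans#log-management-plans) for the different tiers); otherwise, rule creation won't proceed.` In the added note, `log analytics` refers to the Log Analytics workspace and should be capitalized as the product name, and since the point of the note is that such a rule looks enabled but never produces detections, saying so directly (`the rule won't produce any detections because no data is available in Microsoft Sentinel`) would make the operational consequence clearer than `won't run correctly`. Minor: the two consecutive blank lines added before `##### Analytics rules` (new lines 115 and 116) can be collapsed to one.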