defender-endpoint/create-custom-data-collection-rules.md
Lines changed: 4 additions & 5 deletions
@@ -40,13 +40,12 @@ To use custom data collection, check that you have the following prerequisites:
40
40
41
41
- A Microsoft Defender for Endpoint P2 license.
42
42
- A connected [Microsoft Sentinel workspace](/azure/sentinel/quickstart-onboard): required for custom data storage and querying. You can currently only connect one Sentinel workspace per Defender for Endpoint tenant for custom data collection.
43
-
- One of the [supported operating systems](#supported-operating-systems).
44
43
- Dynamic tags configured in [Asset Rule Management](/defender-xdr/configure-asset-rules) for device targeting. To use a tag for custom data collection, the tag should be run at least once.
45
44
46
45
### Supported operating systems
47
46
48
47
-**Windows 10 and 11** with a minimum Defender for Endpoint client version of 10.8805.
49
-
-**Windows 10**: Requires enrollment in [Extended Security Updates (ESU) program](/windows/whats-new/extended-security-updates).
48
+
-Windows 10 requires enrollment in [Extended Security Updates (ESU) program](/windows/whats-new/extended-security-updates).
50
49
51
50
### Performance and limits
52
51
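Review bot: Removing the prerequisite bullet `- One of the [supported operating systems](#supported-operating-systems).` leaves the OS requirement out of the prerequisites checklist, even though the "Supported operating systems" section still sets a minimum client version of 10.8805 and ESU enrollment for Windows 10. Keep the bullet, or fold the link into another prerequisite, so a reader validating prerequisites is still sent to that section before targeting devices. In the new Windows 10 line, "in Extended Security Updates (ESU) program" should read "in the Extended Security Updates (ESU) program", and if the line is meant as a sub-item of the Windows 10 and 11 bullet, confirm its indentation nests it in the rendered list.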
@@ -66,8 +65,8 @@ Custom data collection is included with Microsoft Defender for Endpoint P2 licen
66
65
67
66
:::image type="content" source="media/custom-data-collection/custom-data-collection-main-view.png" alt-text="Screenshot of the main Custom Data Collection page." lightbox="media/custom-data-collection/custom-data-collection-main-view.png":::
68
67
69
-
1.On the top right, select the workspace name to change your workspace.
70
-
1. Select **Create rule**, and in the **General Information** section, type a rule name and description, and select **Next**.
68
+
1.To switch your Microsoft Sentinel workspace, select the workspace name on the top right, and select the workspace.
69
+
1. Select **Create rule**. In the **General Information** section, type a rule name and description, and select **Next**.
71
70
72
71
:::image type="content" source="media/create-custom-data-collection-rules/create-custom-data-collection-rule-general.png" alt-text="Screenshot of creating a rule: General Information page." lightbox="media/create-custom-data-collection-rules/create-custom-data-collection-rule-general.png":::
73
72
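Review bot: The rewritten step 1 ends with "and select the workspace" without saying which workspace to pick, and it presents an optional action as the first numbered step of creating a rule. Something like "(Optional) To switch your Microsoft Sentinel workspace, select the workspace name on the top right, and then select a different workspace" would be clearer. The prerequisites in this same file say only one Sentinel workspace can be connected per tenant for custom data collection, so it is worth stating what a user can actually switch to here. Also confirm the source has a space after the list marker (`1. To`, not `1.To`), otherwise the line does not render as a numbered item.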
@@ -104,7 +103,7 @@ If rules aren't working as expected:
104
103
105
104
Review these considerations when monitoring and troubleshooting custom data collection rules:
106
105
107
-
-[Endpoint detection and response (EDR) exclusions may override custom collection rules.
106
+
- Endpoint detection and response (EDR) exclusions may override custom collection rules.
108
107
- Dynamic tags update approximately every hour. Check the **Custom collection** > **Last run time** column for the status.
109
108
110
109
## Edit, delete, and enable or disable custom data collection rules
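Review bot: The fix on the EDR exclusions bullet drops the stray `[` rather than completing the link it appears to have started, so the troubleshooting item still gives the reader nothing to act on. Because an exclusion that overrides a collection rule means events are silently not collected, link the phrase to the EDR exclusions documentation or add a short pointer to where exclusions are reviewed. If the docs style used here prefers "might" over "may" for possibility, apply it on this line as well.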