defender-endpoint/create-custom-data-collection-rules.md
3 additions & 6 deletions
@@ -51,7 +51,7 @@ To use custom data collection, check that you have the following prerequisites:
51
51
### Performance and limits
52
52
53
53
- Each collection rule can capture up to 25,000 events per device within a 24-hour rolling window. Once the device reaches the limit, telemetry for the specific rule on the specific device stops until the window resets.
54
-
- If the device reaches the threshold early in the cycle, it can take up to 24 hours for telemetry to resume. If the device reaches the limit one hour after the window resets, telemetry resumes after 23 hours.
54
+
- If the device reaches the threshold early in the cycle, it can take up to 24 hours for telemetry to resume. For example, if the device reaches the limit one hour after the window resets, telemetry resumes after 23 hours.
55
55
- If the device reaches the threshold near the end of the window, the delay is shorter. For example, if the device reaches the limit two hours before the window resets, telemetry resumes after two hours.
56
56
- Rule deployment typically takes 20 minutes to one hour.
57
57
- Custom collection operates alongside default Defender for Endpoint configuration without interference.
@@ -78,9 +78,6 @@ Custom data collection is included with Microsoft Defender for Endpoint P2 licen
78
78
1. Add rule conditions to filter the data even further. You can add multiple conditions to refine the data collection. Rule conditions are based on the selected table. For more information, see the respective table link under [Supported event tables](custom-data-collection.md#supported-event-tables).
79
79
80
80
:::image type="content" source="media/create-custom-data-collection-rules/create-custom-data-collection-rule.png" alt-text="Screenshot of creating a rule: Create rule page." lightbox="media/create-custom-data-collection-rules/create-custom-data-collection-rule.png":::
81
-
82
-
> [!NOTE]
83
-
> If you use the **Not equals** operator with an unexpected value, this might select all events. To avoid using large data volumes, combine this operator with other conditions.
84
81
85
82
1. Select **Next**.
86
83
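Review bot: Deleting the `> [!NOTE]` block that sat just before "Select **Next**" removes the only guidance on the **Not equals** operator, which the note said can select all events when given an unexpected value. That interacts directly with the per-rule cap described under "Performance and limits" earlier in this file (25,000 events per device in a 24-hour window, after which telemetry for that rule stops until the window resets): a condition that matches every event will exhaust the cap quickly and silently. If the note is being dropped because the operator's behaviour changed, say so in the commit message; otherwise keep it, or fold a one-line caution into step 1 ("Add rule conditions..."), for example: "Combine **Not equals** with other conditions; on its own it can match all events."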
@@ -107,13 +104,13 @@ If rules aren't working as expected:
107
104
108
105
Review these considerations when monitoring and troubleshooting custom data collection rules:
109
106
110
-
-[Endpoint detection and response (EDR) exclusions](navigate-defender-endpoint-antivirus-exclusions.md) may override custom collection rules.
107
+
-[Endpoint detection and response (EDR) exclusions may override custom collection rules.
111
108
- Dynamic tags update approximately every hour. Check the **Custom collection** > **Last run time** column for the status.
112
109
113
110
## Edit, delete, and enable or disable custom data collection rules
114
111
115
112
- To edit a rule, navigate to **Settings** > **Endpoints** > **Rules** > **Custom Collection**, select the rule you want to edit, and select **Edit**.
116
113
- To delete a rule, select the rule you want to delete, and select **Delete**.
117
-
- To disable or enable a rule, select the rule you want to modify, and select **Enable**or **Disable** under the rule description.
114
+
- To disable or enable a rule, select the rule you want to modify, and select or clear the **Enable** check-box under the rule description.
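Review bot: The added line `-[Endpoint detection and response (EDR) exclusions may override custom collection rules.` removes the link target but keeps the opening `[`, so the bracket is now unbalanced and renders literally (the missing space after the dash, if it is in the source rather than a rendering artifact, also stops the line rendering as a list item). Either restore the link, `- [Endpoint detection and response (EDR) exclusions](navigate-defender-endpoint-antivirus-exclusions.md) may override custom collection rules.`, or, if dropping the link is intentional, write `- Endpoint detection and response (EDR) exclusions may override custom collection rules.`. In the last change of the hunk, `check-box` reads better as `checkbox`.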
defender-endpoint/custom-data-collection.md
1 addition & 1 deletion
@@ -50,7 +50,7 @@ Custom data collection supports the following event tables.
50
50
|**DeviceCustomImageLoadEvents**| Stores data on image loading events, including details about the loaded images and their origins. |[In-portal schema reference](/defender-xdr/advanced-hunting-schema-tables?#get-schema-information-in-the-security-center) or [DeviceImageLoadEvents](/defender-xdr/advanced-hunting-deviceimageloadevents-table) table reference |
51
51
|**DeviceCustomFileEvents**| Stores data on file creation, modification, deletion, and access activities. |[In-portal schema reference](/defender-xdr/advanced-hunting-schema-tables?#get-schema-information-in-the-security-center) or [DeviceFileEvents](/defender-xdr/advanced-hunting-devicefileevents-table) table reference |
52
52
|**DeviceCustomNetworkEvents**| Stores data on network connection events, including IP addresses, ports, and protocols. |[In-portal schema reference](/defender-xdr/advanced-hunting-schema-tables?#get-schema-information-in-the-security-center) or [DeviceNetworkEvents](/defender-xdr/advanced-hunting-devicenetworkevents-table) table reference |
53
-
|**DeviceCustomScriptEvents**| Stores data on script execution activities through Antimalware Scan Interface (AMSI). This table is a new addition and does not have a reference in the default event tables. |[In-portal schema reference](/defender-xdr/advanced-hunting-schema-tables?#get-schema-information-in-the-security-center)|
53
+
|**DeviceCustomScriptEvents**| Stores data on script execution and process details related to any explicit customer request for collection. This table is a new addition and does not have a reference in the default event tables. |[In-portal schema reference](/defender-xdr/advanced-hunting-schema-tables?#get-schema-information-in-the-security-center)|
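Review bot: The new description for **DeviceCustomScriptEvents**, "script execution and process details related to any explicit customer request for collection", is less specific than the text it replaces: it drops the data source (AMSI), and the qualifier about explicit customer requests applies equally to every table in this list, since all custom collection is configured by the customer. State what actually populates the table (which script and process details are recorded, and whether AMSI is still the source) so a reader can tell it apart from DeviceCustomFileEvents and the other rows; if the AMSI reference was removed because it is no longer accurate, note that in the commit message.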