defender-endpoint/attack-surface-reduction-rules-reference.md
2 additions & 2 deletions
@@ -406,8 +406,8 @@ This rule blocks executable files, such as .exe, .dll, or .scr, from launching.
> [!IMPORTANT]
> You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
-
> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and isn't specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
-
> You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+
> This rule uses cloud-delivered protection to update its trusted list regularly.
+
> You can specify individual files or folders by using folder paths or fully qualified resource names. It also supports the **ASROnlyPerRuleExclusions** setting.
Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
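Review bot: the replacement for line 409 drops the statement that this rule, GUID `01443614-cd74-433a-b99e-2ecdc07bfc25`, "is owned by Microsoft and isn't specified by admins", which is the one sentence in this note telling readers that the trusted list is not something they configure; if that is still true, keep it next to the retained "This rule uses cloud-delivered protection to update its trusted list regularly.", and if it is no longer true, say so explicitly instead of removing it silently. The new line 410 reverses the old "you can't specify which rules or exclusions apply to" by adding "It also supports the **ASROnlyPerRuleExclusions** setting"; link that setting name to where per-rule exclusions are documented, and check that any other statement on this page saying ASR exclusions apply to all rules has been updated to match. The IMPORTANT note above still requires cloud-delivered protection, which is consistent with the trusted-list sentence that was kept.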
defender-xdr/custom-detection-rules.md
7 additions & 7 deletions
@@ -6,10 +6,10 @@ ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
- NOCSH
-
ms.author: maccruz
-
author: schmurky
+
ms.author: pauloliveria
+
author: poliveria
ms.localizationpriority: medium
-
manager: dansimp
+
manager: orspodek
audience: ITPro
ms.collection:
- m365-security
@@ -22,7 +22,7 @@ appliesto:
- Microsoft Defender XDR
- Microsoft Sentinel in the Microsoft Defender portal
ms.topic: how-to
-
ms.date: 05/07/2025
+
ms.date: 07/29/2025
---
# Create custom detection rules
@@ -127,13 +127,13 @@ DeviceEvents
With the query in the query editor, select **Create detection rule** and specify the following alert details:
-**Detection name** - Name of the detection rule; should be unique
-
-**Frequency** -Interval for running the query and taking action. [See more guidance in the rule frequency section](#rule-frequency)
-
-**Alert title** - Title displayed with alerts triggered by the rule; should be unique and in plaintext. Strings are sanitized for security purposes so HTML, Markdown, and other code won't work.
+
-**Frequency** -Interval for running the query and taking action. [See more guidance in the rule frequency section](#rule-frequency)
+
-**Alert title** - Title displayed with alerts triggered by the rule; should be unique and in plaintext. Strings are sanitized for security purposes so HTML, Markdown, and other code won't work. Any URLs included in the title should follow the [percent-encoding format](https://en.m.wikipedia.org/wiki/Percent-encoding) for them to display properly.
-**Severity** - Potential risk of the component or activity identified by the rule.
-**Category** - Threat component or activity identified by the rule.
-**MITRE ATT&CK techniques** - One or more attack techniques identified by the rule as documented in the [MITRE ATT&CK framework](https://attack.mitre.org/). This section is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software.
-**Threat analytics report** - Link the generated alert to an existing threat analytics report so that it appears in the [Related incidents](threat-analytics.md#set-up-custom-detections-and-link-them-to-threat-analytics-reports) tab in threat analytics
-
-**Description** - More information about the component or activity identified by the rule. Strings are sanitized for security purposes so HTML, Markdown, and other code won't work.
+
-**Description** - More information about the component or activity identified by the rule. Strings are sanitized for security purposes so HTML, Markdown, and other code won't work. Any URLs included in the description should follow the percent-encoding format for them to display properly.
-**Recommended actions** - Additional actions that responders might take in response to an alert.
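Review bot: "Any URLs included in the title should follow the percent-encoding format" on the new line 131 (and the matching sentence on the new line 136 for Description) is ambiguous: it can be read as "percent-encode the whole URL" or as "percent-encode reserved characters such as spaces, `&`, `<` and `>` inside the URL". State which is meant, give one concrete example (for instance a path containing a space written with `%20`), and say that this is needed because the sanitization described in the preceding sentence strips or escapes those characters, otherwise readers will not know why a plain URL renders broken. The Description sentence should carry the same link as the title sentence, or point back to it, so a reader landing on line 136 alone knows which format is meant; and prefer the canonical https://en.wikipedia.org/wiki/Percent-encoding over the mobile en.m.wikipedia.org URL. Minor: since line 130 is rewritten in this hunk anyway, "-**Frequency** -Interval" is missing the space after the second dash and should read "- Interval".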