From 601599de8f97848ca158e26b2ba7eaa4984a1452 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 3 Mar 2020 16:55:26 -0800 Subject: [PATCH 1/2] Update custom-detection-rules.md --- .../microsoft-defender-atp/custom-detection-rules.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index c5a436c489..5254713db3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,7 +1,7 @@ --- title: Create and manage custom detection rules in Microsoft Defender ATP ms.reviewer: -description: Learn how to create and manage custom detections rules based on advanced hunting queries +description: Learn how to create and manage custom detection rules based on advanced hunting queries keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -19,7 +19,7 @@ ms.topic: article --- -# Create and manage custom detections rules +# Create and manage custom detection rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -34,7 +34,7 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. #### Required columns in the query results -To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don’t use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. +To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. From 70c0dd8239e6d8f09febc66c83f203c29fa98832 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 3 Mar 2020 17:00:54 -0800 Subject: [PATCH 2/2] Update TOC.md --- windows/security/threat-protection/TOC.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 55521c5955..8b97a7b7b7 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -136,8 +136,8 @@ #### [Custom detections]() -##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) -##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) +##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) +##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)