Merge pull request #2197 from MicrosoftDocs/lomayor-cust-det-fixes

Update custom-detection-rules.md
Louie Mayor 2020-03-03 18:06:40 -08:00 committed by GitHub
commit 210775fca8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 5 deletions

View File

@ -136,8 +136,8 @@
#### [Custom detections]() #### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) ##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) ##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
### [Management and APIs]() ### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
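Review bot: the new TOC label `Create and manage detection rules` drops the word "custom", so it no longer matches the page title `Create and manage custom detection rules in Microsoft Defender ATP` or the H1 `# Create and manage custom detection rules` that this same commit settles on in the second file; suggest `##### [Create and manage custom detection rules](microsoft-defender-atp/custom-detection-rules.md)` so the navigation entry and the page use one term.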

View File

@ -1,7 +1,7 @@
--- ---
title: Create and manage custom detection rules in Microsoft Defender ATP title: Create and manage custom detection rules in Microsoft Defender ATP
ms.reviewer: ms.reviewer:
description: Learn how to create and manage custom detections rules based on advanced hunting queries description: Learn how to create and manage custom detection rules based on advanced hunting queries
keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
@ -19,7 +19,7 @@ ms.topic: article
--- ---
# Create and manage custom detections rules # Create and manage custom detection rules
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -34,7 +34,7 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
#### Required columns in the query results #### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that dont use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
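Review bot: the `dont` fix leaves `When using an new query` on the first line of this hunk untouched; while editing this paragraph, change it to `When using a new query`. Two smaller points on the same hunk: the last line says "each machine" right after naming the `DeviceId` column, so "each device" keeps the terminology consistent, and the sentence describes getting `Timestamp` and `ReportId` "from the most recent event" without showing how; a one-line illustration such as `| summarize count(), arg_max(Timestamp, ReportId) by DeviceId` (projecting the returned columns back to `Timestamp` and `ReportId` if the aggregation renames them) would make the required-columns rule concrete for readers building aggregated rules.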