mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
acrotweaks
@ -25,7 +25,7 @@ ms.topic: article
|
|||||||
|
|
||||||
Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
|
Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
|
||||||
|
|
||||||
Read this article to learn how to create new custom detection rules, or [see viewing and managing existing rules](custom-detections-manage.md).
|
Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
|
||||||
|
|
||||||
## Required permissions
|
## Required permissions
|
||||||
|
|
||||||
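Review bot: splitting "create new custom detection rules, or [see viewing and managing existing rules](custom-detections-manage.md)" into two sentences leaves "Or [see viewing and managing existing rules](custom-detections-manage.md)." as a fragment that opens with a conjunction; keep the comma, or recast the second sentence as "To view and manage existing rules, see [viewing and managing existing rules](custom-detections-manage.md)."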
@ -34,7 +34,7 @@ To create or manage custom detections, [your role](user-roles.md#create-roles-an
|
|||||||
## Create a custom detection rule
|
## Create a custom detection rule
|
||||||
### 1. Prepare the query.
|
### 1. Prepare the query.
|
||||||
|
|
||||||
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
|
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
|
||||||
|
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
|
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
|
||||||
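Review bot: the IMPORTANT note says each rule "is limited to generating only 100 alerts whenever it runs" but not what happens to matches beyond that cap, and that consequence is the real reason the reader is told to tune the query; if matches past the cap simply produce no alert, say so, so readers understand that a query that fires on day-to-day activity can crowd out the hits they actually care about.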
@ -64,7 +64,7 @@ With the query in the query editor, select **Create detection rule** and specify
|
|||||||
- **Alert title**—title displayed with alerts triggered by the rule
|
- **Alert title**—title displayed with alerts triggered by the rule
|
||||||
- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
|
- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
|
||||||
- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
|
- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
|
||||||
- **MITRE ATT&CK techniques** — one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section does not apply and is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software
|
- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with alert categories, such as malware, ransomware, suspicious activity, and unwanted software
|
||||||
- **Description**—more information about the component or activity identified by the rule
|
- **Description**—more information about the component or activity identified by the rule
|
||||||
- **Recommended actions**—additional actions that responders might take in response to an alert
|
- **Recommended actions**—additional actions that responders might take in response to an alert
|
||||||
|
|
||||||
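Review bot: "This section is not available with alert categories, such as malware, ransomware, suspicious activity, and unwanted software" drops the "certain" from the old line and now reads as though no alert category supports ATT&CK techniques; suggest "This section is not available for certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software".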
@ -88,7 +88,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul
|
|||||||
- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
|
- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
|
||||||
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
|
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
|
||||||
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
|
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
|
||||||
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device
|
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
|
||||||
|
|
||||||
#### Actions on files
|
#### Actions on files
|
||||||
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
|
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
|
||||||
|
@ -40,7 +40,7 @@ To view all existing custom detection rules, navigate to **Settings** > **Custom
|
|||||||
|
|
||||||
## View rule details, modify rule, and run rule
|
## View rule details, modify rule, and run rule
|
||||||
|
|
||||||
To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
|
To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the the following information:
|
||||||
|
|
||||||
- General information about the rule, including the details of the alert, run status, and scope
|
- General information about the rule, including the details of the alert, run status, and scope
|
||||||
- List of triggered alerts
|
- List of triggered alerts
|
||||||
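Review bot: the new line has a doubled word, "displays the the following information"; while touching this sentence, the unchanged "select the name of rule" is missing an article and should read "select the name of the rule".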
@ -51,7 +51,7 @@ To view comprehensive information about a custom detection rule, select the name
|
|||||||
|
|
||||||
You can also take the following actions on the rule from this page:
|
You can also take the following actions on the rule from this page:
|
||||||
|
|
||||||
- **Run** — run the rule immediately. This also resets the interval for the next run.
|
- **Run**—run the rule immediately. This action also resets the interval for the next run.
|
||||||
- **Edit**—modify the rule without changing the query
|
- **Edit**—modify the rule without changing the query
|
||||||
- **Modify query**—edit the query in advanced hunting
|
- **Modify query**—edit the query in advanced hunting
|
||||||
- **Turn on** / **Turn off**—enable the rule or stop it from running
|
- **Turn on** / **Turn off**—enable the rule or stop it from running
|
||||||
|
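Review bot: the Run bullet now ends "This action also resets the interval for the next run." with a full stop while the Edit, Modify query and Turn on / Turn off bullets in the same list have no terminal punctuation; pick one style for the list.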