Merge pull request #445 from MicrosoftDocs/custdetperm-wdatp-lomayor

Custom detections - Required permissions
This commit is contained in:
lomayor 2019-06-13 14:59:43 -07:00 committed by GitHub
commit 46b556cc40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 4 deletions

@ -23,6 +23,10 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
>[!NOTE]
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
1. In the navigation pane, select **Advanced hunting**.
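Review bot: The permission name in the added note is written in lowercase bold ("**manage security settings**"), while the same hunk set in user-roles.md lists it as "**Manage security settings**"; match the capitalization so readers can find the entry by name. Also worth a quick check that the anchor `#create-roles-and-assign-the-role-to-an-azure-active-directory-group` resolves to an existing heading in user-roles.md before merging.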

@ -24,13 +24,16 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats.
Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious events or emerging threats.
This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
This can be done by leveraging the power of [Advanced hunting](overview-hunting.md) through the creation of custom detection rules.
Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system.
This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats.
>[!NOTE]
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
## Related topic
- [Create custom detection rules](custom-detection-rules.md)
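Review bot: The reworded sentence now reads "monitor events for any kind of behavior such as suspicious events or emerging threats", which repeats "events" and pairs a behavior with an event; suggest "such as suspicious activity or emerging threats". The added note uses the lowercase "**manage security settings**" again, while the same PR's user-roles.md hunk capitalizes it, so align the two; the unchanged context on the next line ("pro-actively prevent threats") also sits oddly beside the earlier statement that custom detections create alerts, and could be tightened to "proactively detect" while you are in this file.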

@ -45,7 +45,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
>[!NOTE]
>This setting is only available in the Microsoft Defender ATP administrator (default) role.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Live response capabilities** - Users can take basic or advanced live response commands. <br>
- Basic commands allow users to:
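Review bot: Inserting "create and manage custom detections" between "manage allowed/blocked lists for automation" and "manage folder exclusions for automation" splits the two automation-related items that were previously adjacent; consider placing it after "onboard and offboard machines" or at the end of the list so related capabilities stay grouped. The addition itself is consistent with the two new notes in custom-detection-rules.md and overview-custom-detections.md that point at this permission.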
@ -90,4 +90,4 @@ After creating roles, you'll need to create a machine group and provide access t
## Related topic
- [User basic permissions to access the portal](basic-permissions.md)
- [Create and manage machine groups](machine-groups.md)
- [Create and manage machine groups](machine-groups.md)
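Review bot: This hunk changes only the trailing newline at end of file (the "Create and manage machine groups" line is unchanged), so there is no content to review here; the heading "## Related topic" above it lists two entries and could be pluralized in a follow-up if the docs style allows.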