mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
@ -50,14 +50,14 @@ With the query in the query editor, select **Create detection rule** and specify
For more information about these alert details, [read about managing alerts](manage-alerts.md).
#### Rule frequency
When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations.
When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
- **Every 24 hours** — checks data from the past 30 days
- **Every 12 hours** — checks data from the past 24 hours
- **Every 3 hours** — checks data from the past 6 hours
- **Every hour** — checks data from the past 2 hours
Similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections and your organization's capacity to respond to the alerts.
Similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
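Review bot: the rewritten intro line ("When saved, custom detections rules immediately run ... durations:") still carries the plural attributive "custom detections rules", while the rest of this section uses the singular form, e.g. "Your custom detection rule can automatically take actions" just below; since the line is being touched anyway, suggest "custom detection rules". Adding the colon is the right call now that the sentence directly introduces the frequency list, and the second rewrite ("and consider your organization's capacity to respond to the alerts") reads better than the original run-on.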
@ -66,12 +66,12 @@ Your custom detection rule can automatically take actions on files or machines t
These actions are automatically applied to machines in the `MachineId` column in the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
- **Run antivirus scan** — perform a full Windows Defender Antivirus scan on the machine
- **Initiate investigation** — initiate an [automated investigation](automated-investigations.md) on the machine
- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
#### Actions on files
Select one or more actions to automatically apply to files in the `SHA1` or the `InitiatingProcessSHA1` column in query results:
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule.
Select one or more actions to automatically apply to files in the `SHA1` or the `InitiatingProcessSHA1` column in the query results:
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule.
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
### 4. Click **Create** to save and turn on the rule.
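Review bot: the Allow/Block bullet still does not say what is actually written to the custom indicator list; since the intro line identifies files by the `SHA1` or `InitiatingProcessSHA1` column, suggest stating that it is that hash that is allowed or blocked (e.g. "automatically adds the file's SHA1 hash to your custom indicator list"), so readers understand the indicator is hash-based and why the action scope is independent of the rule scope. The verb fixes in this hunk ("performs", "initiates") correctly bring those two bullets in line with "applies" and "collects" above them.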
@ -90,9 +90,7 @@ To view all existing custom detection rules, navigate to **Settings** > **Custom
### View rule details, modify rule, and run rule
To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**.
This opens a page about the custom detection rule with the following information:
To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
- General information about the rule, including the details of the alert, run status, and scope
- List of triggered alerts
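Review bot: the merged sentence carries over a missing article from the old text: "select the name of rule from the list of rules" should read "select the name of the rule from the list of rules". Joining the two paragraphs is otherwise fine, since "This opens a page about the custom detection rule" directly continues the preceding sentence.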
@ -102,14 +100,14 @@ This opens a page about the custom detection rule with the following information
You can also take the following actions on the rule from this page:
- **Run** — runs the rule immediately. This also resets the interval for the next run.
- **Run** — run the rule immediately. This also resets the interval for the next run.
- **Edit** — modify the rule without changing the query
- **Modify query** — edit the query in Advanced hunting
- **Turn on** / **Turn off** — enable the rule or stop it from running
- **Delete** — turn off the rule and remove it
>[!TIP]
>To quickly view information and take action on an item in a table, use the selection column [✔] at the left of the table.
>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
## Related topic
- [Custom detections overview](overview-custom-detections.md)
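Review bot: this hunk changes "runs the rule immediately" to the imperative "run the rule immediately", which matches its sibling bullets ("modify", "edit", "enable", "turn off"), but the earlier hunk in the same change moved the machine-action bullets to the third person ("performs", "initiates"); pick one verb form for both bulleted lists so the two sections read consistently. The checkmark change in the tip (✔ to ✓) is cosmetic, but since it describes a literal glyph in the portal's selection column, it is worth confirming the new character matches what the UI renders.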
Binary file not shown.
Before Width: | Height: | Size: 118 KiB After Width: | Height: | Size: 118 KiB |