From 9c595dc0316ca23b68bfbd07f3efcd31c9c8f5a7 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 17:02:42 -0700 Subject: [PATCH 1/8] Split, refresh --- windows/security/threat-protection/TOC.md | 5 +- .../custom-detection-rules.md | 60 ++++++----------- .../custom-detections-manage.md | 67 +++++++++++++++++++ .../overview-custom-detections.md | 9 +-- 4 files changed, 93 insertions(+), 48 deletions(-) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 6a30c6da4d..3bab5df58d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -338,8 +338,9 @@ #### [Custom detections]() -##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) -##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) +##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md) +##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md) +##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md) ### [Behavioral blocking and containment]() #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 223e5b4295..a6f7579d12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
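Review bot: The new `TOC.md` entries drift from the titles of the articles they point to: `##### [View & manage detection rules]` uses an ampersand while the new page is titled "View and manage custom detection rules", and `##### [Create detection rules]` keeps that wording even though PATCH 5/8 later retitles the article to "Create custom detection rules" without touching `TOC.md`. Use the same wording in both places, for example `##### [Create custom detection rules](microsoft-defender-atp/custom-detection-rules.md)` and `##### [View and manage custom detection rules](microsoft-defender-atp/custom-detections-manage.md)`, and make the TOC change in the same commit as the title change so the two cannot land out of step.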
@@ -1,7 +1,7 @@ --- -title: Create and manage custom detection rules in Microsoft Defender ATP +title: Create detection rules in Microsoft Defender ATP ms.reviewer: -description: Learn how to create and manage custom detection rules based on advanced hunting queries +description: Learn how to create custom detection rules based on advanced hunting queries keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -23,10 +23,13 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -> [!NOTE] -> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +Read this article to learn how to create new custom detection rules, or [see viewing and managing existing rules](custom-detections-manage.md). + +## Required permissions + +To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Create a custom detection rule ### 1. Prepare the query. 
@@ -61,6 +64,7 @@ With the query in the query editor, select **Create detection rule** and specify - **Alert title** — title displayed with alerts triggered by the rule - **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) - **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) +- **MITRE ATT&CK techniques** — one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section does not apply and is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software - **Description** — more information about the component or activity identified by the rule - **Recommended actions** — additional actions that responders might take in response to an alert 
@@ -91,44 +95,20 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` - **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file** — deletes the file from its current location and places a copy in quarantine -### 4. Click **Create** to save and turn on the rule. +### 4. Set the rule scope. +Set the scope to specify which devices are covered by the rule: + +- All devices +- Specific device groups + +Only data from devices in scope will be queried. Also, actions will be taken only on those devices. + +### 5. Review and turn on the rule. After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. -## Manage existing custom detection rules -In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. -### View existing rules - -To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information: - -- **Last run** — when a rule was last run to check for query matches and generate alerts -- **Last run status** — whether a rule ran successfully -- **Next run** — the next scheduled run -- **Status** — whether a rule has been turned on or off - -### View rule details, modify rule, and run rule - -To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. 
This opens a page about the custom detection rule with the following information: - -- General information about the rule, including the details of the alert, run status, and scope -- List of triggered alerts -- List of triggered actions - -![Custom detection rule page](images/atp-custom-detection-rule-details.png)
-*Custom detection rule page* - -You can also take the following actions on the rule from this page: - -- **Run** — run the rule immediately. This also resets the interval for the next run. -- **Edit** — modify the rule without changing the query -- **Modify query** — edit the query in advanced hunting -- **Turn on** / **Turn off** — enable the rule or stop it from running -- **Delete** — turn off the rule and remove it - ->[!TIP] ->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. - -## Related topic +## Related topics +- [View and manage detection rules](custom-detections-manage.md) - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md new file mode 100644 index 0000000000..cb58a0ae93 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md 
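Review bot: The new step `### 4. Set the rule scope.` states `Only data from devices in scope will be queried. Also, actions will be taken only on those devices.`, but the **Allow/Block** bullet just above it says that action's device-group scope `is independent of the scope of the rule`. For the indicator action these two sentences contradict each other; either qualify the step-4 sentence (device actions and quarantine apply only to in-scope devices, while the allow/block indicator uses the scope chosen for it) or drop the independence claim from the bullet, whichever matches product behaviour. The step-5 text also still says `click **Create**`, which PATCH 4/8 changes to `select` in a separate one-line commit; squash that into this one.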
@@ -0,0 +1,67 @@ +--- +title: View and manage custom detection rules in Microsoft Defender ATP +ms.reviewer: +description: Learn how to view and manage custom detection rules +keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + + +# View and manage custom detection rules +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Manage your existing [custom detection rules](custom-detections-rules.md) to ensure they are effectively finding threats and taking actions on threats you want to address proactively. Learn how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. + +## Required permissions + +To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. + +## View existing rules + +To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. 
The page lists all the rules with the following run information: + +- **Last run** — when a rule was last run to check for query matches and generate alerts +- **Last run status** — whether a rule ran successfully +- **Next run** — the next scheduled run +- **Status** — whether a rule has been turned on or off + +## View rule details, modify rule, and run rule + +To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information: + +- General information about the rule, including the details of the alert, run status, and scope +- List of triggered alerts +- List of triggered actions + +![Custom detection rule page](images/atp-custom-detection-rule-details.png)
+*Custom detection rule page* + +You can also take the following actions on the rule from this page: + +- **Run** — run the rule immediately. This also resets the interval for the next run. +- **Edit** — modify the rule without changing the query +- **Modify query** — edit the query in advanced hunting +- **Turn on** / **Turn off** — enable the rule or stop it from running +- **Delete** — turn off the rule and remove it + +>[!TIP] +>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. + +## Related topics +- [Custom detections overview](overview-custom-detections.md) +- [Create detection rules](custom-detection-rules.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [View and organize alerts](alerts-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index c98c0a6c38..304e964c67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
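Review bot: The intro paragraph of the new `custom-detections-manage.md` links to `custom-detections-rules.md`, but the existing file is `custom-detection-rules.md` (singular "detection"), so the page lands with a dead link; PATCH 3/8 fixes exactly this, and that fix belongs in this commit rather than a follow-up. The `## Required permissions` paragraph here is a verbatim copy of the one added to `custom-detection-rules.md` in the same series; if both pages must carry it, consider an include file so the two copies do not drift when the permission name changes.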
@@ -18,22 +18,19 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- - # Custom detections overview **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. -Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Custom detections provide: - Alerts for rule-based detections built from advanced hunting queries - Automatic response actions that apply to files and devices ->[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. - ## Related topic -- [Create and manage custom detection rules](custom-detection-rules.md) +- [Create detection rules](custom-detection-rules.md) +- [View and manage detection rules](custom-detections-manage.md) - [Advanced hunting overview](advanced-hunting-overview.md) \ No newline at end of file From 2c11114dbdc5050a2fd7f0c4a4c7caeaab36a1f9 Mon Sep 17 00:00:00 2001 
From: Louie Mayor Date: Wed, 12 Aug 2020 17:20:07 -0700 Subject: [PATCH 2/8] acrotweaks --- .../custom-detection-rules.md | 40 +++++++++---------- .../custom-detections-manage.md | 20 +++++----- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index a6f7579d12..e9b1845ce1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -25,7 +25,7 @@ ms.topic: article Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -Read this article to learn how to create new custom detection rules, or [see viewing and managing existing rules](custom-detections-manage.md). +Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). ## Required permissions 
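Review bot: Splitting the intro into `Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).` leaves a fragment that starts with "Or", and the link text "see viewing and managing" does not match the target page's title. Suggest one sentence with descriptive link text: `Read this article to learn how to create new custom detection rules, or see how to [view and manage existing rules](custom-detections-manage.md).`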
@@ -34,7 +34,7 @@ To create or manage custom detections, [your role](user-roles.md#create-roles-an ## Create a custom detection rule ### 1. Prepare the query. -In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. +In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. >[!IMPORTANT] >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. 
@@ -59,24 +59,24 @@ DeviceEvents With the query in the query editor, select **Create detection rule** and specify the following alert details: -- **Detection name** — name of the detection rule -- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency) -- **Alert title** — title displayed with alerts triggered by the rule -- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) -- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) -- **MITRE ATT&CK techniques** — one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section does not apply and is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software -- **Description** — more information about the component or activity identified by the rule -- **Recommended actions** — additional actions that responders might take in response to an alert +- **Detection name**—name of the detection rule +- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency) +- **Alert title**—title displayed with alerts triggered by the rule +- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) +- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) +- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. 
This section is not available with alert categories, such as malware, ransomware, suspicious activity, and unwanted software +- **Description**—more information about the component or activity identified by the rule +- **Recommended actions**—additional actions that responders might take in response to an alert For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). #### Rule frequency When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: -- **Every 24 hours** — runs every 24 hours, checking data from the past 30 days -- **Every 12 hours** — runs every 12 hours, checking data from the past 24 hours -- **Every 3 hours** — runs every 3 hours, checking data from the past 6 hours -- **Every hour** — runs hourly, checking data from the past 2 hours +- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days +- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours +- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours +- **Every hour**—runs hourly, checking data from the past 2 hours Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. 
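Review bot: The reworded **MITRE ATT&CK techniques** bullet now reads `This section is not available with alert categories, such as malware, ransomware, suspicious activity, and unwanted software`, which can be read as the field being unavailable for any alert category, with those four only as examples. The wording being replaced (`does not apply and is hidden for certain alert categories, including ...`) was unambiguous; keep "for certain alert categories" or say the section is hidden when the category is malware, ransomware, suspicious activity, or unwanted software. Separately, the rest of this hunk only changes spaced em dashes to unspaced ones in the bullets, so a meaning change buried in a commit titled "acrotweaks" is easy to miss in review; keep wording changes in their own commit.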
@@ -85,15 +85,15 @@ Your custom detection rule can automatically take actions on files or devices th #### Actions on devices These actions are applied to devices in the `DeviceId` column of the query results: -- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) -- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) -- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device -- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device +- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) +- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device +- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device #### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: -- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. 
-- **Quarantine file** — deletes the file from its current location and places a copy in quarantine +- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. +- **Quarantine file**—deletes the file from its current location and places a copy in quarantine ### 4. Set the rule scope. Set the scope to specify which devices are covered by the rule: diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index cb58a0ae93..06309d4989 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md 
@@ -33,14 +33,14 @@ To create or manage custom detections, [your role](user-roles.md#create-roles-an To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information: -- **Last run** — when a rule was last run to check for query matches and generate alerts -- **Last run status** — whether a rule ran successfully -- **Next run** — the next scheduled run -- **Status** — whether a rule has been turned on or off +- **Last run**—when a rule was last run to check for query matches and generate alerts +- **Last run status**—whether a rule ran successfully +- **Next run**—the next scheduled run +- **Status**—whether a rule has been turned on or off ## View rule details, modify rule, and run rule -To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information: +To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the the following information: - General information about the rule, including the details of the alert, run status, and scope - List of triggered alerts 
@@ -51,11 +51,11 @@ To view comprehensive information about a custom detection rule, select the name You can also take the following actions on the rule from this page: -- **Run** — run the rule immediately. This also resets the interval for the next run. -- **Edit** — modify the rule without changing the query -- **Modify query** — edit the query in advanced hunting -- **Turn on** / **Turn off** — enable the rule or stop it from running -- **Delete** — turn off the rule and remove it +- **Run**—run the rule immediately. This action also resets the interval for the next run. +- **Edit**—modify the rule without changing the query +- **Modify query**—edit the query in advanced hunting +- **Turn on** / **Turn off**—enable the rule or stop it from running +- **Delete**—turn off the rule and remove it >[!TIP] >To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. From 23a0c6584508d7d75b76d32f6c3c999f6d026563 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 17:21:56 -0700 Subject: [PATCH 3/8] Update custom-detections-manage.md --- .../microsoft-defender-atp/custom-detections-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index 06309d4989..407de115df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md 
@@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Manage your existing [custom detection rules](custom-detections-rules.md) to ensure they are effectively finding threats and taking actions on threats you want to address proactively. Learn how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. +Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions on threats you want to address proactively. Learn how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Required permissions From 6aa3b64561c6b04431c45301d1e5ba19c26ade98 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 17:29:57 -0700 Subject: [PATCH 4/8] AcroTweaks --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- .../microsoft-defender-atp/custom-detections-manage.md | 4 ++-- .../microsoft-defender-atp/overview-custom-detections.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index e9b1845ce1..1806f29868 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -104,7 +104,7 @@ Set the scope to specify which devices are covered by the rule: Only data from devices in scope will be queried. Also, actions will be taken only on those devices. ### 5. Review and turn on the rule. -After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. +After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index 407de115df..bae067bcec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions on threats you want to address proactively. Learn how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. +Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Required permissions 
@@ -40,7 +40,7 @@ To view all existing custom detection rules, navigate to **Settings** > **Custom ## View rule details, modify rule, and run rule -To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the the following information: +To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information: - General information about the rule, including the details of the alert, run status, and scope - List of triggered alerts diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 304e964c67..0f17cc548c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
@@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. +With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts as well as response actions. Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. From 159663aef048fdf1ca26cec00f307e34c239960a Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 17:36:38 -0700 Subject: [PATCH 5/8] More tweakaroos --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- .../microsoft-defender-atp/overview-custom-detections.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 1806f29868..a9b8d6cb29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -1,5 +1,5 @@ --- -title: Create detection rules in Microsoft Defender ATP +title: Create custom detection rules in Microsoft Defender ATP ms.reviewer: description: Learn how to create custom detection rules based on advanced hunting queries keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 0f17cc548c..fd8438a07e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts as well as response actions. +With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. 
@@ -30,7 +30,7 @@ Custom detections provide: - Alerts for rule-based detections built from advanced hunting queries - Automatic response actions that apply to files and devices -## Related topic +## Related topics - [Create detection rules](custom-detection-rules.md) - [View and manage detection rules](custom-detections-manage.md) - [Advanced hunting overview](advanced-hunting-overview.md) \ No newline at end of file From 00f774bd539f9bcf9d52e7c4da2481bdcb1fd433 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 17:54:08 -0700 Subject: [PATCH 6/8] tweaks --- .../custom-detection-rules.md | 26 ++++++++++--------- .../custom-detections-manage.md | 2 ++ .../overview-custom-detections.md | 2 ++ 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index a9b8d6cb29..a6ef0b57b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
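Review bot: The "Related topics" hunk leaves overview-custom-detections.md without a trailing newline (`\ No newline at end of file`); add one so the next edit to this file does not show a spurious change on the last link line.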
@@ -19,20 +19,22 @@ ms.topic: article --- -# Create and manage custom detection rules +# Create custom detection rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) + + Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). -## Required permissions +## 1. Check required permissions To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -## Create a custom detection rule -### 1. Prepare the query. +## 2. Prepare the query In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. 
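Review bot: The `>[!NOTE] This article applies to Microsoft Defender ATP. ...` line added after the Applies-to list puts the note text on the same line as the `[!NOTE]` marker; the docs alert syntax needs the marker on its own quoted line, `> [!NOTE]` followed by `> This article applies to ...`, or it renders as an ordinary blockquote. The same applies to the identical notes this commit adds to custom-detections-manage.md and overview-custom-detections.md, and the two blank lines after each note can be collapsed to one. Promoting the steps to numbered H2s (`## 1. Check required permissions` through `## 6. Review and turn on the rule`) is consistent with demoting their subsections to H3, which the later hunks do.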
@@ -40,7 +42,7 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. -#### Required columns in the query results +### Required columns in the query results To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. @@ -55,7 +57,7 @@ DeviceEvents | where count_ > 5 ``` -### 2. Create new rule and provide alert details. +## 3. Create new rule and provide alert details With the query in the query editor, select **Create detection rule** and specify the following alert details: @@ -70,7 +72,7 @@ With the query in the query editor, select **Create detection rule** and specify For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). -#### Rule frequency +### Rule frequency When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: - **Every 24 hours**—runs every 24 hours, checking data from the past 30 days 
@@ -80,22 +82,22 @@ When saved, a new or edited custom detection rule immediately runs and checks fo Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -### 3. Specify actions on files or devices. +## 4. Specify actions on files or devices Your custom detection rule can automatically take actions on files or devices that are returned by the query. -#### Actions on devices +### Actions on devices These actions are applied to devices in the `DeviceId` column of the query results: - **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device -#### Actions on files +### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: - **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file**—deletes the file from its current location and places a copy in quarantine -### 4. Set the rule scope. +## 5. Set the rule scope Set the scope to specify which devices are covered by the rule: - All devices 
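Review bot: The "Actions on files" text in this hunk says file actions apply to the `SHA1` or `InitiatingProcessSHA1` column, while the earlier "Required columns" section only requires `Timestamp`, `DeviceId`, and `ReportId`; a reader could save a rule whose `project` or `summarize` dropped both hash columns and expect Allow/Block or Quarantine to work. Add a sentence under "Actions on files" stating that these actions are only available when the query returns one of those two columns.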
@@ -103,7 +105,7 @@ Set the scope to specify which devices are covered by the rule: Only data from devices in scope will be queried. Also, actions will be taken only on those devices. -### 5. Review and turn on the rule. +## 6. Review and turn on the rule After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index bae067bcec..3594f09bb8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -23,6 +23,8 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) + Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Required permissions diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index fd8438a07e..87ad24897b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
@@ -22,6 +22,8 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) + With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. From e7e9f64418fbc2a3c7805a5af5ee4e6a6c1eb2b9 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 17:59:51 -0700 Subject: [PATCH 7/8] Update custom-detection-rules.md --- .../microsoft-defender-atp/custom-detection-rules.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index a6ef0b57b7..20cba1c034 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -23,13 +23,16 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) +> [Learn about this feature in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). +>[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) + + ## 1. Check required permissions To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. From ad2172c71f4ad60d993e1c41fe829d0881972c9e Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Wed, 12 Aug 2020 20:38:46 -0700 Subject: [PATCH 8/8] Finalizing --- .../microsoft-defender-atp/custom-detection-rules.md | 9 +-------- .../microsoft-defender-atp/custom-detections-manage.md | 2 -- .../microsoft-defender-atp/overview-custom-detections.md | 2 -- 3 files changed, 1 insertion(+), 12 deletions(-) 
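Review bot: After this hunk custom-detection-rules.md links to the same Microsoft Threat Protection page twice within a few lines, once as the bare blockquote `> [Learn about this feature in Microsoft Threat Protection](...)` under Applies-to and again in the re-added `>[!NOTE]` below the intro paragraph; keep one. If the note is kept, it still has the `[!NOTE]` marker and the text on one line, which does not render as an alert.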
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 20cba1c034..6021933e52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -18,21 +18,14 @@ ms.collection: M365-security-compliance ms.topic: article --- - # Create custom detection rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> [Learn about this feature in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) - - Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). ->[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) - - ## 1. Check required permissions To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. 
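Review bot: This hunk removes both the blockquote link and the `>[!NOTE]`, so after patch 8/8 custom-detection-rules.md no longer references the Microsoft Threat Protection version at all, which was the stated purpose of patches 6/8 and 7/8; confirm that dropping the cross-link is intended, or keep a single correctly formatted `> [!NOTE]` block. Since the note is added, moved and deleted across three consecutive commits, squashing the series before merge would also keep the file history readable.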
@@ -69,7 +62,7 @@ With the query in the query editor, select **Create detection rule** and specify - **Alert title**—title displayed with alerts triggered by the rule - **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) - **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) -- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with alert categories, such as malware, ransomware, suspicious activity, and unwanted software +- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software - **Description**—more information about the component or activity identified by the rule - **Recommended actions**—additional actions that responders might take in response to an alert diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index 3594f09bb8..bae067bcec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md 
@@ -23,8 +23,6 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) - Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Required permissions diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 87ad24897b..fd8438a07e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
@@ -22,8 +22,6 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] This article applies to Microsoft Defender ATP. [Read about this capability in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/custom-detections-overview) - With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.