From c9871554bb25ae15e56c4758298cc4d223d6d087 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 28 Sep 2019 05:43:15 +0500 Subject: [PATCH 01/10] Added query as example Added query in the document as an example. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4904 --- .../microsoft-defender-atp/custom-detection-rules.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 0af9f2e7a8..60f414ff15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -26,7 +26,7 @@ ms.topic: article Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. >[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Create a custom detection rule ### 1. Prepare the query. 
@@ -36,6 +36,13 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an >[!NOTE] >To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. +>[Example] +>MiscEvents +| where EventTime > ago(7d) +| where ActionType == "AntivirusDetection" +| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId +This will fetch latest EventTime and ReportId of the latest event among multiple events returned by the query and adds the count by MachineId. + ### 2. Create new rule and provide alert details. With the query in the query editor, select **Create detection rule** and specify the following alert details: From f498ca39b7602921d31ca37308c66b4eb95fb65f Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 28 Sep 2019 09:34:03 +0500 Subject: [PATCH 02/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 60f414ff15..5b4ec78036 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -41,7 +41,7 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an | where EventTime > ago(7d) | where ActionType == "AntivirusDetection" | summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId -This will fetch latest EventTime and ReportId of the latest event among multiple events returned by the query and adds the count by MachineId. +This will fetch the EventTime and ReportId of the latest event from multiple events returned by the query and adds the count by MachineId. ### 2. Create new rule and provide alert details. From 732026c25b6bf9a1a9c24f46305c4ae6130555c8 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 29 Sep 2019 19:06:38 +0500 Subject: [PATCH 03/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 5b4ec78036..21b18db365 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -25,7 +25,7 @@ ms.topic: article Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. ->[!NOTE] +> [!NOTE] >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Create a custom detection rule From 83dd94f49335bb2b079ceaeda68cd2ec18c38f43 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 29 Sep 2019 19:06:47 +0500 Subject: [PATCH 04/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 21b18db365..7d640952cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -26,7 +26,7 @@ ms.topic: article Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. > [!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Create a custom detection rule ### 1. Prepare the query. From 1988d93b9fc1b0d7da120f828c0a9a38f6749fcf Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 29 Sep 2019 19:06:54 +0500 Subject: [PATCH 05/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 7d640952cc..83f895f0c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -33,7 +33,7 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. ->[!NOTE] +> [!NOTE] >To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. >[Example] From a1009d8c7c9c8e791bd69137c19d92506d670f53 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 29 Sep 2019 19:07:02 +0500 Subject: [PATCH 06/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 83f895f0c4..627c14ca58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -36,7 +36,7 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an > [!NOTE] >To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. ->[Example] +> [Example] >MiscEvents | where EventTime > ago(7d) | where ActionType == "AntivirusDetection" From 99fa2ef07fa7a4642ebaa157af5f6569d20f35d9 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 29 Sep 2019 19:07:10 +0500 Subject: [PATCH 07/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 627c14ca58..fb9e202863 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -34,7 +34,7 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. > [!NOTE] ->To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. +> To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. > [Example] >MiscEvents From 892411670327a3387d8b8f18fe3c21b0b0f63924 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 29 Sep 2019 19:07:21 +0500 Subject: [PATCH 08/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index fb9e202863..19f8bc230f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -37,7 +37,7 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an > To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. > [Example] ->MiscEvents +> MiscEvents | where EventTime > ago(7d) | where ActionType == "AntivirusDetection" | summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId From 06a38e3bc57a9a17be790dc10a6db27833e624c8 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 1 Oct 2019 13:54:56 +0500 Subject: [PATCH 09/10] Update windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/custom-detection-rules.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 19f8bc230f..fbb2aa14e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -41,6 +41,7 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an | where EventTime > ago(7d) | where ActionType == "AntivirusDetection" | summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId +| where count_ > 5 This will fetch the EventTime and ReportId of the latest event from multiple events returned by the query and adds the count by MachineId. ### 2. Create new rule and provide alert details. From 010644b58b450c352b24a2b33b1d6bbdd76c8478 Mon Sep 17 00:00:00 2001 From: Louie Mayor Date: Tue, 1 Oct 2019 07:49:08 -0700 Subject: [PATCH 10/10] Update custom-detection-rules.md Editing the file directly to reduce back and forth. --- .../microsoft-defender-atp/custom-detection-rules.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index fbb2aa14e6..2e925f762d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -36,13 +36,15 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an > [!NOTE] > To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. -> [Example] -> MiscEvents +The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. + +``` +MiscEvents | where EventTime > ago(7d) | where ActionType == "AntivirusDetection" | summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId | where count_ > 5 -This will fetch the EventTime and ReportId of the latest event from multiple events returned by the query and adds the count by MachineId. +``` ### 2. Create new rule and provide alert details.
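Review bot: In patch 01, the first hunk (`@@ -26,7 +26,7 @@`) changes only invisible trailing whitespace on the `>To create and manage custom detections...` line: the removed and added lines read identically. An unrelated whitespace-only change bloats the diff and will show up as a conflict magnet for anyone else editing that note; drop it from this commit or put it in a dedicated whitespace-cleanup commit.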
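Review bot: In patch 01, the second hunk (`@@ -36,6 +36,13 @@`) produces a malformed blockquote. Only `>[Example]` and `>MiscEvents` carry the `>` prefix; the three `| where ...` / `| summarize ...` lines and the trailing explanation do not, so the quote ends after the first query line and the pipe-led lines will be rendered as ordinary paragraph text (or misread as a table) rather than as a query. `[Example]` is also not the alert form the page uses elsewhere (`[!NOTE]`). The query should go in a fenced code block rather than a quote, with the explanation as a normal paragraph before or after it, which is what patch 10 eventually does.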
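Review bot: Patches 03 through 08 each add a single space after `>` on one line (`->[!NOTE]` to `+> [!NOTE]`, `->MiscEvents` to `+> MiscEvents`, and so on). Six one-character commits for the same formatting fix make the history hard to read; squash them into one "Normalise blockquote spacing" commit before merge.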
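Review bot: In patch 09 the added `+| where count_ > 5` changes what the example detects, but the explanation on the following unchanged line (`This will fetch the EventTime and ReportId of the latest event ... and adds the count by MachineId.`) is not updated and says nothing about the threshold, so readers are not told why machines with five or fewer detections are filtered out. The filter also depends on the implicit `count_` column name that `count()` produces; naming the aggregate explicitly (for example `Detections=count()` in the `summarize` line and `| where Detections > 5`) makes the intent visible and keeps the rule working if the default name ever changes. The `EventTime`, `MachineId` and `ReportId` columns required by the note above are still returned after the filter, so the rule requirement is satisfied.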
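Review bot: In patch 10 the new lead-in sentence misdescribes the query: `summarize ... count() by MachineId` returns one row per machine with that machine's number of antivirus detections, so the query counts detections per machine, not "the number of unique machines (`MachineId`) with antivirus detections". Suggest "counts antivirus detections per machine (`MachineId`) over the last seven days and keeps only machines with more than five detections". Separately, the opening fence on the `+```` line carries no language tag; tagging it (the docs use `kusto` for advanced hunting queries) enables syntax highlighting, and it is worth stating that `count_` is the default column name produced by `count()`, since the `| where count_ > 5` line depends on it. Removing the old `This will fetch...` sentence is fine now that the lead-in covers it.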