From 33a0bffecc2618914b760a82e1ca65716039efc6 Mon Sep 17 00:00:00 2001 From: lomayor Date: Mon, 25 Nov 2019 12:53:50 -0800 Subject: [PATCH 1/4] Add custom detections frequency info --- .../custom-detection-rules.md | 28 +++++++++++++------ .../overview-custom-detections.md | 2 +- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index e8692e242a..c13f763721 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. > [!NOTE] > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. 
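Review bot: the replacement sentence in the @@ -23,7 +23,7 @@ hunk ("You can set them to run at regular intervals") removes the concrete cadence without telling the reader where the options live, so the intro ends up vaguer than the "every 24 hours" text it replaces. This same patch adds a "#### Rule frequency" section further down the file and already links to it as #rule-frequency from the settings list, so link to it here too, for example "You can set them to run at regular intervals (see [rule frequency](#rule-frequency))".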
@@ -52,13 +52,25 @@ MiscEvents With the query in the query editor, select **Create detection rule** and specify the following alert details: -- **Alert title** -- **Severity** -- **Category** -- **Description** -- **Recommended actions** +- **Detection name** — name of the detection rule +- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency) +- **Alert title** — title displayed with alerts triggered by the rule +- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity) +- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) +- **Description** — more information about the component or activity identified by the rule +- **Recommended actions** — additional actions that responders might take in response to an alert -For more information about these alert details, [read about managing alerts](manage-alerts.md). +For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). + +#### Rule frequency +When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations: + +- **Every 24 hours** — checks data from the past 30 days +- **Every 12 hours** — checks data from the past 24 hours +- **Every 3 hours** — checks data from the past 6 hours +- **Every hour** — checks data from the past 2 hours + +Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. ### 3. Specify actions on files or machines. 
Your custom detection rule can automatically take actions on files or machines that are returned by the query. @@ -115,4 +127,4 @@ You can also take the following actions on the rule from this page: ## Related topic - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the Advanced hunting query language](advanced-hunting-query-language.md) +- [Learn the Advanced hunting query language](advanced-hunting-query-language.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 13b9cef73c..03e0f5ca62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
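Review bot: in the @@ -52,13 +52,25 @@ hunk of custom-detection-rules.md the unchanged lead-in "specify the following alert details" no longer matches the list, which now opens with **Detection name** and **Frequency**; those are rule settings, not alert details, so reword it to something like "specify the following rule and alert details". In the same hunk, under "#### Rule frequency", "custom detections rules immediately run" should read "custom detection rules run immediately", and the lookback table pairs a 24-hour interval with a 30-day window, so consecutive runs re-evaluate overlapping data; say whether a record that already raised an alert is matched again on the next run, because the closing sentence only says similar detections "could be aggregated into fewer alerts" and leaves that open.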
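Review bot: the @@ -115,4 +127,4 @@ hunk of custom-detection-rules.md changes nothing but the trailing newline (the - and + lines are identical apart from "\ No newline at end of file"), and PATCH 3/4 reverts exactly that, so drop this hunk from PATCH 1/4 and let the file keep its final newline rather than carrying a self-cancelling change through the series. The context heading "## Related topic" also introduces a list of several links and should read "## Related topics".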
@@ -25,7 +25,7 @@ ms.topic: conceptual With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. -Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. +Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Custom detections provide: - Alerts for rule-based detections built from Advanced hunting queries From 8e66f14dd07a074fd61bac828ae0c9ac47a4c34e Mon Sep 17 00:00:00 2001 From: lomayor Date: Mon, 25 Nov 2019 13:08:17 -0800 Subject: [PATCH 2/4] Update custom-detection-rules.md --- .../microsoft-defender-atp/custom-detection-rules.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index c13f763721..36b9e4ffde 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
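Review bot: in the overview-custom-detections.md hunk (@@ -25,7 +25,7 @@) the replacement sentence repeats the rules article's wording, "You can set them to run at regular intervals", but this file gets no frequency section of its own, so a reader of the overview has no way to learn the available intervals or their lookback windows; point them at the guidance this series adds in the other file, for example "(see [rule frequency](custom-detection-rules.md#rule-frequency))".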
@@ -127,4 +127,5 @@ You can also take the following actions on the rule from this page: ## Related topic - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the Advanced hunting query language](advanced-hunting-query-language.md) \ No newline at end of file +- [Learn the Advanced hunting query language](advanced-hunting-query-language.md) +- [View and organize alerts](alerts-queue) \ No newline at end of file From 7e15e88041f8c02ec7f26504a8bc0ffd67e73fe1 Mon Sep 17 00:00:00 2001 From: lomayor Date: Mon, 25 Nov 2019 13:10:27 -0800 Subject: [PATCH 3/4] Update custom-detection-rules.md --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 36b9e4ffde..0238669332 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -128,4 +128,4 @@ You can also take the following actions on the rule from this page: - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the Advanced hunting query language](advanced-hunting-query-language.md) -- [View and organize alerts](alerts-queue) \ No newline at end of file +- [View and organize alerts](alerts-queue) From a98e5cf9bc8d90296c5d2dbdd08f77da46c1fc81 Mon Sep 17 00:00:00 2001 From: lomayor Date: Mon, 25 Nov 2019 13:40:09 -0800 Subject: [PATCH 4/4] Update custom-detection-rules.md Added missed .md extension --- .../microsoft-defender-atp/custom-detection-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 0238669332..fb3a52f9f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -128,4 +128,4 @@ You can also take the following actions on the rule from this page: - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the Advanced hunting query language](advanced-hunting-query-language.md) -- [View and organize alerts](alerts-queue) +- [View and organize alerts](alerts-queue.md)
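Review bot: PATCH 2/4 adds "- [View and organize alerts](alerts-queue)" with the .md extension missing and the file still lacking a final newline, and PATCH 3/4 and PATCH 4/4 each repair one of those defects on the same line; squash the three into one commit that adds "- [View and organize alerts](alerts-queue.md)" followed by a newline, so the series carries one change per concern and the intermediate broken link never lands in history. The two "Update custom-detection-rules.md" subjects also say nothing about what changed; a subject such as "Link alert queue article from related topics" would make the log usable.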