Merge pull request #1594 from MicrosoftDocs/lomayor-ah-freq

Discuss frequency settings for AH custom detections

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -23,7 +23,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 > [!NOTE]
 > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
@@ -52,13 +52,25 @@ MiscEvents
 
 With the query in the query editor, select **Create detection rule** and specify the following alert details:
 
-- **Alert title**
+- **Detection name** — name of the detection rule
-- **Severity**
+- **Frequency** — interval for running the query and taking action. [See additional guidance below](#rule-frequency)
-- **Category**
+- **Alert title** — title displayed with alerts triggered by the rule
-- **Description**
+- **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
-- **Recommended actions**
+- **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
+- **Description** — more information about the component or activity identified by the rule 
+- **Recommended actions** — additional actions that responders might take in response to an alert 
 
-For more information about these alert details, [read about managing alerts](manage-alerts.md).
+For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
+
+#### Rule frequency
+When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations:
+
+- **Every 24 hours** — checks data from the past 30 days
+- **Every 12 hours** — checks data from the past 24 hours
+- **Every 3 hours** — checks data from the past 6 hours
+- **Every hour** — checks data from the past 2 hours
+
+Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
 
 ### 3. Specify actions on files or machines.
 Your custom detection rule can automatically take actions on files or machines that are returned by the query.
@@ -116,3 +128,4 @@ You can also take the following actions on the rule from this page:
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
+- [View and organize alerts](alerts-queue.md)

windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md

@@ -25,7 +25,7 @@ ms.topic: conceptual
 
 With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
 
-Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 Custom detections provide:
 - Alerts for rule-based detections built from Advanced hunting queries