Split, refresh

windows/security/threat-protection/TOC.md

@@ -338,8 +338,9 @@
 
 
 #### [Custom detections]()
-##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
+##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
+##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
 
 ### [Behavioral blocking and containment]()
 #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -1,7 +1,7 @@
 ---
-title: Create and manage custom detection rules in Microsoft Defender ATP
+title: Create detection rules in Microsoft Defender ATP
 ms.reviewer: 
-description: Learn how to create and manage custom detection rules based on advanced hunting queries
+description: Learn how to create custom detection rules based on advanced hunting queries
 keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -23,10 +23,13 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
-> [!NOTE]
-> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+Read this article to learn how to create new custom detection rules, or [see viewing and managing existing rules](custom-detections-manage.md). 
+
+## Required permissions
+
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
 
 ## Create a custom detection rule
 ### 1. Prepare the query.
@@ -61,6 +64,7 @@ With the query in the query editor, select **Create detection rule** and specify
 - **Alert title** — title displayed with alerts triggered by the rule
 - **Severity** — potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
 - **Category** — type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
+- **MITRE ATT&CK techniques** — one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section does not apply and is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software
 - **Description** — more information about the component or activity identified by the rule 
 - **Recommended actions** — additional actions that responders might take in response to an alert 
 
@@ -91,44 +95,20 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
 - **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
 - **Quarantine file** — deletes the file from its current location and places a copy in quarantine
 
-### 4. Click **Create** to save and turn on the rule.
+### 4. Set the rule scope.
+Set the scope to specify which devices are covered by the rule:
+
+- All devices
+- Specific device groups
+
+Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
+
+### 5. Review and turn on the rule.
 After reviewing the rule, click **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
 
-## Manage existing custom detection rules
-In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
 
-### View existing rules
-
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
-
-- **Last run** — when a rule was last run to check for query matches and generate alerts
-- **Last run status** — whether a rule ran successfully
-- **Next run** — the next scheduled run
-- **Status** — whether a rule has been turned on or off
-
-### View rule details, modify rule, and run rule
-
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
-
-- General information about the rule, including the details of the alert, run status, and scope
-- List of triggered alerts
-- List of triggered actions
-
-![Custom detection rule page](images/atp-custom-detection-rule-details.png)<br>
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
-
-- **Run** — run the rule immediately. This also resets the interval for the next run.
-- **Edit** — modify the rule without changing the query
-- **Modify query** — edit the query in advanced hunting
-- **Turn on** / **Turn off** — enable the rule or stop it from running
-- **Delete** — turn off the rule and remove it
-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
-
-## Related topic
+## Related topics
+- [View and manage detection rules](custom-detections-manage.md)
 - [Custom detections overview](overview-custom-detections.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)
 - [Learn the advanced hunting query language](advanced-hunting-query-language.md)

windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md

@@ -0,0 +1,67 @@
+---
+title: View and manage custom detection rules in Microsoft Defender ATP
+ms.reviewer: 
+description: Learn how to view and manage custom detection rules
+keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+
+# View and manage custom detection rules
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Manage your existing [custom detection rules](custom-detections-rules.md) to ensure they are effectively finding threats and taking actions on threats you want to address proactively. Learn how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
+
+## Required permissions
+
+To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+
+## View existing rules
+
+To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
+
+- **Last run** — when a rule was last run to check for query matches and generate alerts
+- **Last run status** — whether a rule ran successfully
+- **Next run** — the next scheduled run
+- **Status** — whether a rule has been turned on or off
+
+## View rule details, modify rule, and run rule
+
+To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information:
+
+- General information about the rule, including the details of the alert, run status, and scope
+- List of triggered alerts
+- List of triggered actions
+
+![Custom detection rule page](images/atp-custom-detection-rule-details.png)<br>
+*Custom detection rule page*
+
+You can also take the following actions on the rule from this page:
+
+- **Run** — run the rule immediately. This also resets the interval for the next run.
+- **Edit** — modify the rule without changing the query
+- **Modify query** — edit the query in advanced hunting
+- **Turn on** / **Turn off** — enable the rule or stop it from running
+- **Delete** — turn off the rule and remove it
+
+>[!TIP]
+>To quickly view information and take action on an item in a table, use the selection column [&#10003;] at the left of the table.
+
+## Related topics
+- [Custom detections overview](overview-custom-detections.md)
+- [Create detection rules](custom-detection-rules.md)
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [View and organize alerts](alerts-queue.md)

windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md

@@ -18,22 +18,19 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
 
-
 # Custom detections overview
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
 
-Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
+Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
 
 Custom detections provide:
 - Alerts for rule-based detections built from advanced hunting queries
 - Automatic response actions that apply to files and devices
 
->[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
 ## Related topic
-- [Create and manage custom detection rules](custom-detection-rules.md)
+- [Create detection rules](custom-detection-rules.md)
+- [View and manage detection rules](custom-detections-manage.md)
 - [Advanced hunting overview](advanced-hunting-overview.md)