mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 06:13:41 +00:00
syncing custom-detection-rules with mtp
@ -40,13 +40,19 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
|
|||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
|
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
|
||||||
|
|
||||||
|
|
||||||
### Required columns in the query results
|
### Required columns in the query results
|
||||||
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
|
|
||||||
|
|
||||||
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
|
To use a query for a custom detection rule, the query must return the following columns:
|
||||||
|
|
||||||
The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
|
- `Timestamp`
|
||||||
|
- `DeviceId`
|
||||||
|
- `ReportId`
|
||||||
|
|
||||||
|
Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
|
||||||
|
|
||||||
|
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
|
||||||
|
|
||||||
|
The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
|
||||||
|
|
||||||
```kusto
|
```kusto
|
||||||
DeviceEvents
|
DeviceEvents
|
||||||
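Review bot: the description of the sample query is inaccurate on both the old and the new line: `| where count_ > 5` only works if the preceding `summarize` produces a per-`DeviceId` count, so the query counts antivirus detection events per device and keeps the devices with more than five, it does not count "the number of unique devices". Suggest "counts antivirus detections per device (`DeviceId`) and keeps only the devices with more than five detections". The new wording also drops the word "count" ("uses this to find only those devices"), which leaves "this" without a clear referent; keep "uses this count". Splitting the column requirement into the `Timestamp` / `DeviceId` / `ReportId` list is a clear improvement.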
@ -56,6 +62,9 @@ DeviceEvents
|
|||||||
| where count_ > 5
|
| where count_ > 5
|
||||||
```
|
```
|
||||||
|
|
||||||
|
> [!TIP]
|
||||||
|
> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
|
||||||
|
|
||||||
## 3. Create new rule and provide alert details
|
## 3. Create new rule and provide alert details
|
||||||
|
|
||||||
With the query in the query editor, select **Create detection rule** and specify the following alert details:
|
With the query in the query editor, select **Create detection rule** and specify the following alert details:
|
||||||
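Review bot: the new tip ("filtering for the past day will cover all new data") is at odds with the Rule frequency section changed later in this same commit, which states that a newly saved rule immediately checks the past 30 days of data and that the **Every 24 hours** option checks data from the past 30 days. A one-day `Timestamp` filter reduces that lookback to a day, so the tip should say that the trade-off is deliberate (you lose the 30-day backfill but keep the rule cheap) rather than claim full coverage. The sample query just above also has no time filter at all; adding `| where Timestamp > ago(1d)` before the `summarize` would make the tip concrete and match the text that explains the query.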
@ -67,12 +76,13 @@ With the query in the query editor, select **Create detection rule** and specify
|
|||||||
- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
|
- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
|
||||||
- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
|
- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
|
||||||
- **Description**—more information about the component or activity identified by the rule
|
- **Description**—more information about the component or activity identified by the rule
|
||||||
- **Recommended actions**—additional actions that responders might take in response to an alert
|
- **Recommended actions**—additional actions that responders might take in response to an alert
|
||||||
|
|
||||||
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
|
For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
|
||||||
|
|
||||||
### Rule frequency
|
### Rule frequency
|
||||||
When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
|
|
||||||
|
When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
|
||||||
|
|
||||||
- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
|
- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
|
||||||
- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
|
- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
|
||||||
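Review bot: dropping "or edited" from the Rule frequency paragraph changes the documented behaviour without explanation. Someone editing an existing rule needs to know whether the edit triggers an immediate re-run over the past 30 days, with the burst of up to 100 alerts the IMPORTANT note at the top of this change warns about. If edited rules no longer re-run immediately, state that explicitly in this paragraph (or in the "View and manage detection rules" topic); if they still do, keep the original wording.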
@ -81,22 +91,34 @@ When saved, a new or edited custom detection rule immediately runs and checks fo
|
|||||||
|
|
||||||
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
|
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
|
||||||
|
|
||||||
|
### Choose the impacted entities
|
||||||
|
|
||||||
|
Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
|
||||||
|
|
||||||
|
You can select only one column for each entity type. Columns that are not returned by your query can't be selected.
|
||||||
|
|
||||||
## 4. Specify actions on files or devices
|
## 4. Specify actions on files or devices
|
||||||
|
|
||||||
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
|
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
|
||||||
|
|
||||||
### Actions on devices
|
### Actions on devices
|
||||||
|
|
||||||
These actions are applied to devices in the `DeviceId` column of the query results:
|
These actions are applied to devices in the `DeviceId` column of the query results:
|
||||||
|
|
||||||
- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
|
- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
|
||||||
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
|
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
|
||||||
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
|
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
|
||||||
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
|
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
|
||||||
|
|
||||||
### Actions on files
|
### Actions on files
|
||||||
|
|
||||||
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
|
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
|
||||||
|
|
||||||
- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
|
- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
|
||||||
- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
|
- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
|
||||||
|
|
||||||
## 5. Set the rule scope
|
## 5. Set the rule scope
|
||||||
|
|
||||||
Set the scope to specify which devices are covered by the rule:
|
Set the scope to specify which devices are covered by the rule:
|
||||||
|
|
||||||
- All devices
|
- All devices
|
||||||
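Review bot: the new **Choose the impacted entities** subsection says "You can select only one column for each entity type" but never lists the entity types; the preceding sentence only gives device and user IDs as an example, so name the types the UI actually offers. It should also state how this selection relates to section 4, where **Actions on devices** are applied to the `DeviceId` column and **Actions on files** to `SHA1` or `InitiatingProcessSHA1`: say whether the impacted-entity column drives those response actions or only alert aggregation and incident correlation, otherwise readers will assume the former. Finally, the subsection sits under "## 3. Create new rule and provide alert details" although it is not an alert detail; consider its own numbered step or a broader heading.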
@ -105,10 +127,11 @@ Set the scope to specify which devices are covered by the rule:
|
|||||||
Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
|
Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
|
||||||
|
|
||||||
## 6. Review and turn on the rule
|
## 6. Review and turn on the rule
|
||||||
|
|
||||||
After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
|
After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
|
||||||
|
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
- [View and manage detection rules](custom-detections-manage.md)
|
- [View and manage detection rules](custom-detections-manage.md)
|
||||||
- [Custom detections overview](overview-custom-detections.md)
|
- [Custom detections overview](overview-custom-detections.md)
|
||||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||||
|
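Review bot: the only change in this hunk appears to be an added blank line before "## Related topics", but the unchanged context has a small wording issue worth fixing while here: "It runs again based on configured frequency" should read "based on the configured frequency". The heading says "Review and turn on the rule" while the paragraph only mentions **Create**; if a separate on/off toggle exists, mention it, otherwise shorten the heading to match.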