deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

custom_detections

Browse Source
This commit is contained in:
lomayor
2019-09-19 17:52:14 -07:00
parent 1b070bad3f
commit b9ca1661b4
2 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -29,14 +29,14 @@ Custom detection rules built from [Advanced hunting](overview-hunting.md) querie
>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
## Create a custom detection rule
### 1. Prepare the query
### 1. Prepare the query.
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
>[!NOTE]
>To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont `project` results will usually return these common columns.
>To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that dont use the `project` operator to customize results usually return these common columns.
### 2. Create new rule and provide alert details
### 2. Create new rule and provide alert details.
With the query in the query editor, select **Create detection rule** and specify the following alert details:
@ -57,20 +57,20 @@ When saved, custom detections rules immediately run. They then run again at fixe
- **Every 3 hours** — checks data from the past 6 hours
- **Every hour** — checks data from the past 2 hours
Similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
Whenever a rule runs, similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines
### 3. Specify actions on files or machines.
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
#### Actions on machines
These actions are automatically applied to machines in the `MachineId` column in the query results:
These actions are applied to machines in the `MachineId` column of the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
#### Actions on files
Select one or more actions to automatically apply to files in the `SHA1` or the `InitiatingProcessSHA1` column in the query results:
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule.
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine

8
windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
View File

@ -1,7 +1,7 @@
---
title: Overview of custom detections in Microsoft Defender ATP
ms.reviewer:
description: Understand how you can leverage advanced hunting to create custom detections and generate alerts
description: Understand how you can use Advanced hunting to create custom detections and generate alerts
keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, intervals, mdatp, microsoft defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -23,12 +23,12 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
With custom detections, you can proactively monitor for various events and system states, including suspected breach activity and misconfigured machines. You can create rules that automatically trigger alerts. You can also configure these rules such that specific response actions are automatically performed in response to a detection.
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions.
Custom detections leverage [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run regularly based on your preferred intervals, generating alerts and taking response actions whenever there are matches.
Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run regularly based on your preferred intervals, generating alerts and taking response actions whenever there are matches.
Custom detections provide:
- Alerts from rule-based detections that leverage Advanced hunting queries
- Alerts from rule-based detections built from Advanced hunting queries
- Configurable query intervals from 1 hour to 24 hours
- Automatic response actions that apply to files and machines