From c9871554bb25ae15e56c4758298cc4d223d6d087 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 28 Sep 2019 05:43:15 +0500 Subject: [PATCH] Added query as example Added query in the document as an example. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4904 --- .../microsoft-defender-atp/custom-detection-rules.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 0af9f2e7a8..60f414ff15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -26,7 +26,7 @@ ms.topic: article Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. >[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. +>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Create a custom detection rule ### 1. Prepare the query. 
@@ -36,6 +36,13 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an >[!NOTE] >To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. +>[Example] +>MiscEvents +| where EventTime > ago(7d) +| where ActionType == "AntivirusDetection" +| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId +This will fetch latest EventTime and ReportId of the latest event among multiple events returned by the query and adds the count by MachineId. + ### 2. Create new rule and provide alert details. With the query in the query editor, select **Create detection rule** and specify the following alert details:
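Review bot: In the first hunk (`@@ -26,7 +26,7 @@`), the removed and added `>To create and manage custom detections, ...` lines differ only in trailing whitespace, which is unrelated to the stated purpose of adding an example query and only adds noise to the diff; suggest dropping that hunk so the change stays limited to the example.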
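Review bot: The blockquote in the added example is malformed: only `>[Example]` and `>MiscEvents` carry the `>` prefix, so the following `| where EventTime > ago(7d)`, `| where ActionType == "AntivirusDetection"` and `| summarize ...` lines will render outside the note as ordinary paragraph text (a leading `|` also risks being parsed as a table row), and `[Example]` is not an alert marker like `[!NOTE]` on this site, so it will appear as literal text. Suggest introducing the query with a plain sentence such as "Example:" and placing it in a fenced code block tagged `kusto`, so the pipes render as written, and rewording the explanation to "This returns the latest `EventTime` and `ReportId` for each `MachineId`, along with the event count, so the result includes the three columns a custom detection rule requires." Spelling out that the example returns `EventTime`, `MachineId` and `ReportId` ties it back to the requirement stated in the preceding NOTE, which is the reason the example was added.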