From ef4bcd9beef442a52012b309299729cdb9f6a92a Mon Sep 17 00:00:00 2001 From: lomayor Date: Fri, 13 Sep 2019 15:08:53 -0700 Subject: [PATCH] mdatp_custom_detections_refresh --- .../custom-detection-rules.md | 91 ++++++++++++------- .../overview-custom-detections.md | 25 +++-- 2 files changed, 70 insertions(+), 46 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 9561fe831c..4bc2b0118b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,16 +1,16 @@ --- -title: Create custom detection rules in Microsoft Defender ATP +title: Create and manage custom detection rules in Microsoft Defender ATP ms.reviewer: description: Learn how to create custom detections rules based on advanced hunting queries -keywords: create custom detections, detections, advanced hunting, hunt, detect, query +keywords: custom detections, create, alerts, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -19,53 +19,78 @@ ms.topic: article --- -# Create custom detections rules +# Create and manage custom detections rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found. +Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. >[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting. +>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -1. In the navigation pane, select **Advanced hunting**. +## Create a custom detection rule +### 1. Prepare the query -2. Select an existing query that you'd like to base the monitor on or create a new query. +In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. -3. Select **Create detection rule**. +>[!NOTE] +>To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. 
Queries that don’t `project` results will usually return these common columns. -4. Specify the alert details: +### 2. Create new rule and provide alert details - - Alert title - - Severity - - Category - - Description - - Recommended actions +With the query in the query editor, select **Create detection rule** and specify the following alert details: -5. Click **Create**. +- **Alert title** +- **Severity** +- **Frequency** (see additional guidance below) +- **Category** +- **Description** +- **Recommended actions** -> [!TIP] -> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.
-> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours.
-> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours. +For more information about these alert details, [read about managing alerts](manage-alerts.md). + +#### Rule frequency +When saved, custom detections rules immediately run. They then run again at fixed intervals based on the frequency you choose. Rules that run less frequently will have longer lookback durations. + +- **Every 24 hours** — checks data from the past 30 days +- **Every 12 hours** — checks data from the past 24 hours +- **Every 3 hours** — checks data from the past 6 hours +- **Every hour** — checks data from the past 2 hours + +Similar detections on the same machine could be aggregated into fewer alerts, so running a rule less frequently can generate fewer alerts. Select the frequency that matches how closely you want to monitor detections and your organization's capacity to respond to the alerts. + +### 3. Specify actions on files or machines +Your custom detection rule can automatically take actions on files or machines that are returned by the query. + +#### Actions on machines +These actions are automatically applied to machines in the `MachineId` column in the query results: +- **Isolate machine** — prevent the machine from connecting to the network. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network) +- **Collect investigation package** — collects machine information in a ZIP file. 
[Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) +- **Run antivirus scan** — perform a full Windows Defender Antivirus scan on the machine +- **Initiate investigation** — initiate an [automated investigation](automated-investigations.md) on the machine + +#### Actions on files +Select one or more actions to automatically apply to files in the `SHA1` or the `InitiatingProcessSHA1` column in query results: +- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule. +- **Quarantine file** — deletes the file from its current location and places a copy in quarantine + +### 4. Click **Create** to save and turn on the rule. ## Manage existing custom detection rules -View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules. +View your existing detection rules and check their results to assess how effective they have been. You can also run a rule on demand and modify it. -1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system. +1. In the navigation pane, select **Settings** > **Custom detections** to see all the detection rules. 2. Select one of the rules to take any of the following actions: - - Open related alerts - See all the alerts that were raised based to this rule - - Run - Run the selected detection immediately. - - > [!NOTE] - > The next run for the query will be in 24 hours after the last run. - - - Edit - Modify the settings of the rule. - - Modify query - View and edit the query itself. - - Turn off - Stop the query from running. 
- - Delete + - **Open detection rule page** — see all rule details, including all the alerts that were triggered and actions taken + - **Run** — run the rule immediately. This resets the interval for the next run. + - **Edit** — modify the rule without changing the query + - **Modify query** - open the query in Advanced hunting to edit it + - **Turn on** / **Turn off** - enable the rule or stop it from running + - **Delete** + >[!TIP] + >You can also take these actions from the detection rule page. ## Related topic - [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 9579771415..df7e004ade 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -1,16 +1,16 @@ --- -title: Custom detections overview +title: Overview of custom detections in Microsoft Defender ATP ms.reviewer: -description: Understand how you can leverage the power of advanced hunting to create custom detections -keywords: custom detections, detections, advanced hunting, hunt, detect, query +description: Understand how you can leverage advanced hunting to create custom detections and generate alerts +keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, intervals, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -23,18 +23,17 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +With custom detections, you can proactively monitor for various events and system states, including suspected breach activity and misconfigured machines. You can create rules that automatically trigger alerts. You can also configure these rules such that specific response actions are automatically performed in response to a detection. -Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious events or emerging threats. +Custom detections leverage [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run regularly based on your preferred intervals, generating alerts and taking response actions whenever there are matches. -This can be done by leveraging the power of [Advanced hunting](overview-hunting.md) through the creation of custom detection rules. -Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system. - -This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats. 
+Custom detections provide: +- Alerts from rule-based detections that leverage Advanced hunting queries +- Configurable query intervals from 1 hour to 24 hours +- Automatic response actions that apply to files and machines >[!NOTE] >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Related topic -- [Create custom detection rules](custom-detection-rules.md) - - +- [Create and manage custom detection rules](custom-detection-rules.md) \ No newline at end of file
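Review bot: In the front-matter hunk of custom-detection-rules.md (`@@ -1,16 +1,16 @@`), the `description` line is left unchanged while the title is widened to "Create and manage custom detection rules"; the description still only says "Learn how to create custom detections rules based on advanced hunting queries" and carries the same "detections rules" wording. Update it to match the new scope and fix the plural, for example `description: Learn how to create and manage custom detection rules that generate alerts and take response actions based on advanced hunting queries`.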
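Review bot: In the body hunk of custom-detection-rules.md (`@@ -19,53 +19,78 @@`), the rewritten note on required columns drops the condition the old note carried that each returned row's `MachineId`, `ReportId` and `EventTime` must "match to an actual event in advanced hunting"; listing the column names alone lets a reader think any query that happens to emit those three columns (for example after a `summarize` that re-derives them) will produce usable alerts and response actions. Keep the old sentence alongside the column list, and extend "Queries that don't `project` results will usually return these common columns" to also warn that `summarize` removes them. Since this hunk also adds automatic **Isolate machine** and **Allow/Block** actions that apply to every `MachineId` or `SHA1` the query returns, a sentence recommending that a new rule be saved without response actions first and reviewed before actions are enabled would fit under "### 3. Specify actions on files or machines". Smaller points in the same hunk: "When using an new query" should read "a new query"; the H1 "Create and manage custom detections rules" should match the title's "custom detection rules"; the bullets under "Manage existing custom detection rules" mix the em-dash used by "**Open detection rule page** — see all rule details" with the plain hyphen in "**Modify query** - open the query" and "**Turn on** / **Turn off** - enable"; and "### 4. Click **Create** to save and turn on the rule." is an instruction styled as a heading, unlike steps 1 to 3, so either make it a short heading such as "### 4. Save the rule" with the instruction as body text or fold it into the end of step 3.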
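Review bot: In the body hunk of overview-custom-detections.md (`@@ -23,18 +23,17 @@`), the bullet "Configurable query intervals from 1 hour to 24 hours" reads as if any interval in that range can be chosen, whereas the rule page in this same patch offers exactly four settings (every hour, every 3 hours, every 12 hours, every 24 hours); rephrase to something like "Configurable query intervals of 1, 3, 12 or 24 hours" so the two pages agree. The same hunk ends with `\ No newline at end of file` on the new "- [Create and manage custom detection rules](custom-detection-rules.md)" line; add the trailing newline so the file does not differ from the rest of the tree on this point.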