From f0bc757c831247bff3837f4ab64ea68c6547579d Mon Sep 17 00:00:00 2001
From: Jake Mowrer <28117568+docbrown1981@users.noreply.github.com>
Date: Mon, 19 Aug 2019 14:22:46 -0500
Subject: [PATCH] Update custom-detection-rules.md

Adding verbiage about the requirement that the query must return specific fields for each row for it to work.  Line 29
---
 .../microsoft-defender-atp/custom-detection-rules.md            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 55180b158c..9561fe831c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -26,7 +26,7 @@ ms.topic: article
 Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
 
 >[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.  For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting.
 
 1. In the navigation pane, select **Advanced hunting**.