deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-13 17:43:21 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
Joey Caparas 4af6c8dff0 fixes
2019-03-14 13:18:52 -07:00

66 lines
2.4 KiB
Markdown
Raw Blame History

---
title: Create custom detection rules in Windows Defender ATP
description: Learn how to create custom detections rules based on advanced hunting queries
keywords: create custom detections, detections, advanced hunting, hunt, detect, query
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Create custom detections rules
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
1. In the navigation pane, select **Advanced hunting**.
2. Select an existing query that you'd like to base the monitor on or create a new query.
3. Select **Create detection rule**.
4. Specify the alert details:
- Alert title
- Severity
- Category
- Description
- Recommended actions
5. Click **Create**.
> [!TIP]
> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.<br>
> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours. <br>
> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours.
## Manage existing custom detection rules
View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules.
1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system.
2. Select one of the rules to take any of the following actions:
- Open related alerts - See all the alerts that were raised based to this rule
- Run - Run the selected detection immediately.
> [!NOTE]
> The next run for the query will be in 24 hours after the last run.
- Edit - Modify the settings of the rule.
- Modify query - View and edit the query itself.
- Turn off - Stop the query from running.
- Delete
## Related topic
- [Custom detections overview](overview-custom-detections.md)
Reference in New Issue View Git Blame Copy Permalink