- 10 minutes to read
Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.
- Microsoft 365 Defender
Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Required permissions for managing custom detections
To manage custom detections, you need to be assigned one of these roles:
Security administrator—Users with this Azure Active Directory role can manage security settings in the Microsoft 365 Defender portal and other portals and services.
Security operator—Users with this Azure Active Directory role can manage alerts and have global read-only access to security-related features, including all information in the Microsoft 365 Defender portal. This role is sufficient for managing custom detections only if role-based access control (RBAC) is turned off in Microsoft Defender for Endpoint. If you have RBAC configured, you also need the manage security settings permission for Defender for Endpoint.
You can also manage custom detections that apply to data from specific Microsoft 365 Defender solutions if you have permissions for them. If you only have manage permissions for Microsoft 365 Defender for Office, for instance, you can create custom detections using
To manage required permissions, a global administrator can:
- Assign the security administrator or security operator role in Microsoft 365 admin center under Roles > Security admin.
- Check RBAC settings for Microsoft Defender for Endpoint in Microsoft 365 Defender under Settings > Permissions > Roles. Select the corresponding role to assign the manage security settings permission.
To manage custom detections, security operators will need the manage security settings permission in Microsoft Defender for Endpoint if RBAC is turned on.
Create a custom detection rule
1. Prepare the query.
In the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
Required columns in the query results
To create a custom detection rule, the query must return the following columns:
Timestamp—used to set the timestamp for generated alerts
ReportId—enables lookups for the original records
- One of the following columns that identify specific devices, users, or mailboxes:
SenderFromAddress(envelope sender or Return-Path address)
SenderMailFromAddress(sender address displayed by email client)
Support for additional entities will be added as new tables are added to the advanced hunting schema.
Simple queries, such as those that don't use the
summarize operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as
DeviceId, you can still return
ReportId by getting it from the most recent event involving each unique
Avoid filtering custom detections using the
Timestamp column. The data used for custom detections is pre-filtered based on the detection frequency.
The sample query below counts the number of unique devices (
DeviceId) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest
Timestamp and the corresponding
ReportId, it uses the
summarize operator with the
DeviceEvents| where ingestion_time() > ago(1d)| where ActionType == "AntivirusDetection"| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId| where count_ > 5
For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data.
2. Create new rule and provide alert details.
With the query in the query editor, select Create detection rule and specify the following alert details:
- Detection name—name of the detection rule; should be unique
- Frequency—interval for running the query and taking action. See additional guidance below
- Alert title—title displayed with alerts triggered by the rule; should be unique
- Severity—potential risk of the component or activity identified by the rule
- Category—threat component or activity identified by the rule
- MITRE ATT&CK techniques—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is hidden for certain alert categories, including malware, ransomware, suspicious activity, and unwanted software
- Description—more information about the component or activity identified by the rule
- Recommended actions—additional actions that responders might take in response to an alert
When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:
- Every 24 hours—runs every 24 hours, checking data from the past 30 days
- Every 12 hours—runs every 12 hours, checking data from the past 48 hours
- Every 3 hours—runs every 3 hours, checking data from the past 12 hours
- Every hour—runs hourly, checking data from the past 4 hours
When you edit a rule, it will run with the applied changes in the next run time scheduled according to the frequency you set. The rule frequency is based on the event timestamp and not the ingestion time.
Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored.
Select the frequency that matches how closely you want to monitor detections. Consider your organization's capacity to respond to the alerts.
3. Choose the impacted entities.
Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return sender (
SenderMailFromAddress) and recipient (
RecipientEmailAddress) addresses. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions.
You can select only one column for each entity type (mailbox, user, or device). Columns that are not returned by your query can't be selected.
4. Specify actions.
Your custom detection rule can automatically take actions on devices, files, users, or emails that are returned by the query.
Actions on devices
These actions are applied to devices in the
DeviceId column of the query results:
- Isolate device—uses Microsoft Defender for Endpoint to apply full network isolation, preventing the device from connecting to any application or service. Learn more about Microsoft Defender for Endpoint machine isolation
- Collect investigation package—collects device information in a ZIP file. Learn more about the Microsoft Defender for Endpoint investigation package
- Run antivirus scan—performs a full Microsoft Defender Antivirus scan on the device
- Initiate investigation—initiates an automated investigation on the device
- Restrict app execution—sets restrictions on device to allow only files that are signed with a Microsoft-issued certificate to run. Learn more about app restrictions with Microsoft Defender for Endpoint
Actions on files
When selected, the Allow/Block action can be applied to the file. Blocking files are only allowed if you have Remediate permissions for files and if the query results have identified a file ID, such as a SHA1. Once a file is blocked, other instances of the same file in all devices are also blocked. You can control which device group the blocking is applied to, but not specific devices.
When selected, the Quarantine file action can be applied to files in the
InitiatingProcessSHA256column of the query results. This action deletes the file from its current location and places a copy in quarantine.
Actions on users
When selected, the Mark user as compromised action is taken on users in the
RecipientObjectIdcolumn of the query results. This action sets the users risk level to "high" in Azure Active Directory, triggering corresponding identity protection policies.
Select Disable user to temporarily prevent a user from logging in.(Video) CUSTOM DETECTIONS IN MICROSOFT 365 DEFENDER
Select Force password reset to prompt the user to change their password on the next sign in session.
Both the Disable user and Force password reset options require the user SID, which are in the columns
For more details on user actions, read Remediation actions in Microsoft Defender for Identity.
Actions on emails
If the custom detection yields email messages, you can select Move to mailbox folder to move the email to a selected folder (any of Junk, Inbox, or Deleted items folders).
Alternatively, you can select Delete email and then choose to either move the emails to Deleted Items (Soft delete) or delete the selected emails permanently (Hard delete).
RecipientEmailAddress must be present to apply actions to email messages.
5. Set the rule scope.
Set the scope to specify which devices are covered by the rule. The scope influences rules that check devices and doesn't affect rules that check only mailboxes and user accounts or identities.
When setting the scope, you can select:
- All devices
- Specific device groups
Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
6. Review and turn on the rule.
After reviewing the rule, select Create to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
Custom detections should be regularly reviewed for efficiency and effectiveness. To make sure you are creating detections that trigger true alerts, take time to review your existing custom detections by following the steps in Manage existing custom detection rules.
You maintain control over the broadness or specificity of your custom detections so any false alerts generated by custom detections might indicate a need to modify certain parameters of the rules.
Manage existing custom detection rules
You can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
Alerts raised by custom detections are available over alerts and incident APIs. For more information, see Supported Microsoft 365 Defender APIs.
View existing rules
To view all existing custom detection rules, navigate to Hunting > Custom detection rules. The page lists all the rules with the following run information:
- Last run—when a rule was last run to check for query matches and generate alerts
- Last run status—whether a rule ran successfully
- Next run—the next scheduled run
- Status—whether a rule has been turned on or off
View rule details, modify rule, and run rule
To view comprehensive information about a custom detection rule, go to Hunting > Custom detection rules and then select the name of rule. You can then view general information about the rule, including information its run status and scope. The page also provides the list of triggered alerts and actions.
Custom detection rule details
You can also take the following actions on the rule from this page:
- Run—run the rule immediately. This also resets the interval for the next run.
- Edit—modify the rule without changing the query
- Modify query—edit the query in advanced hunting
- Turn on / Turn off—enable the rule or stop it from running
- Delete—turn off the rule and remove it
View and manage triggered alerts
In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered alerts, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:
- Manage the alert by setting its status and classification (true or false alert)
- Link the alert to an incident
- Run the query that triggered the alert on advanced hunting
In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered actions, which lists the actions taken based on matches to the rule.
To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
Some columns in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.
- Custom detections overview
- Advanced hunting overview
- Learn the advanced hunting query language
- Migrate advanced hunting queries from Microsoft Defender for Endpoint
Which type of alert can you manage from the Microsoft 365 Defender? ›
This article describes security alerts in Microsoft 365 Defender. However, you can use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. For more information, see Create activity alerts - Microsoft Purview | Microsoft Docs.What two ways can you use to manage access to Microsoft 365 Defender functionality and data? ›
- Global Azure Active Directory (AD) roles.
- Custom role access.
- Log in to Microsoft 365 Defender using an account with the Security administrator or Global administrator role assigned.
- In the navigation pane, select Settings > Endpoints > Advanced features.
- Select the advanced feature you want to configure and toggle the setting between On and Off.
Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints, Office 365, cloud applications, and identity.What is the difference between an alert and incident in Microsoft 365 defender? ›
An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack.How do I create an alert policy in Office 365? ›
Login to Office 365 Security & Compliance Center at https://protection.office.com. Expand “Alerts” in left navigation >> Click on “Alert Policies” >> Click on the “New Alert Policy” button. Provide a name for your alert, add description, severity and select category and click on “Next”How do I preset policies in defender for Office 365? ›
Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies in the Templated policies section.What are the four categories of reporting found in the Microsoft 365 defender portal? ›
What permissions are needed to view the Defender for Office 365 reports?
- Organization Management.
- Security Administrator.
- Security Reader.
- Global Reader.
Microsoft Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. Microsoft Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2 are each available as an add-on for certain subscriptions.Does Office 365 include advanced threat protection? ›
Microsoft Defender for Office 365 Plan 1
Defender for Office 365 Plan 1 offers protection against advanced attacks across email and collaboration tools in Office 365.
How do I add a whitelist in Microsoft 365 defender? ›
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Policies & rules > Threat Policies > Rules section > Tenant Allow/Block Lists. Or, to go directly to the Tenant Allow/Block List page, use https://security.microsoft.com/tenantAllowBlockList. Add.How do I add an exception to advanced threat defense? ›
- Click Protection on the navigation menu on the Bitdefender interface.
- In the Advanced Threat Defense pane, click Open.
- In the Settings tab, click Manage exceptions.
- Next, click + Add an Exception.
- Now, enter the path of the process name (.
- Prepare the query. In the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. ...
- Create new rule and provide alert details. ...
- Choose the impacted entities. ...
- Specify actions. ...
- Set the rule scope. ...
- Review and turn on the rule.
An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that define the complete story of an attack.What does Windows Defender do when it finds a threat? ›
As soon as Microsoft Defender detects a malicious file or software, Microsoft Defender blocks it and prevents it from running. And with cloud-delivered protection turned on, newly detected threats are added to the antivirus and antimalware engine so that your other devices and users are protected, as well.What are the three types of alerts? ›
There are three major alert systems: Wireless Emergency Alerts, Emergency Alert System and Opt-In Alert Systems. Each system has different ways of communicating with people, but all of the emergency alert systems provide a way to let people know when there is something wrong.Is Microsoft 365 Defender an EDR? ›
You can continue to set EDR in block mode tenant-wide in the Microsoft 365 Defender portal. EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device).Is Microsoft Defender considered EDR? ›
Microsoft Defender for Endpoint (previous Microsoft Defender ATP) is the post-breach EDR solution from Microsoft. The product has an agent on the endpoint(s) is connected to the Cloud (always up-to-date). Multiple alerts linked by an entity (e.g. attack technique) are aggregated into an incident.How do I create a custom DLP policy in Office 365? ›
- In the EAC, navigate to Compliance management > Data loss prevention. ...
- Click the arrow that is beside the Add. ...
- On the New custom policy page, complete the following fields: ...
- Click Save to finish creating the new policy reference information.
Click File > Manage Rules & Alerts. Check the box next to the rule that you want to modify. Click Change Rule, click the type of change you want to make, and then complete the steps. Note: To delete a rule, in the Rules and Alerts dialog, check the box next to the rule, and then click Delete.
How do I preset security policies in defender? ›
Enable Security Presets in Microsoft Defender for Office 365
Login to the Microsoft Security portal at https://security.microsoft.com. On the left nav, under Email & collaboration, select Policies & rules. Select Threat policies. Select Manage underneath the Standard protection preset.
From the left menu of the Dashboard, in the Manage section, select Properties. At the bottom of the Properties page, select Manage Security defaults. In the right pane, you'll see the Enable Security defaults setting. If Yes is selected, then security defaults are already enabled and no further action is required.How do I change the default MRM policy in Office 365? ›
Create a custom retention policy
To change the policy name in Office 365 navigate to Office 365 Admin > Exchange admin center > compliance management > retention policies. Next, select Default MRM Policy, click the edit icon and then change the name of the policy.
Microsoft 365's internal compliance program is designed to ensure security and privacy are considered at all phases of the development process. Each service begins the assurance lifecycle with the execution of three related efforts: security, privacy, and compliance.Can Windows Defender send email notification? ›
In Microsoft 365 Defender, you can add recipients for email notifications of detected alerts. In Microsoft 365 Defender, go to Settings and then Identities. Select Alert notifications. Enter the recipient's email address.
Data storage location
Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States.
One key difference between the two is that Office 365 does not include any endpoint security features, whereas Microsoft Defender for Endpoint is specifically designed to help protect your business against endpoint threats.What is the difference between Microsoft Defender and Windows Defender? ›
Microsoft Defender is included in a Microsoft 365 Family or Personal subscription and works on your phone (Android or iOS), PC, and Mac. Windows Security, formerly known as Windows Defender Security Center, is an app built into Windows 10 or 11 that helps keep your PC more secure.What is better than Microsoft Defender? ›
Norton 360 — Best Antivirus Alternative to Microsoft's Windows Defender in 2023. Norton 360 is better than Windows Defender in every aspect — it has higher malware detection rates, better internet security protections, more additional features, and coverage for more platforms.What is Windows Defender security alert? ›
What is the Windows Defender security warning? Windows Defender security warning is a type of scareware or a phishing scam. It redirects you to a page that looks like the official Microsoft website, even though its URL suggests otherwise.
What are the four categories of reporting found in the Microsoft 365 Defender Portal? ›
What permissions are needed to view the Defender for Office 365 reports?
- Organization Management.
- Security Administrator.
- Security Reader.
- Global Reader.
Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed and you can access all alerts in the Alerts queue.What protection does Microsoft Defender provide? ›
Windows Security includes Microsoft Defender Antivirus software that protects your Windows device and data against viruses, ransomware, trojans, and other malware unless a non-Microsoft Antivirus is active.What is the difference between Windows security and Microsoft Defender? ›
Windows Security is built-in to Windows and includes an antivirus program called Microsoft Defender Antivirus. (In early versions of Windows 10, Windows Security is called Windows Defender Security Center).Does Windows Defender always detect malware? ›
Like other anti-malware applications, Windows Defender automatically runs in the background, scanning files when they are accessed and before user open them. When a malware is detected, Windows Defender inform you. It won't ask you what you want to do with the malicious software it finds.Does Windows Defender automatically remove threats? ›
The Windows Defender Offline scan will automatically detect and remove or quarantine malware.How do I preset policies in Defender for Office 365? ›
Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies in the Templated policies section.