You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.
Tip
Alerts raised by custom detections are available over alerts and incident APIs. For more information, see Supported Microsoft Defender XDR APIs.
For users who have onboarded a Microsoft Sentinel workspace to the unified Microsoft Defender portal, the custom detection rules list includes analytics rules. The following sections also apply to analytics rules unless otherwise indicated.
View existing rules
To view your existing custom detection rules and analytics rules, navigate to Hunting > Custom detection rules.
You can filter on any column by going to Add filter, selecting the columns you want to filter on, and selecting Add. For each chosen column, select the corresponding pill beside Filters:, make your selection, and then select Apply.
To search for specific rules, go to the search box in the upper right of the page and enter the name or rule ID of the rule you are looking for.
For multiworkspace organizations that onboarded multiple workspaces to Microsoft Defender, you can filter for workspaces using the columns Workspace ID or Workspace name.
The page lists all the rules with the following run information:
- Last run - When a rule was last run to check for query matches and generate alerts
- Last run status - Whether a rule ran successfully (for custom detection rules only)
- Next run - The next scheduled run
- Status - Whether a rule has been turned on or off
View rule details, modify rule, and run rule
To view comprehensive information about a custom detection rule or an analytics rule, go to Hunting > Custom detection rules and then select the name of the rule. You can then view general information about the rule, its run status, and its scope. The page also lists the alerts the rule triggered and the actions it took.
You can also take the following actions on the rule from this page:
- Open detection rule page - opens the detection rule page to view triggered alerts and review actions (for custom detection rules only)
- Run - runs the rule immediately; this also resets the interval for the next run (for custom detection rules only)
- Edit - allows you to modify the rule without changing the query
- Modify query - allows you to edit the query in advanced hunting
- Turn on / Turn off - allows you to enable the rule or stop it from running
- Delete - allows you to turn off the rule and remove it
View and manage triggered alerts
In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered alerts, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:
- Manage the alert by setting its status and classification (true or false alert)
- Link the alert to an incident
- Run the query that triggered the alert on advanced hunting
Review actions
In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered actions, which lists the actions taken based on matches to the rule.
Tip
To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
See also
- Custom detections overview
- Advanced hunting overview
- Learn the advanced hunting query language
- Migrate advanced hunting queries from Microsoft Defender for Endpoint
- Microsoft Graph security API for custom detections