Manage existing custom detection rules

You can view the list of existing custom detection rules, check their previous runs, and review the alerts that were triggered. You can also run a rule on demand and modify it.

Tip

Alerts raised by custom detections are available over alerts and incident APIs. For more information, see Supported Microsoft Defender XDR APIs.

For users who have onboarded a Microsoft Sentinel workspace to the unified Microsoft Defender portal, the custom detection rules list includes analytics rules. The following sections also apply to analytics rules unless otherwise indicated.

View existing rules

To view your existing custom detection rules and analytics rules, navigate to Hunting > Custom detection rules.

Screenshot of the Custom detection rules page in the Microsoft Defender portal.

You can filter on any column by going to Add filter, selecting the columns you want to filter on, and selecting Add. For each chosen column, select the corresponding pill beside Filters:, select the values to filter on, then select Apply.

To search for specific rules, go to the search box in the upper right of the page and enter the name or rule ID of the rule you are looking for.

For multiworkspace organizations that onboarded multiple workspaces to Microsoft Defender, you can filter for workspaces using the columns Workspace ID or Workspace name.

The page lists all the rules with the following run information:

  • Last run - When a rule was last run to check for query matches and generate alerts
  • Last run status - Whether a rule ran successfully (for custom detection rules only)
  • Next run - The next scheduled run
  • Status - Whether a rule has been turned on or off
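As an added example that is not part of the original page, a small health check over the run information listed above: it flags rules that are turned on but whose last run failed or whose next scheduled run is already overdue. The row layout and the status values ("Completed", "Failed", "On", "Off") are assumptions, and the rows are constructed, not exported from a tenant; Last run status is absent for analytics rules, so it is treated as optional.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows mirroring the Custom detection rules list columns
# (Last run, Last run status, Next run, Status). Values are assumed, not real.
RULES = [
    {"name": "Suspicious LSASS access", "last_run": "2024-05-01T10:00:00Z",
     "last_run_status": "Completed", "next_run": "2024-05-01T11:00:00Z", "status": "On"},
    {"name": "Rare parent-child process", "last_run": "2024-05-01T09:00:00Z",
     "last_run_status": "Failed", "next_run": "2024-05-01T10:00:00Z", "status": "On"},
    {"name": "Legacy auth sign-ins", "last_run": "2024-04-20T08:00:00Z",
     "last_run_status": "Completed", "next_run": "2024-04-21T08:00:00Z", "status": "Off"},
    # Analytics rules carry no Last run status; a freshly created rule has no last run
    {"name": "Never-run rule", "last_run": None, "last_run_status": None,
     "next_run": "2024-05-01T12:00:00Z", "status": "On"},
]


def parse_ts(value):
    """Parse the portal's UTC timestamp format; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rule_health(rules, now, grace=timedelta(hours=1)):
    """Return {rule name: [findings]} for enabled rules that need attention.

    A rule is reported when its last run failed or when its next scheduled run
    is more than `grace` in the past (the scheduler has fallen behind or stalled).
    Rules that are turned off are skipped because they are not expected to run.
    """
    findings = {}
    for rule in rules:
        if rule["status"] != "On":
            continue
        issues = []
        if rule.get("last_run_status") == "Failed":
            issues.append("last run failed")
        next_run = parse_ts(rule["next_run"])
        if next_run is not None and next_run + grace < now:
            issues.append("next run overdue")
        if issues:
            findings[rule["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in rule_health(RULES, parse_ts("2024-05-01T11:30:00Z")).items():
        print(f"{name}: {', '.join(issues)}")
```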

View rule details, modify rule, and run rule

To view comprehensive information about a custom detection rule or an analytics rule, go to Hunting > Custom detection rules and then select the name of the rule. You can then view general information about the rule, including its run status and scope. The page also provides the list of triggered alerts and actions.

Screenshot of the Custom detection rule details page in the Microsoft Defender portal.

You can also take the following actions on the rule from this page:

  • Open detection rule page - opens the detection rule page to view triggered alerts and review actions (for custom detection rules only)
  • Run - runs the rule immediately; this also resets the interval for the next run (for custom detection rules only)
  • Edit - allows you to modify the rule without changing the query
  • Modify query - allows you to edit the query in advanced hunting
  • Turn on / Turn off - allows you to enable the rule or stop it from running
  • Delete - allows you to turn off the rule and remove it

View and manage triggered alerts

In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered alerts, which lists the alerts generated by matches to the rule. Select an alert to view detailed information about it and take the following actions:

  • Manage the alert by setting its status and classification (true or false alert)
  • Link the alert to an incident
  • Run the query that triggered the alert in advanced hunting

Review actions

In the rule details screen (Hunting > Custom detections > [Rule name]), go to Triggered actions, which lists the actions taken based on matches to the rule.

Tip

To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.