Custom Detection Report for Microsoft Defender
Custom Detection Report
Query
search in(CloudAppEvents) 'Microsoft365Defender'
| where Timestamp > ago(180d) // How far back to check
| where parse_json(RawEventData).Workload=='Microsoft365Defender'
// Track rule creation/mods/deletion
| where ActionType has_any ('CreateCustomDetection', 'EditCustomDetection', 'ChangeCustomDetectionRuleStatus', 'DeleteCustomDetection')
| extend RuleName = tostring((RawEventData).RuleName)
| extend RuleId = tostring((RawEventData).RuleId)
| extend Query = parse_json(RawEventData).Query
| extend AlertTitle = parse_json(RawEventData).AlertTitle
| extend Author = iff(ActionType=='CreateCustomDetection', parse_json(RawEventData).UserId, 'null')
| extend LastAuthor = parse_json(RawEventData).UserId
| extend AlertCategory = parse_json(RawEventData).AlertCategory
| extend AlertSeverity = parse_json(RawEventData).AlertSeverity
| extend MitreTechniques = parse_json(RawEventData).MitreTechniques
| extend RuleFrequency = parse_json(RawEventData).RuleFrequency
| extend CreationTime=iff(ActionType=='CreateCustomDetection', Timestamp, datetime(null))
| extend LastUpdateTime=iff(ActionType=='EditCustomDetection', Timestamp, datetime(null))
| extend IsEnabled = parse_json(RawEventData).IsEnabled
| extend IsEnabled = case(
IsEnabled == false, 0,
(IsEnabled == true) or ActionType=='CreateCustomDetection' or (ActionType=='EditCustomDetection' and Query has 'xxxFLAGxxx'), 1
, int(null))
// Captures the latest states per rule name/id
| summarize arg_max(Timestamp, ActionType, CreationTime, LastUpdateTime, AlertTitle, Author, LastAuthor,
IsEnabled, AlertCategory, AlertSeverity, MitreTechniques, RuleFrequency, Query)
by RuleName, RuleId
//| project-away QueryAbout this query
Explanation
This query is designed to track and report on custom detection rules in Microsoft Defender for Endpoint/XDR. It focuses on actions like creating, editing, and deleting these rules. The data is sourced from the CloudAppEvents table.
Here's a simplified breakdown of what the query does:
-
Data Source and Time Frame: It searches the
CloudAppEventstable for events related to Microsoft365Defender that occurred in the last 180 days. -
Action Tracking: It filters events to include only those related to creating, editing, changing the status, or deleting custom detection rules.
-
Extracting Information: The query extracts various details about each rule, such as:
- Rule name and ID
- The query used in the rule
- Alert title, category, and severity
- Author and last person to modify the rule
- MITRE ATT&CK techniques associated with the rule
- Rule frequency and timestamps for creation and last update
-
Flagging Existing Rules: To track existing rules, it suggests adding a comment flag (
xxxFLAGxxx) in the rule's query. This triggers an 'Edit' event, allowing the rule to be tracked even if it hasn't been modified otherwise. -
Summarizing Results: The query summarizes the latest state of each rule by capturing the most recent information for each rule name and ID.
-
Output: The result is a concise report of the current state and history of custom detection rules, which can be used for further analysis or reporting.
This query is useful for security teams to monitor and manage custom detection rules effectively, ensuring they are up-to-date and functioning as intended.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators
MITRE Techniques