Query Details

Custom Detection Report for Microsoft Defender

Custom Detection Report

Query

search in(CloudAppEvents) 'Microsoft365Defender'
| where Timestamp > ago(180d)    // How far back to check
| where parse_json(RawEventData).Workload=='Microsoft365Defender'
// Track rule creation/mods/deletion
| where ActionType has_any ('CreateCustomDetection', 'EditCustomDetection', 'ChangeCustomDetectionRuleStatus', 'DeleteCustomDetection')
| extend RuleName = tostring((RawEventData).RuleName)
| extend RuleId = tostring((RawEventData).RuleId)
| extend Query = parse_json(RawEventData).Query
| extend AlertTitle = parse_json(RawEventData).AlertTitle
| extend Author = iff(ActionType=='CreateCustomDetection', parse_json(RawEventData).UserId, 'null')
| extend LastAuthor = parse_json(RawEventData).UserId
| extend AlertCategory = parse_json(RawEventData).AlertCategory
| extend AlertSeverity = parse_json(RawEventData).AlertSeverity
| extend MitreTechniques = parse_json(RawEventData).MitreTechniques
| extend RuleFrequency = parse_json(RawEventData).RuleFrequency
| extend CreationTime=iff(ActionType=='CreateCustomDetection', Timestamp, datetime(null))
| extend LastUpdateTime=iff(ActionType=='EditCustomDetection', Timestamp, datetime(null))
| extend IsEnabled = parse_json(RawEventData).IsEnabled
| extend IsEnabled = case(
  IsEnabled == false, 0,
  (IsEnabled == true) or ActionType=='CreateCustomDetection' or (ActionType=='EditCustomDetection' and Query has 'xxxFLAGxxx'), 1
  , int(null))
// Captures the latest states per rule name/id
| summarize arg_max(Timestamp, ActionType, CreationTime, LastUpdateTime, AlertTitle, Author, LastAuthor, 
  IsEnabled, AlertCategory, AlertSeverity, MitreTechniques, RuleFrequency, Query) 
  by RuleName, RuleId
//| project-away Query

About this query

Explanation

This query is designed to track and report on custom detection rules in Microsoft Defender for Endpoint/XDR. It focuses on actions like creating, editing, and deleting these rules. The data is sourced from the CloudAppEvents table.

Here's a simplified breakdown of what the query does:

  1. Data Source and Time Frame: It searches the CloudAppEvents table for events related to Microsoft365Defender that occurred in the last 180 days.

  2. Action Tracking: It filters events to include only those related to creating, editing, changing the status, or deleting custom detection rules.

  3. Extracting Information: The query extracts various details about each rule, such as:

    • Rule name and ID
    • The query used in the rule
    • Alert title, category, and severity
    • Author and last person to modify the rule
    • MITRE ATT&CK techniques associated with the rule
    • Rule frequency and timestamps for creation and last update
  4. Flagging Existing Rules: To track existing rules, it suggests adding a comment flag (xxxFLAGxxx) in the rule's query. This triggers an 'Edit' event, allowing the rule to be tracked even if it hasn't been modified otherwise.

  5. Summarizing Results: The query summarizes the latest state of each rule by capturing the most recent information for each rule name and ID.

  6. Output: The result is a concise report of the current state and history of custom detection rules, which can be used for further analysis or reporting.

This query is useful for security teams to monitor and manage custom detection rules effectively, ensuring they are up-to-date and functioning as intended.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsMicrosoft365DefenderTimestampRawEventDataActionTypeRuleNameRuleIdQueryAlertTitleAuthorLastAuthorAlertCategoryAlertSeverityMitreTechniquesRuleFrequencyCreationTimeLastUpdateTimeIsEnabled

Operators

searchinwhereparse_jsonhas_anyextendtostringiffcasesummarizearg_maxbyagodatetimeint

MITRE Techniques

Actions

GitHub