---
title: Overview of custom detections in Microsoft Defender XDR
description: Understand how you can use advanced hunting to create custom detections and generate alerts.
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
ms.author: pauloliveria
author: poliveria
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
ms.custom:
ms.topic: overview
appliesto:
ms.date: 06/27/2024
---
[!INCLUDE Microsoft Defender XDR rebranding]
With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured endpoints. Custom detections are customizable detection rules that automatically trigger alerts and response actions.
Custom detections work with advanced hunting, which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Custom detections provide:
- Alerts for rule-based detections built from advanced hunting queries
- Automatic response actions
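As an added illustration that is not part of the original page, the query below shows the shape of an advanced hunting query that can back a custom detection rule: it flags Office applications launching a script or command interpreter, which is one way macro-based phishing documents appear in endpoint telemetry. The table and column names come from the `DeviceProcessEvents` schema; the four-hour window and the process list are constructed values for the example and should be adjusted to the rule's scheduled lookback and to the environment. Custom detection rules require the result set to contain `Timestamp`, `ReportId` and at least one entity column such as `DeviceId`, which is why the query projects them explicitly. Filtering on `Timestamp` first, using exact-match operators such as `in~` instead of `contains`, and projecting only the columns the alert needs are the kind of optimizations that keep a scheduled rule from timing out.

```kusto
// Added example custom detection query (not from the original page).
// Office applications spawning scripting or command interpreters.
DeviceProcessEvents
// Narrow the time range first so later filters scan less data; 4h is a
// constructed value and must not exceed the rule's lookback window.
| where Timestamp > ago(4h)
// Parent process is an Office application (case-insensitive exact match).
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
// Child process is a script host or shell.
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
// Required columns for a custom detection rule: Timestamp, ReportId and an
// entity column (DeviceId here). The remaining columns give the analyst
// context in the alert without returning the whole row.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
```

Run the query in advanced hunting first to confirm it returns results and the required columns, then create the rule from it; because each matching row becomes part of an alert, keep the filters specific enough that benign administrative activity does not flood the queue.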
Optimizing the queries in your custom detection rules is important for avoiding time-outs and keeping the rules efficient. For guidance on query optimization, see Advanced hunting query best practices. Related articles:
- Create and manage custom detection rules
- Advanced hunting query best practices
- Migrate advanced hunting queries from Microsoft Defender for Endpoint
- Microsoft Graph security API for custom detections