How to create Detection rule in Microsoft Defender
A custom detection rule is a rule you create using KQL that runs on endpoint telemetry and raises an alert when your defined suspicious conditions are met.
A Custom Detection Rule in Microsoft Defender for Endpoint (MDE) is a user‑defined rule that automatically generates alerts based on Advanced Hunting queries. It allows security teams to detect environment‑specific threats that aren’t covered by Microsoft’s built‑in detections.
Custom Detection Rules uses.
Microsoft’s default detections cover common and known attack patterns.
Custom detection rules are used when you want to detect:
- Organization‑specific attack techniques
- Abuse of internal tools or scripts
- Rare admin or PowerShell activity
- Suspicious behavior not blocked but worth alerting on
- Early indicators of compromise (IOC‑based or behavior‑based)
How Custom Detection Rules Work
- Telemetry is collected from endpoints (processes, files, network, registry, logons, etc.)
- A KQL query (Advanced Hunting query) is defined
- MDE runs the query on a schedule
- If conditions match → Alert is generated
- Alert is added to an Incident for triage and response
Custom detection rules detect and alert — they do not block activity.
KQL Query
Uses Advanced Hunting tables, such as:
DeviceProcessEventsDeviceNetworkEventsDeviceFileEventsDeviceLogonEventsDeviceRegistryEvents
DeviceProcessEvents| where InitiatingProcessFileName == “winword.exe”| where FileName in (“powershell.exe”, “cmd.exe”)
Rule Frequency
Controls how often the rule runs:
- Every hour
- Every day
- Custom interval
Alert Threshold
Defines when an alert should trigger:
- Any matching event
- After a certain number of events
- Grouped by:
- Device
- User
- Process