{"id":30990,"date":"2025-10-08T20:21:35","date_gmt":"2025-10-08T20:21:35","guid":{"rendered":"https:\/\/endusersupports.com\/?p=30990"},"modified":"2026-05-09T07:26:01","modified_gmt":"2026-05-09T07:26:01","slug":"how-to-create-detection-rule-in-microsoft-defender-for-endpoints","status":"publish","type":"post","link":"https:\/\/endusersupports.com\/index.php\/2025\/10\/08\/how-to-create-detection-rule-in-microsoft-defender-for-endpoints\/","title":{"rendered":"How to Create Detection Rule in Microsoft Defender for Endpoints"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

How to create Detection rule in Microsoft Defender<\/b><\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
A custom detection rule is a rule you create using KQL that runs on endpoint telemetry and raises an alert when your defined suspicious conditions are met.<\/div>
\u00a0<\/div>
A Custom Detection Rule in Microsoft Defender for Endpoint (MDE) is a user\u2011defined rule that automatically generates alerts based on Advanced Hunting queries. It allows security teams to detect environment\u2011specific threats that aren\u2019t covered by Microsoft\u2019s built\u2011in detections.<\/div><\/div>
\u00a0<\/div>
Custom Detection Rules uses.<\/strong><\/h6>

Microsoft\u2019s default detections cover common and known attack patterns.
Custom detection rules are used when you want to detect:<\/p>

  • Organization\u2011specific attack techniques<\/li>
  • Abuse of internal tools or scripts<\/li>
  • Rare admin or PowerShell activity<\/li>
  • Suspicious behavior not blocked but worth alerting on<\/li>
  • Early indicators of compromise (IOC\u2011based or behavior\u2011based)<\/li><\/ul>
    How Custom Detection Rules Work<\/strong><\/h6><\/div>
    1. Telemetry is collected from endpoints (processes, files, network, registry, logons, etc.)<\/li>
    2. A KQL query (Advanced Hunting query) is defined<\/li>
    3. MDE runs the query on a schedule<\/li>
    4. If conditions match \u2192 Alert is generated<\/li>
    5. Alert is added to an Incident for triage and response<\/li><\/ol>

      \u00a0Custom detection rules detect and alert \u2014 they do not block activity.<\/span><\/p>

      KQL Query<\/h6>

      Uses Advanced Hunting tables, such as:<\/p>

      • DeviceProcessEvents<\/code><\/li>
      • DeviceNetworkEvents<\/code><\/li>
      • DeviceFileEvents<\/code><\/li>
      • DeviceLogonEvents<\/code><\/li>
      • DeviceRegistryEvents<\/code><\/li><\/ul>

        <\/p>

        DeviceProcessEvents<\/div>
        | where InitiatingProcessFileName == “winword.exe”<\/div>
        | where FileName in (“powershell.exe”, “cmd.exe”)<\/div><\/blockquote>
        Rule Frequency<\/h6>

        Controls how often the rule runs:<\/p>

        • Every hour<\/li>
        • Every day<\/li>
        • Custom interval<\/li><\/ul>
          Alert Threshold<\/h6>

          Defines when an alert should trigger:<\/p>

          • Any matching event<\/li>
          • After a certain number of events<\/li>
          • Grouped by:
            • Device<\/li>
            • User<\/li>
            • Process<\/li><\/ul><\/li><\/ul><\/div><\/div><\/div><\/div><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

              How to create Detection rule in Microsoft Defender A custom detection rule is a rule you create using KQL that runs on endpoint telemetry and raises an alert when your defined suspicious conditions are met.\u00a0A Custom Detection Rule in Microsoft Defender for Endpoint (MDE) is a user\u2011defined rule that automatically generates alerts based on Advanced […]<\/p>\n","protected":false},"author":1,"featured_media":31034,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[],"class_list":["post-30990","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-defender-for-endpoint"],"views":14,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/posts\/30990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/comments?post=30990"}],"version-history":[{"count":10,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/posts\/30990\/revisions"}],"predecessor-version":[{"id":31023,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/posts\/30990\/revisions\/31023"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/media\/31034"}],"wp:attachment":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/media?parent=30990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/categories?post=30990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/tags?post=30990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}