Custom Detections
Create custom detection rules using KQL (Kusto Query Language) to find specific threat patterns in your environment.
Detection Rule Components
| Component | Description |
|---|---|
| Query | KQL query against advanced hunting tables |
| Frequency | How often the query runs (1-24 hours) |
| Alert title | Name for generated alerts |
| Severity | Alert severity level |
| Actions | Automated response actions |
Creating a Rule
- Write and test a KQL query in Advanced Hunting
- Save as detection rule with alert configuration
- Set run frequency and lookback period
- Configure response actions
- Enable the rule
Response Actions
- Isolate device — Network-isolate affected device
- Quarantine file — Quarantine detected malicious file
- Restrict app — Block app execution on device
- Run investigation — Start automated investigation
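An added example of the Query component, not taken from this page or any vendor documentation; it assumes the Microsoft Defender XDR advanced hunting schema (DeviceProcessEvents and its column names). It flags script interpreters started by Office applications, and projects the Timestamp, DeviceId and ReportId columns a custom detection rule requires, plus SHA1 so the Quarantine file action can target the spawned binary and DeviceId so Isolate device acts on the right host.

```kql
// Added example (assumes Defender XDR advanced hunting schema).
// Script interpreters launched directly by an Office application.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let interpreters = dynamic(["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(1h)                          // keep within the rule's lookback period
| where InitiatingProcessFileName in~ (officeApps)   // parent is an Office app (case-insensitive)
| where FileName in~ (interpreters)                  // child is a script interpreter
| project Timestamp, DeviceId, ReportId,             // required by custom detection rules
          DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine,
          SHA1                                       // file hash used by the Quarantine file action
```

Test the query in Advanced Hunting first and tune the allow-lists to the environment before saving it as a rule, since a 1-hour frequency with broad matches will generate a steady stream of alerts.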
API Reference
GET /api/security/custom-detections — List detection rules
POST /api/security/custom-detections — Create rule
PUT /api/security/custom-detections/:id — Update rule