Microsoft Defender XDR Blog

Custom detections are now the unified experience for creating detections in Microsoft Defender

Noa_Nutkevitch
Oct 28, 2025

Co-author: Jeremy Tan

As we continue to deliver on our vision to simplify security workflows for the SOC, we are making custom detections the unified solution for building and managing rules over Defender XDR and Sentinel data. While analytics rules remain available, we recommend using custom detections for access to new features and enhancements.

Benefits of unified custom detections

Adopting custom detections as the primary method for rule management helps streamline operations and enhance security. You can refer to this page for a full list of the benefits.

Some highlights include:

  • Single experience – One interface for managing detections across all data sources, and the ability to create rules across SIEM and XDR without additional ingestion costs.
  • Cost reduction – Write a detection combining XDR and Sentinel data without extra Sentinel ingestion costs.
  • Faster detection – Near real-time (NRT) streaming technology. Custom detections reduce Kusto cluster load and allow an unlimited number of NRT rules.
  • Built-in XDR functions – Functions previously available only in XDR, such as FileProfile(), SeenBy(), DeviceFromIP() and AssignedIPAddresses(), can now be used in SIEM detections.
  • Native XDR remediation actions – Native XDR remediation actions can be configured to run automatically when a custom detection fires.

The new experience for unified rules management

Custom detection is the default wizard when creating a detection from advanced hunting. If your use case still requires an analytics rule, you can click the “create analytics rule” button in the custom detection wizard.


FAQs

Q: Should I stop using analytics rules?

A: While we continue to build out custom detections as the primary engine for rule creation across SIEM and XDR, analytics rules may still be required in some use cases. You are encouraged to use the comparison table in our public documentation to decide whether an analytics rule is needed for a specific use case. No immediate action is necessary to move existing analytics rules to custom detection rules.

Q: Are any immediate actions required?

A: No action is currently necessary. Custom detections should be used when suitable for a scenario, as we will continue to invest in new capabilities for this feature.

Q: Will custom detections have feature parity with analytics rules?

A: Yes, we are working toward parity.

Learn more about adopting custom detections

Please refer to our public documentation for a detailed and updated comparison.

What's next? 

Join us at Microsoft Ignite in San Francisco on November 17–21, or online on November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and get more from the Microsoft capabilities you already use. Security is a core focus at Ignite this year, with the Security Forum on November 17th, deep-dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners.

Featured sessions

  • BRK237 – Identity Under Siege: Modern ITDR from Microsoft
    Join experts in Identity and Security to hear how Microsoft is streamlining collaboration across teams and helping customers better protect, detect, and respond to threats targeting your identity fabric.
  • BRK240 – Endpoint security in the AI era: What's new in Defender
    Discover how Microsoft Defender’s AI-powered endpoint security empowers you to do more, better, faster.
  • BRK236 – Your SOC’s ally against cyber threats, Microsoft Defender Experts
    See how Defender Experts detect, halt, and manage threats for you, with real-world outcomes and demos.
  • LAB541 – Defend against threats with Microsoft Defender
    Get hands-on with Defender for Office 365 and Defender for Endpoint, from onboarding devices to advanced attack mitigation.

Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity.

Why attend?
Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense.

Security Forum—Make day 0 count (November 17)
Kick off with an immersive, in-person pre-day focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.

Register for Microsoft Ignite >

Updated Oct 28, 2025
Version 2.0

4 Comments

  • dino_santic (Occasional Reader)

    I have done some testing on creating custom detection rules in Defender XDR using both XDR data and Sentinel analytics data. From my understanding it works fine to include Sentinel analytics data as part of a custom detection rule in XDR, as long as the detection rule includes results from at least one Defender XDR table. However, creating a custom detection rule in XDR using only Sentinel data does not work.


    The reason is that a custom detection in XDR requires a valid value for ReportId in combination with Timestamp to find the event in question, and in Sentinel data tables the ReportId field does not exist. Custom detection rules in XDR require ReportId to be projected, and although it is possible to e.g. set ReportId to blank, this will work fine when running the query in advanced hunting but fail when the custom detection rule in XDR is supposed to trigger. This means the rule runs successfully when there are no results in the result set, but as soon as there are results it will fail. Further, selecting a ReportId and Timestamp from a random XDR event can work, but then the detection rule will show the data from that specific event, not the query result. The query result in that case is just joined with that event, which becomes very confusing for an analyst and thus can't be used for detection.


    So either there is a workaround here for ReportId field when using Sentinel analytics data (as ReportId doesn't exist in Sentinel analytics data such as SigninLogs), or it is not possible to create a custom detection rule in Defender XDR using only data from Sentinel analytics tables? If the latter is the case, then this blog post and the reference in the first question under FAQ is a bit misleading.

    My observations are supported by this Microsoft article: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-microsoft-defender, which states the following as a known limitation of Defender XDR custom detection rules: "Custom detections aren't available for KQL queries that don't include Defender XDR data."

    • Noa_Nutkevitch (Microsoft)

      Hello!

      Custom detections support Sentinel-only data (this is a new enhancement). No need for XDR data anymore. When XDR data is not involved, we don't require ReportId and the other required columns. The documentation should be updated. Thanks for letting us know! We will work to update it ASAP.

      If you still experience issues with creating custom detections on Sentinel-only data, please open a support ticket and we will make sure to address it soon.
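As an added illustration (not part of the blog post or the comment thread, and not a Microsoft-supplied sample), the following KQL shows the pattern the “Cost reduction” highlight describes and the point dino_santic raises: the Sentinel SigninLogs table is joined to the Defender XDR DeviceLogonEvents table, and the columns a custom detection rule uses to identify the matched event (Timestamp, ReportId, DeviceId) come from the XDR row, so each alert points at one real device logon rather than at a borrowed or blank ReportId. The scenario (a risky Entra ID sign-in followed by a device logon from the same source IP), the risk-level filter, the one-hour window and the join on source IP are assumptions chosen for the example.

```kusto
// Added example; not from the blog post or the Microsoft documentation it links.
// Scenario (assumed): a medium/high-risk, successful Entra ID sign-in recorded in
// the Sentinel SigninLogs table, followed within one hour by a successful network
// or remote-interactive logon to a Defender-onboarded device from the same IP.
// Timestamp, ReportId and DeviceId are taken from the DeviceLogonEvents row so the
// custom detection can resolve each result to a specific Defender XDR event.
let lookback = 1d;     // assumed look-back for both tables
let window   = 1h;     // assumed maximum gap between the sign-in and the device logon
let riskySignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")   // assumed risk threshold
    | where ResultType == "0"                             // successful sign-in
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, RiskLevelDuringSignIn;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where LogonType in ("Network", "RemoteInteractive")
| where isnotempty(RemoteIP)
// Join the Sentinel rows to the XDR rows on the source IP (assumed correlation key).
| join kind=inner riskySignins on $left.RemoteIP == $right.IPAddress
// Keep only device logons that happened after the risky sign-in, within the window.
| where Timestamp between (SigninTime .. (SigninTime + window))
// Required identifying columns first, then the context an analyst needs.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName, LogonType, RemoteIP,
          UserPrincipalName, SigninTime, RiskLevelDuringSignIn
```

Because every output row carries the ReportId and Timestamp of its own DeviceLogonEvents record, the alert created from it describes that logon and not an unrelated event; the Sentinel columns (UserPrincipalName, SigninTime, RiskLevelDuringSignIn) ride along as context. Tune the window, the risk filter and the correlation key to the environment before using a query of this shape in a rule.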

  • john66571 (Iron Contributor)

    This is great, love to see!!! :)


    Reading up on the planned parity:
    https://learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections#compare-analytics-rules-and-custom-detections-features

    1. Can we assume that in the future, the custom detection or analytic rule will be able to search in the XDR data for free (such as all defender for endpoint tables) instead of having to ship it to sentinel?

    2. What about MSSPs that have connected DevOps or GitHub repos to customers' Sentinel and deploy analytic rules (and other items) through them?
    The image makes me believe we will be able to deploy custom detections through those channels (I assume they will have the same JSON structure as current analytic rules in DevOps). But where will the actual resource end up, in Sentinel (in Azure), or will Sentinel funnel them over to the XDR portal when using those repositories? (It can be important, as we now have to manage items in 2 places and the limits on amounts are different, etc.)
    (On that note, the eu.prod.dps.sentinel.azure.com endpoint died a few months back, so the status of such repository connections is not updating; all of them are showing gray status.)

    3. Edit: And will we need to re-approve current repository setups, or will it be able to use current setups and Microsoft's supplied script/yaml? Or will we have to re-approve for a new type "custom detections" (alongside the old analytic rules, workbooks, etc.)?

    • Noa_Nutkevitch (Microsoft)

      1. Yes - today you can use custom detections to search in all XDR tables and even join them with data you have in Sentinel, without shipping the XDR data to Sentinel! This was written in the highlights section of the blog (I assume this was not clear?):

      • Cost reduction – Write a detection combining XDR and Sentinel data without extra Sentinel ingestion costs.

      2 + 3. Sentinel repositories will indeed support custom detections, which will be deployed to your Defender tenant (and not to Azure). We can't commit yet to specific details such as the JSON structure and setup process. We will publish detailed documentation when the feature is ready and available to use :)