Microsoft Defender XDR Blog

Custom detections are now the unified experience for creating detections in Microsoft Defender

Noa_Nutkevitch
Oct 28, 2025

Co-author: Jeremy Tan

As we continue to deliver on our vision to simplify security workflows for the SOC, we are making custom detections the unified solution for building and managing rules over Defender XDR and Sentinel data. While analytics rules remain available, we recommend using custom detections for access to new features and enhancements.

Benefits of unified custom detections

Adopting custom detections as the primary method for rule management helps streamline operations and enhance security. You can refer to this page for a full list of the benefits.

Some highlights include:

  • Single experience – One interface for managing detections across all data sources, and the ability to create rules across SIEM and XDR without additional ingestion costs.
  • Cost reduction – Write a detection combining XDR and Sentinel data without extra Sentinel ingestion costs.
  • Faster detection – Near real-time streaming technology. Custom detections reduce Kusto cluster load and allow an unlimited number of NRT rules.
  • Built-in XDR functions – Use functions that were previously available only in XDR advanced hunting, such as FileProfile(), SeenBy(), DeviceFromIP() and AssignedIPAddresses(), in SIEM detections.
  • Native XDR remediation actions – Native XDR remediation actions can be configured to run automatically when a custom detection fires.
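For readers who have not yet written one, here is an added example of what a custom detection query looks like. This is illustrative code added to this post; it is not a sample from Microsoft's documentation or a rule shipped with the product. It uses the FileProfile() function listed above to flag process launches of files that are rarely seen globally and do not carry a valid signature. The Windows folder exclusion, the prevalence threshold of 10 and the enrichment budget of 1000 rows are assumptions chosen for illustration. The output columns Timestamp, ReportId and an entity column such as DeviceId are what the custom detection wizard requires in order to build alerts and map impacted assets, and the frequency you pick in the wizard defines the lookback window, which is why the query itself carries no time filter.

```kql
// Added example, not part of the blog post: a query in the shape the custom
// detection wizard accepts. Thresholds and the folder filter are assumptions.
DeviceProcessEvents
| where isnotempty(SHA1)
// FileProfile() enriches at most 1000 rows per call, so pre-filter to the
// launches that matter. Images under the Windows directory are assumed to be
// well-known OS binaries and are skipped here (adjust for your environment).
| where FolderPath !startswith @"C:\Windows\"
// Enrich each launch with Microsoft's file reputation data: prevalence, first
// seen date, signer and certificate validity.
| invoke FileProfile(SHA1, 1000)
// Keep files that are rare across all tenants and either unsigned (null) or
// signed with an invalid certificate.
| where GlobalPrevalence < 10
| where isnull(IsCertificateValid) or IsCertificateValid == false
// Timestamp, ReportId and an entity column (DeviceId) are mandatory for a
// custom detection rule; the remaining columns give the analyst context.
| project Timestamp, ReportId, DeviceId, DeviceName,
          FileName, FolderPath, SHA1, ProcessCommandLine,
          InitiatingProcessFileName, AccountUpn,
          GlobalPrevalence, GlobalFirstSeen, Signer, IsCertificateValid
```

Run the query in advanced hunting first and confirm that the result set is small and that the three mandatory columns are present, then open the custom detection wizard from the query and choose the frequency and any native XDR response actions. The same query shape applies when a rule references tables from a connected Sentinel workspace alongside XDR tables.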

The new experience for unified rules management

The custom detection wizard is now the default when you create a detection from advanced hunting. If your use case still requires an analytics rule, you can click the “create analytics rule” button from within the custom detection wizard.


FAQs

Q: Should I stop using analytics rules?

A: While we continue to build out custom detections as the primary engine for rule creation across SIEM and XDR, analytics rules may still be required in some use cases. You are encouraged to use the comparison table in our public documentation to decide whether an analytics rule is needed for a specific use case. No immediate action is necessary to move existing analytics rules to custom detections.

Q: Are any immediate actions required?

A: No action is currently necessary. Custom detections should be used when suitable for a scenario, as we will continue to invest in new capabilities for this feature.

Q: Will custom detections have feature parity with analytics rules?

A: Yes, we are working toward parity.

Learn more about adopting custom detections

Please refer to our public documentation for a detailed and updated comparison.

What's next?

Join us at Microsoft Ignite in San Francisco on November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and get more from the Microsoft capabilities you already use. Security is a core focus at Ignite this year, with the Security Forum on November 17th, deep-dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners.

Featured sessions

  • BRK237 – Identity Under Siege: Modern ITDR from Microsoft
    Join experts in Identity and Security to hear how Microsoft is streamlining collaboration across teams and helping customers better protect, detect, and respond to threats targeting your identity fabric.
  • BRK240 – Endpoint security in the AI era: What's new in Defender
    Discover how Microsoft Defender’s AI-powered endpoint security empowers you to do more, better, faster.
  • BRK236 – Your SOC’s ally against cyber threats, Microsoft Defender Experts
    See how Defender Experts detect, halt, and manage threats for you, with real-world outcomes and demos.
  • LAB541 – Defend against threats with Microsoft Defender
    Get hands-on with Defender for Office 365 and Defender for Endpoint, from onboarding devices to advanced attack mitigation.

Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity.

Why attend?

Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense.

Security Forum—Make day 0 count (November 17)

Kick off with an immersive, in-person pre-day focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.

Register for Microsoft Ignite >

Updated Oct 28, 2025
Version 2.0

1 Comment

  • john66571 (Iron Contributor)

    This is great, love to see!!! :)

    Reading up on the planned parity:
    https://learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections#compare-analytics-rules-and-custom-detections-features

    1. Can we assume that in the future, the custom detection or analytic rule will be able to search in the XDR data for free (such as all Defender for Endpoint tables) instead of having to ship it to Sentinel?

    2. What about MSSPs that have connected DevOps or GitHub repos to customers' Sentinel and deploy analytic rules (and other items) through it?
    The image makes me believe we will be able to deploy custom detections through those channels (I assume they will have the same JSON structure as current analytic rules in DevOps). But where will the actual resource end up, in Sentinel (in Azure), or will Sentinel funnel them over to the XDR portal when using those repositories? (It can be important, as we now have to manage items in 2 places and the limits on amount are different, etc.)
    (On that note, the eu.prod.dps.sentinel.azure.com endpoint died a few months back, so the status of such repository connections is not updating; all of them are showing gray status.)

    3. Edit: And will we need to re-approve current repository setups, or will it be able to use current setups and Microsoft's supplied script/YAML? Or will we have to re-approve for a new type "custom detections" (alongside the old analytic rules, workbooks, etc.)?