I have done some testing on creating custom detection rules in Defender XDR using both XDR data and Sentinel analytics data. From my understanding it works fine to include Sentinel analytics data as part of a custom detection rule in XDR, as long as the detection rule includes results from at least one Defender XDR table. However, creating a custom detection rule in XDR using only Sentinel data does not work.
The reason is that a custom detection in XDR requires a valid value for ReportId in combination with Timestamp to find the event in question, and in Sentinel data tables the ReportId field does not exist. Custom detection rules in XDR require ReportId to be projected, and although it is possible to e.g. set ReportId to blank, this will work fine when running the query in advanced hunting but fail when the custom detection rule in XDR is supposed to trigger. Meaning the rule runs successfully when there are no results in the result set, but as soon as there are results it will fail. Further, selecting a ReportId and Timestamp from a random XDR event can work, but then the detection rule will show the data from that specific event, not the query result. The query result in that case is just joined with that event, which becomes very confusing for an analyst and thus can't be used for detection.
So either there is a workaround here for the ReportId field when using Sentinel analytics data (as ReportId doesn't exist in Sentinel analytics data such as SigninLogs), or it is not possible to create a custom detection rule in Defender XDR using only data from Sentinel analytics tables? If the latter is the case, then this blog post and the reference in the first question under FAQ are a bit misleading.
My observations are supported by this Microsoft article: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-microsoft-defender, which states the following as a known limitation of Defender XDR custom detection rules: "Custom detections aren't available for KQL queries that don't include Defender XDR data."
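The pattern the comment above describes (Sentinel rows joined to a Defender XDR table so that the query can project the Timestamp and ReportId a custom detection requires) as an added KQL example; this is not code from the original comment or from Microsoft. It assumes a Sentinel workspace connected to the Defender portal, so that SigninLogs (Sentinel) and IdentityLogonEvents (Defender XDR) are both queryable in advanced hunting, and it uses a constructed 10-minute correlation window. Timestamp and ReportId are taken from the XDR row, which is why the resulting alert will point at that XDR logon event rather than at the SigninLogs row, exactly the analyst-confusion caveat raised in the comment.

```kusto
// Added illustrative example (not from the original post or Microsoft docs).
// Assumes SigninLogs (Sentinel) and IdentityLogonEvents (Defender XDR) are
// both available in the same advanced hunting workspace.
let lookback = 1d;                 // assumed lookback window
let corr_window_min = 10;          // assumed correlation window in minutes
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"          // successful Entra ID sign-ins only
| project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
| join kind=inner (
    // XDR side: supplies the Timestamp and ReportId the custom detection needs
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, ReportId, AccountUpn, AccountObjectId, DeviceName
) on $left.UserPrincipalName == $right.AccountUpn
// keep only pairs where the XDR logon lands close to the cloud sign-in
| where abs(datetime_diff("minute", SigninTime, Timestamp)) <= corr_window_min
// Timestamp and ReportId must come from the XDR row; a blank or synthetic
// ReportId passes in advanced hunting but breaks when the rule fires on results
| project Timestamp, ReportId, AccountUpn, AccountObjectId, DeviceName,
          SigninTime, IPAddress, AppDisplayName
```

Before saving this as a custom detection, run it in advanced hunting with a time range that actually returns rows: a query that only succeeds on an empty result set will still fail silently once real events match, which is the failure mode the comment describes.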