
Zivosh
Nov 05, 2025

Unified detection rule management

Hi,
I attended the webinar yesterday regarding the new unified custom detection rules in Defender XDR. I was wondering about the management of a library of rules.

As with any SOC, our solution has a library of custom rules which we manage in a release cycle for a number of clients in different Tenants. To avoid having to manage rules individually we use the JSON approach, importing the library so it will update rules that we need to tune.

Currently I'm not seeing an option to import unified detection rules in Defender XDR via JSON. Is that a feature that will be added?


Thanks
Ziv


1 Reply

  • At the moment, unified custom detection rules in Defender XDR do not support bulk JSON import in the same way some legacy rule models did.

    The new unified detection experience centralizes rule management across workloads, but it is primarily designed for rule creation and management through the Defender portal or via APIs — not direct JSON file import through the UI.

    If you previously managed rules using JSON export/import to maintain version-controlled libraries across multiple tenants, that workflow is not yet natively available in the unified model.

    However, there are a few architectural approaches you can consider:

    1. Use the Defender XDR APIs
       Custom detections can be managed programmatically via Microsoft Graph Security APIs or Defender APIs. This allows you to:
       • Store rules as JSON in source control
       • Push updates programmatically
       • Maintain release versioning across tenants
    2. Infrastructure-as-Code style management
       Treat detection rules as code:
       • Maintain rule definitions in Git
       • Use automation (PowerShell, REST calls, CI/CD pipeline)
       • Deploy updates per tenant in a controlled release cycle
    3. Multi-tenant management via automation
       If you are operating across multiple tenants, consider using:
       • Partner Center delegated access
       • Service principals per tenant
       • Centralized deployment scripts

    Regarding your specific question — Microsoft has not publicly announced JSON import via UI for unified detections. The strategic direction appears to be API-driven management rather than manual file import.

    For SOC-scale environments, API-based lifecycle management is likely the intended path forward.

    It would be worth raising this in the Defender Tech Community as feature feedback, especially for MSSP and multi-tenant use cases where rule libraries require structured release governance.
