Forum Discussion
Unified detection rule management
At the moment, unified custom detection rules in Defender XDR do not support bulk JSON import in the same way some legacy rule models did.
The new unified detection experience centralizes rule management across workloads, but it is primarily designed for rule creation and management through the Defender portal or via APIs — not direct JSON file import through the UI.
If you previously managed rules using JSON export/import to maintain version-controlled libraries across multiple tenants, that workflow is not yet natively available in the unified model.
However, there are a few architectural approaches you can consider:
- Use the Defender XDR APIs
  Custom detections can be managed programmatically via Microsoft Graph Security APIs or Defender APIs. This allows you to:
  - Store rules as JSON in source control
  - Push updates programmatically
  - Maintain release versioning across tenants
- Infrastructure-as-Code style management
  Treat detection rules as code:
  - Maintain rule definitions in Git
  - Use automation (PowerShell, REST calls, CI/CD pipeline)
  - Deploy updates per tenant in a controlled release cycle
- Multi-tenant management via automation
  If you are operating across multiple tenants, consider using:
  - Partner Center delegated access
  - Service principals per tenant
  - Centralized deployment scripts
Regarding your specific question — Microsoft has not publicly announced JSON import via UI for unified detections. The strategic direction appears to be API-driven management rather than manual file import.
For SOC-scale environments, API-based lifecycle management is likely the intended path forward.
It would be worth raising this in the Defender Tech Community as feature feedback, especially for MSSP and multi-tenant use cases where rule libraries require structured release governance.
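The following is an added example of the "detection rules as code" workflow the reply describes (Git-stored JSON, one service principal per tenant, a deployment script); it is not code from the original post or from Microsoft. It assumes rule files are stored one per file under a `rules` directory in the shape of the Microsoft Graph beta `detectionRule` resource, that each tenant's app registration holds the `CustomDetection.ReadWrite.All` application permission, and that the beta endpoint `https://graph.microsoft.com/beta/security/rules/detectionRules` is still current (beta APIs change, so confirm both against the Graph documentation before relying on them). The `tenants.json` layout, the `DryRun` switch, and the environment-variable secret lookup are this example's own conventions.

```powershell
# Added example (not from the original post): push version-controlled custom
# detection rules from a Git checkout to one or more Defender XDR tenants.
# Assumptions: Graph beta endpoint below; app permission CustomDetection.ReadWrite.All
# per tenant; rule JSON files carry only writable detectionRule properties
# (displayName, isEnabled, queryCondition, schedule, detectionAction), e.g.:
#   { "displayName": "Example - LOLBin download",           # constructed sample
#     "isEnabled": true,
#     "queryCondition": { "queryText": "DeviceProcessEvents | where ..." },
#     "schedule": { "period": "1H" },
#     "detectionAction": { "alertTemplate": { "title": "...", "severity": "medium",
#                          "category": "Execution", "impactedAssets": [] },
#                          "responseActions": [] } }
# tenants.json (constructed sample; secrets come from env vars, never the repo):
#   [ { "tenantId": "<tenant-guid>", "clientId": "<app-guid>", "secretEnvVar": "CONTOSO_SECRET" } ]
param(
    [Parameter(Mandatory)] [string] $RulesPath,    # e.g. .\rules in the Git checkout
    [Parameter(Mandatory)] [string] $TenantsFile,  # path to tenants.json
    [switch] $DryRun                               # print the plan, send nothing
)

$graph = 'https://graph.microsoft.com/beta/security/rules/detectionRules'

function Get-GraphToken {
    # Client-credentials flow for one tenant's service principal.
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

function Get-ExistingRules {
    # Returns a displayName -> rule map for the tenant, following @odata.nextLink paging.
    param([hashtable]$Headers)
    $rules = @{}
    $uri = $graph
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
        foreach ($r in $page.value) { $rules[$r.displayName] = $r }
        $uri = $page.'@odata.nextLink'
    }
    return $rules
}

function Publish-Rule {
    # Create the rule if absent, PATCH it if the query or enabled state drifted, else skip.
    # displayName is used as the stable key between repo and tenant (repo naming convention).
    param([hashtable]$Headers, [object]$Desired, [hashtable]$Existing)
    $json    = $Desired | ConvertTo-Json -Depth 10
    $current = $Existing[$Desired.displayName]
    if ($null -eq $current) {
        Write-Host "  CREATE    $($Desired.displayName)"
        if (-not $DryRun) {
            Invoke-RestMethod -Method Post -Uri $graph -Headers $Headers `
                -ContentType 'application/json' -Body $json | Out-Null
        }
    }
    elseif ($current.queryCondition.queryText -ne $Desired.queryCondition.queryText -or
            $current.isEnabled -ne $Desired.isEnabled) {
        Write-Host "  UPDATE    $($Desired.displayName)"
        if (-not $DryRun) {
            Invoke-RestMethod -Method Patch -Uri "$graph/$($current.id)" -Headers $Headers `
                -ContentType 'application/json' -Body $json | Out-Null
        }
    }
    else { Write-Host "  UNCHANGED $($Desired.displayName)" }
}

# Load the desired state once (the Git checkout is the source of truth)...
$desiredRules = Get-ChildItem -Path $RulesPath -Filter '*.json' |
    ForEach-Object { Get-Content $_.FullName -Raw | ConvertFrom-Json }
$tenants = Get-Content $TenantsFile -Raw | ConvertFrom-Json

# ...then reconcile every tenant against it with its own service principal.
foreach ($t in $tenants) {
    Write-Host "Tenant $($t.tenantId)"
    $secret = [Environment]::GetEnvironmentVariable($t.secretEnvVar)
    if (-not $secret) { Write-Warning "  no secret in env var $($t.secretEnvVar); skipping"; continue }
    $token    = Get-GraphToken -TenantId $t.tenantId -ClientId $t.clientId -ClientSecret $secret
    $headers  = @{ Authorization = "Bearer $token" }
    $existing = Get-ExistingRules -Headers $headers
    foreach ($rule in $desiredRules) { Publish-Rule -Headers $headers -Desired $rule -Existing $existing }
}
```

Run it as `.\Deploy-DetectionRules.ps1 -RulesPath .\rules -TenantsFile .\tenants.json -DryRun` first to see the create/update/unchanged plan per tenant, then drop `-DryRun` from the CI/CD job. Keying on `displayName` keeps the repo free of per-tenant rule IDs, which is what makes the same rule library deployable to many tenants; the trade-off is that renaming a rule in Git creates a new rule rather than updating the old one, so a rename should be paired with a deliberate deletion.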