Forum Discussion
mathurin68
Aug 26, 2021 | Brass Contributor
Add Custom Detections via api?
Is it possible to add our own Custom Detections, either Sigma Rules or indicators from MISP via the api? Thank you! Also, is this the best place to ask questions and learn? Is there a sla...
- Aug 31, 2021Yes - https://github.com/microsoftgraph/security-api-solutions/blob/master/Samples/MISP/README.md
Some warnings:
It probably won't work out of the box.
You'll need to take from what you see here and modify/make your own.
Sigma used to have a converter function for Endpoint, but like the script above, it has fallen out of date. You could write your own converter though.
Jonathan Green
May 17, 2022 | Brass Contributor
You are correct, no native way to do it.
Thinking outside the box - Perhaps you could pull audit logs from all created custom detections?
Many audit logs include the changed state (the new detection being added). If this is also the case with custom detections, theoretically, you could just export to a csv. Might be worth exploring.
mathurin68
May 20, 2022 | Brass Contributor
I'll check and see. Ugh, that's not good.
What about getting the Defender tables into Sentinel and setting the alerts there? Can't I work with the Custom Detections through the api there?
Thank you for all your answers with this!