Forum Discussion
Tosty20 (Copper Contributor)
Jun 23, 2023
Automating detection engineering for MS 365 Defender
I'm working at an MSSP managing multiple customers.
We build a lot of custom detection rules in the MS 365 Defender portal of the customers. We have a library of standard custom detections we use for all our customers. However, it is very labor intensive to manage all those detections.
I'm thinking of automating it so it is all manageable from one platform. But the MS documentation doesn't speak about API features to create, edit and remove custom detections in MS 365. Is there any way to automate this process?
- Christos_Ventouris (Microsoft)
Stay tuned 🙂 There will be news on this specific area really soon 🙂 *wink* *wink*
- kaloszer (Copper Contributor)
Is it time yet? There is a POST available to create Detection Rules, but the docs aren't really that great.
We seem to have done a 1:1 conversion of existing DRs into POST requests and still more than 50% of them fail to deploy because of 'reasons unknown', as we get a 400 error code with no actual information on why they had failed.
It would really help if there was an 'export' button similar to Sentinel, then we could actually see what we are doing wrong when re-creating them manually.
- ruger999 (Copper Contributor)
I agree docs could be better. Main source of our 400 errors was whitespace in the ATT&CK tactics. Note when creating rules over API, whitespace needs to be removed from the detectionAction.alertTemplate.category e.g. "Initial Access" -> "InitialAccess", "Lateral Movement" -> "LateralMovement" etc. To troubleshoot, write a problem detection in the web console and GET to review required JSON.
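A pre-flight check that catches the whitespace problem described above before any rule is POSTed, written as an added example for this thread (not code from the poster or from Microsoft). It assumes only what the reply states: the tactic lives at `detectionAction.alertTemplate.category` and must be sent without spaces ("Initial Access" as "InitialAccess"). The `SAMPLE_RULES` library and the `KNOWN_TACTICS` set are constructed for illustration, not an official enum; the GET-a-working-rule trick from the reply is still the way to confirm the real payload shape.

```python
"""Pre-flight check for custom detection rule payloads before they are POSTed.

Added example, not code from the thread or from Microsoft. It assumes only what
the thread states: the rule JSON carries the ATT&CK tactic at
detectionAction.alertTemplate.category, and the API rejects values containing
whitespace ("Initial Access" must be sent as "InitialAccess"). The sample rules
and the tactic list below are constructed for illustration.
"""
import copy
import json
from typing import Any

CATEGORY_PATH = ("detectionAction", "alertTemplate", "category")

# Illustrative tactic names in the whitespace-free form the API expects.
# Constructed for this example; not an official enum.
KNOWN_TACTICS = {
    "InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
    "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Collection", "CommandAndControl", "Exfiltration", "Impact",
}

# Constructed sample library: what a 1:1 export of console rules might look like.
SAMPLE_RULES = [
    {"displayName": "Suspicious OAuth consent grant",
     "detectionAction": {"alertTemplate": {"category": "Initial Access"}}},
    {"displayName": "PsExec-style remote service creation",
     "detectionAction": {"alertTemplate": {"category": "Lateral Movement"}}},
    {"displayName": "Encoded PowerShell command line",
     "detectionAction": {"alertTemplate": {"category": "Execution"}}},
    {"displayName": "Rule with a non-tactic category",
     "detectionAction": {"alertTemplate": {"category": "Suspicious Activity"}}},
    {"displayName": "Rule missing the alert template entirely",
     "detectionAction": {}},
]


def normalize_category(category: str) -> str:
    """Turn "Initial Access", " lateral  movement " etc. into the
    PascalCase, whitespace-free form ("InitialAccess", "LateralMovement")."""
    return "".join(word[:1].upper() + word[1:] for word in category.split())


def _get_path(obj: dict, path: tuple) -> Any:
    """Walk a nested dict; return None if any key along the path is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _set_path(obj: dict, path: tuple, value: Any) -> None:
    """Overwrite a nested value; caller guarantees the parents exist."""
    for key in path[:-1]:
        obj = obj[key]
    obj[path[-1]] = value


def prepare_rules(rules: list[dict]) -> tuple[list[dict], list[dict]]:
    """Return (payloads, report): normalized copies ready to send, plus one
    report row per rule saying what changed and what still looks wrong.
    Inputs are never mutated, so the original export stays intact."""
    payloads, report = [], []
    for rule in rules:
        payload = copy.deepcopy(rule)
        original = _get_path(payload, CATEGORY_PATH)
        row = {"name": rule.get("displayName"), "original": original,
               "normalized": None, "changed": False, "known": False, "issue": None}
        if not isinstance(original, str):
            row["issue"] = "missing category at detectionAction.alertTemplate.category"
        else:
            fixed = normalize_category(original)
            _set_path(payload, CATEGORY_PATH, fixed)
            row.update(normalized=fixed, changed=fixed != original,
                       known=fixed in KNOWN_TACTICS)
            if fixed not in KNOWN_TACTICS:
                row["issue"] = "category is not a recognised tactic name"
        payloads.append(payload)
        report.append(row)
    return payloads, report


def rules_ready_to_send(report: list[dict]) -> list[str]:
    """Names of rules that pass both checks; fix the rest before POSTing."""
    return [r["name"] for r in report if r["issue"] is None]


if __name__ == "__main__":
    payloads, report = prepare_rules(SAMPLE_RULES)
    for row in report:
        print(json.dumps(row))
    print("ready:", rules_ready_to_send(report))
```

Running the report over an exported library before deployment turns an opaque 400 into a named rule and a named field, and the deep copy keeps the console export unchanged so it can still be diffed against what was actually sent.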
- DanijelGrah (Copper Contributor)
Is there any news on this?