Forum Discussion
Automating detection engineering for MS 365 Defender
- kaloszer, Nov 08, 2024, Copper Contributor
Is it time yet? There is a POST available to create Detection Rules, but the docs aren't really that great.
We seem to have done a 1:1 conversion of existing DRs into POST requests and still more than 50% of them fail to deploy because of 'reasons unknown', as we get a 400 error code with no actual information on why they had failed.
It would really help if there was an 'export' button similar to Sentinel; then we could actually see what we are doing wrong when re-creating them manually.
- ruger999, Jan 04, 2025, Copper Contributor
I agree docs could be better. Main source of our 400 errors was whitespace in the ATT&CK tactics. Note when creating rules over API, whitespace needs to be removed from the detectionAction.alertTemplate.category e.g. "Initial Access" -> "InitialAccess", "Lateral Movement" -> "LateralMovement" etc. To troubleshoot, write a problem detection in the web console and GET to review required JSON.
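The whitespace fix described in the reply above, as an added example that is not part of the thread and not Microsoft's own code: a small pre-flight step that rewrites `detectionAction.alertTemplate.category` from the ATT&CK spelling ("Initial Access") to the API spelling ("InitialAccess") and reports the problems that would otherwise come back as an opaque 400 before anything is sent. The Graph endpoint URL, the sample rule body and the tactic list are assumptions or constructed data, not values taken from the post; verify the URL against the current Graph documentation before using it.

```python
"""Pre-flight normalisation for Microsoft 365 Defender custom detection rules.

Added example, not code from the thread: strips whitespace from the ATT&CK tactic in
detectionAction.alertTemplate.category before the rule JSON is POSTed, because the
API rejects "Initial Access" but accepts "InitialAccess". The endpoint URL and the
sample rule below are assumptions / constructed data.
"""
import copy
import json
import re

# ATT&CK tactic names as written in the matrix (with spaces). The API wants the
# same names with the whitespace removed.
ATTACK_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
# lookup key (lowercase, no whitespace) -> API spelling, e.g. "initialaccess" -> "InitialAccess"
_API_CATEGORY_BY_KEY = {
    re.sub(r"\s+", "", t).lower(): re.sub(r"\s+", "", t) for t in ATTACK_TACTICS
}

# Assumed endpoint (Graph beta); confirm against the docs you are deploying with.
GRAPH_DETECTION_RULES_URL = "https://graph.microsoft.com/beta/security/rules/detectionRules"


def normalize_category(category: str) -> str:
    """Return the API form of a tactic: whitespace removed, canonical casing.

    Raises ValueError for anything that is not an ATT&CK tactic so a typo is
    caught locally instead of surfacing as a 400 with no detail.
    """
    key = re.sub(r"\s+", "", category).lower()
    try:
        return _API_CATEGORY_BY_KEY[key]
    except KeyError:
        raise ValueError(f"unknown ATT&CK tactic: {category!r}") from None


def preflight(rule: dict) -> list[str]:
    """Return the problems that would make the POST fail (empty list if none).

    Checks only the whitespace issue from the thread plus obvious structure;
    it is not a full schema validator.
    """
    problems = []
    try:
        category = rule["detectionAction"]["alertTemplate"]["category"]
    except (KeyError, TypeError):
        return ["missing detectionAction.alertTemplate.category"]
    if re.search(r"\s", category):
        problems.append(f"category contains whitespace: {category!r}")
    if re.sub(r"\s+", "", category).lower() not in _API_CATEGORY_BY_KEY:
        problems.append(f"category is not an ATT&CK tactic: {category!r}")
    if not rule.get("queryCondition", {}).get("queryText"):
        problems.append("missing queryCondition.queryText")
    return problems


def normalize_rule(rule: dict) -> dict:
    """Return a deep copy of the rule with the category rewritten to the API form."""
    fixed = copy.deepcopy(rule)
    template = fixed["detectionAction"]["alertTemplate"]
    template["category"] = normalize_category(template["category"])
    return fixed


def build_request(rule: dict, token: str) -> dict:
    """Assemble (but do not send) the POST; refuses rules that fail preflight."""
    problems = preflight(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "url": GRAPH_DETECTION_RULES_URL,
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps(rule),
    }


# Constructed sample rule in the shape a 1:1 export-to-POST conversion produces,
# carrying the "Initial Access" spelling that the API rejects.
SAMPLE_RULE = {
    "displayName": "Example: placeholder detection",
    "isEnabled": True,
    "queryCondition": {"queryText": "EmailEvents | where Timestamp > ago(1h) | take 10"},
    "schedule": {"period": "1H"},
    "detectionAction": {
        "alertTemplate": {
            "title": "Example alert",
            "description": "Constructed example, not a real detection.",
            "severity": "medium",
            "category": "Initial Access",
            "recommendedActions": None,
            "mitreTechniques": [],
            "impactedAssets": [],
        },
        "organizationalScope": None,
        "responseActions": [],
    },
}

if __name__ == "__main__":
    print("before:", preflight(SAMPLE_RULE))
    fixed_rule = normalize_rule(SAMPLE_RULE)
    print("after:", preflight(fixed_rule))
    print(build_request(fixed_rule, "<token>")["url"])
```

Running `preflight` over every converted rule first gives a list of the ones that would fail for this reason, which separates the whitespace cases from the 400s that still need a GET of a console-created rule to compare against.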
- kaloszer, Jan 07, 2025, Copper Contributor
Unfortunately in our case it's not the whitespace. It's on the backburner to try to figure out what goes wrong for those 40+ DRs that fail deployment.
- DanijelGrah, Nov 07, 2023, Copper Contributor
Is there any news on this?