Forum Discussion
Automating detection engineering for MS 365 Defender
Is it time yet? There is a POST available to create Detection Rules, but the docs aren't really that great.
We seem to have done a 1:1 conversion of existing DRs into POST requests, and still more than 50% of them fail to deploy because of 'reasons unknown', as we get a 400 error code with no actual information on why they failed.
It would really help if there was an 'export' button similar to Sentinel; then we could actually see what we are doing wrong when re-creating them manually.
I agree the docs could be better. The main source of our 400 errors was whitespace in the ATT&CK tactics. Note that when creating rules over the API, whitespace needs to be removed from detectionAction.alertTemplate.category, e.g. "Initial Access" -> "InitialAccess", "Lateral Movement" -> "LateralMovement", etc. To troubleshoot, write a problem detection in the web console and GET it to review the required JSON.