Add Custom Detections via api?

Brass Contributor

Is it possible to add our own Custom Detections, either Sigma Rules or indicators from MISP via the api?  


Thank you! 


Also, is this the best place to ask questions and learn?  Is there a slack channel, discord chat? 

6 Replies
best response confirmed by mathurin68 (Brass Contributor)
Yes -
Some warnings:
It probably won't work out of the box.
You'll need to take from what you see here and modify/make your own.

Sigma used to have a converter function for Endpoint , but like the script above, has fallen out of date. You could write your own converter though.
Thank you for this! FINALLY getting back to this! Will this do Custom Detections? I don't mean the indicators like a file hash, I mean full blown KQL detections with priorities, Mitre information all that for Defender for Endpoint.

@mathurin68 To point you in the right direction, I’d need to know more about your use-case.


Do you want to -

Create and update custom signatures, such as static IPs, URLS, Certificates and file hashes:

Best for a tenant-level block list or where you wish to block, allow or quarantine an entity you’ve discovered through investigation.


Create and update custom detection rules, which run every hour, day or week (runs against the data from the prior period):

Best for keeping track of entities or actions, but not good for ensuring a threat is blocked in real-time.


Query the advanced security API:

This option is best when you would create your own queries, schedules, and rules. Dev responsibility falls entirely on your plate here.

You’ll need to be able to:

Create and secure a custom Multi-tenant or single tenant app registered in Azure with permissions to read and interact with the Microsoft security API.


Securely create and access client authentication secrets or certificates (preferred) to engage with the API.

Securely create, update and access a list of your own rules and signatures. This can be a secondary database or (but not limited to)a routinely updated GitHub page like many block lists available today. 

My recommendation is to not expose MISP directly to the services querying the security API. There should be isolation between the two.

This is most effective where initial discovery queries can interact with the custom signature list and make additional calls for triggering investigations and quarantining entities where (matches of detection rules) results are found. 

Forgive any typos, on the go.



@Jonathan Green 

Hey Jonathan! I'm talking about KQL queries we've turned into Custom Detections.  There doesn't seem to be a way to get to them in the api for Defender for Endpoint.  Just being able to download them would be a huge help.  I hope I'm wrong but there doesn't seem to be a way to do it.  We are GCC by the way. 

You are correct, no native way to do it.
Thinking outside the box - Perhaps you could pull audit logs from all created custom detections?
Many audit logs include the changed state (the new detection being added). If this is also the case with custom detections, theoretically, you could just export to a csv. Might be worth exploring.

@Jonathan Green 

I'll check and see. Ugh, thats not good.  


What about getting the Defender tables into Sentinel and setting the alerts there?  Can't I work with the Custom Detections through the api there?


Thank you for all your answers with this!