Jul 11 2023 12:44 AM
Hello community!
I'm looking for a possible solution to have custom detection rules hosted in an Azure DevOps repo with the possibility to push them directly into Defender - something like how Community queries work (if it works like that). I tried to search across the internet and MS documentation but haven't found anything like that. Is it even possible? Could you please guide me or point me to some documentation/articles?
Thanks in advance!
Jul 11 2023 01:19 AM - edited Jul 11 2023 01:21 AM
Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints.
* To create a custom detection rule, you need to prepare the query in the Microsoft 365 Defender portal: go to Advanced hunting and select an existing query or create a new query. Then you need to provide alert details, choose the impacted entities, specify actions, set the rule scope, and review and turn on the rule.
* To manage custom detections, you need to be assigned one of these roles: Security settings (manage), Security administrator, or Security operator.
* Defender for DevOps allows you to manage your connected environments and provides your security teams with a high-level overview of discovered issues that may exist within them through the Defender for DevOps console.
Documentation and articles:
- Create and manage custom detection rules in Microsoft 365 Defender. https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w....
- Microsoft Defender for DevOps - the benefits and features. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-devops-introduction.
- Create and manage custom detections rules - GitHub. https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender/cust....
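The steps above (query, alert details, impacted entities, actions, scope, enable) are the pieces a rule has to carry whether it is built in the portal or kept as a file in a repo. As an added example that is not part of this thread and not Microsoft's tooling, the script below lints rule files stored in a repository against those same pieces before anyone submits them; the JSON schema, the `lint_rule`/`lint_repo` function names, the frequency encoding and the sample rules are all assumptions constructed for the example. The only documented requirement it encodes is that a custom detection query must return the `Timestamp` and `ReportId` columns (per the custom detection rules documentation linked above).

```python
import json
import re

# Assumed rule-file schema (not from the thread or Microsoft's docs): one JSON
# object per rule, carrying the same pieces the portal asks for in sequence.
REQUIRED = ("name", "query", "severity", "category", "frequency",
            "impacted_entities", "actions", "scope", "enabled")
SEVERITIES = {"informational", "low", "medium", "high"}
# Assumed encoding of the run-frequency choices; "0" stands for continuous.
FREQUENCIES = {"0", "1H", "3H", "12H", "24H"}
# Columns a custom-detection query must return so the rule can raise alerts
# (per Microsoft's custom detection rule documentation).
MANDATORY_COLUMNS = ("Timestamp", "ReportId")


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule is ready to submit."""
    problems = [f"missing field: {key}" for key in REQUIRED if key not in rule]
    if problems:
        return problems  # report structural errors before looking at values
    query = rule["query"]
    if not re.match(r"^\s*[A-Za-z_][A-Za-z0-9_]*", query):
        problems.append("query does not start with a table name")
    for col in MANDATORY_COLUMNS:
        if not re.search(rf"\b{col}\b", query):
            problems.append(f"query must return the {col} column")
    if rule["severity"].lower() not in SEVERITIES:
        problems.append(f"unknown severity: {rule['severity']}")
    if rule["frequency"] not in FREQUENCIES:
        problems.append(f"unknown frequency: {rule['frequency']}")
    if not rule["impacted_entities"]:
        problems.append("at least one impacted entity column is required")
    # The portal only offers entity columns that the query actually returns.
    for col in rule["impacted_entities"]:
        if not re.search(rf"\b{re.escape(col)}\b", query):
            problems.append(f"impacted entity {col} is not a column of the query")
    if not isinstance(rule["enabled"], bool):
        problems.append("enabled must be true or false")
    return problems


def lint_repo(text):
    """Lint every rule in a JSON array; returns {rule name: [problems]}."""
    return {r.get("name", f"<rule {i}>"): lint_rule(r)
            for i, r in enumerate(json.loads(text))}


# Constructed sample repo content: one rule that passes, one that fails.
SAMPLE_RULES = json.dumps([
    {
        "name": "PowerShell download cradle",
        "query": "DeviceProcessEvents\n"
                 "| where ProcessCommandLine has_all ('powershell', 'DownloadString')\n"
                 "| project Timestamp, ReportId, DeviceId, AccountUpn, ProcessCommandLine",
        "severity": "medium",
        "category": "Execution",
        "frequency": "1H",
        "impacted_entities": ["DeviceId", "AccountUpn"],
        "actions": ["isolate_device"],
        "scope": "all_devices",
        "enabled": True,
    },
    {
        "name": "Broken rule",
        "query": "DeviceLogonEvents\n"
                 "| where LogonType == 'RemoteInteractive'\n"
                 "| project Timestamp, DeviceId",
        "severity": "critical",
        "category": "Lateral Movement",
        "frequency": "1H",
        "impacted_entities": ["AccountUpn"],
        "actions": [],
        "scope": "all_devices",
        "enabled": True,
    },
])

if __name__ == "__main__":
    for name, problems in lint_repo(SAMPLE_RULES).items():
        print(name, "OK" if not problems else problems)
```

Run as a pipeline step, a non-empty problem list fails the build, so a rule never leaves the repo unless it carries everything the portal would have asked for; the actual submission step is whatever tooling or API the reader uses, which the script does not assume.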
Jul 11 2023 01:24 AM
Jul 11 2023 01:40 AM
Jul 11 2023 01:44 AM - edited Jul 11 2023 01:44 AM
???? WHAT???! This is not even touching the topic.....