Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

M365 Defender custom queries host in Azure Devops repo

Copper Contributor

Hello community!

I'm looking for possible solution to have custom detection rules host in Azure DevOps repo with possibility to push them directly into Defender - something like Community queries works (if it works like that). I tried to search across internet and MS documentation but haven't find anything like that. Is it even possible? Could you please guide me or point into some documentation/articles ?

Thanks in advance! 

4 Replies

     Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints.
*To create a custom detection rule, you need to prepare the query in the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. Then you need to provide alert details, choose the impacted entities, specify actions, set the rule scope, and review and turn on the rule.
* To manage custom detections, you need to be assigned one of these roles: Security settings (manage), Security administrator, or Security operator.
* Defender for DevOps allows you to manage your connected environments and provides your security teams with a high level overview of discovered issues that may exist within them through the Defender for DevOps console.

documentation and articles
- Create and manage custom detection rules in Microsoft 365 Defender. https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w....
- Microsoft Defender for DevOps - the benefits and features. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-devops-introduction.
- Create and manage custom detections rules - GitHub. https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender/cust....

Thanks but what you have posted here has actually nothing to do with my question :). I'm looking for more like "TH rules as code" approach, I'm fully aware how to create custom rule..
- Rules as Code’ will let computers apply laws and regulations. But. https://theconversation.com/rules-as-code-will-let-computers-apply-laws-and-regulations-but-over-rig....
- Four things you should know about Rules as Code. https://govinsider.asia/inclusive-gov/four-things-you-should-know-about-rules-as-code/.
- Cracking the Code: Rulemaking for humans and machines. https://oecd-opsi.org/publications/cracking-the-code/.

???? WHAT???! This is not even touching the topic.....