This chapter covers custom detection rules in Microsoft Defender XDR, a critical skill for the SC-200 exam. Custom detection rules allow you to define your own threat detection logic using Kusto Query Language (KQL), extending beyond built-in detections. Approximately 15-20% of exam questions touch on custom detection rules, including writing KQL queries, configuring alert settings, and managing rules in the Microsoft 365 Defender portal. Mastering this topic is essential for automating incident response and tailoring detections to your environment.
Jump to a section
Imagine a large office building with a security guard at the front desk. The guard has a standard rulebook: check ID, log visitors, and call the contact person. But the building manager wants additional security: if someone enters with a red badge after 6 PM, the guard must immediately call the manager. To implement this, the manager writes a custom script for the guard: 'If time > 18:00 and badge color = red, then call manager (including badge number and timestamp).' The guard follows this script exactly as written. If the script says 'call manager' but doesn't specify how long to wait for a response, the guard might wait indefinitely or hang up after 30 seconds—depending on the script's details. Similarly, in Microsoft Defender XDR, custom detection rules are Kusto Query Language (KQL) scripts that define conditions and actions. The detection engine runs these scripts against security data, and if the condition matches, it triggers an alert or automated response. The rules can be tuned with thresholds, time windows, and suppression logic, just like the guard's script can specify 'call manager within 5 seconds, and if no answer, send an email.' The guard doesn't think—he just executes. The detection engine doesn't interpret—it matches patterns exactly.
What Are Custom Detection Rules and Why Do They Exist?
Custom detection rules in Microsoft Defender XDR are user-defined KQL queries that run periodically against security data from across the Microsoft 365 ecosystem. They exist because built-in detections cannot cover every organization's unique threat landscape—specific software, custom applications, or internal policies require tailored detection logic. For example, you might want to detect when a non-admin user creates a new Azure AD role assignment, which is not covered by default rules.
How Custom Detection Rules Work Internally
Each custom detection rule is essentially a scheduled query. The Microsoft 365 Defender backend uses a scheduler to run these queries at defined intervals (every 1, 6, 12, or 24 hours). The query executes against the Advanced Hunting schema, which includes tables like DeviceProcessEvents, EmailEvents, IdentityLogonEvents, and AlertInfo. When the query returns results (i.e., rows of data), the detection engine evaluates whether the number of results exceeds a specified threshold. If it does, an alert is generated, and optionally, an automated action (playbook) can be triggered.
Step-by-Step Mechanism
Rule Creation: An analyst writes a KQL query in the Microsoft 365 Defender portal under Hunting > Custom detection rules. The query must return a table with columns that map to alert properties (e.g., Timestamp, AlertTitle, Severity, Category, EntityType, EntityId).
Scheduling: The rule runs at the chosen frequency. The scheduler uses a cron-like mechanism (though not directly exposed). For example, a 1-hour frequency runs at minute 0 of each hour. The query looks back over a time window equal to the frequency (e.g., last 1 hour for hourly rules) plus an additional 5-minute delay to account for data ingestion latency.
Query Execution: The KQL query is executed against the Advanced Hunting tables. The query must be performant—Microsoft imposes a 10-minute timeout and a 100,000 rows return limit. If the query exceeds these limits, it may be skipped or truncated.
Alert Generation: If the query returns at least one row (or more than a specified threshold), an alert is created. The alert severity is determined by a field in the query result (Severity column) or a default value. The alert is then visible in the Incidents queue.
Suppression: If the same rule fires repeatedly for the same entity (e.g., same user or device), suppression logic prevents alert fatigue. The rule can be configured to suppress alerts for a specified duration after an alert is generated (default 1 hour, max 24 hours).
Key Components, Values, Defaults, and Timers
Frequency: 1h, 6h, 12h, 24h. Default is 24h.
Alert threshold: Minimum number of results to trigger an alert. Default is 1.
Suppression duration: Time to suppress alerts for the same entity. Default is 1 hour.
Query timeout: 10 minutes (hard limit).
Max results: 100,000 rows (if exceeded, query may fail).
Data retention: Advanced Hunting data retention varies by table (30 days for most). Custom detection rules only query data within the retention window.
Alert severity: Can be Informational, Low, Medium, High, or Critical. Mapped from the Severity column in the query result. If not provided, defaults to Medium.
Alert category: Mapped from the Category column. Examples: Malware, SuspiciousActivity, UnwantedSoftware.
Required columns: Timestamp, AlertTitle, Severity, Category, Recommendation, EntityType, EntityId, EntityName, EntityRole, EntitySubType. If any of these are missing, the rule may fail or produce incomplete alerts.
Configuration and Verification Commands
To create a custom detection rule: 1. Navigate to Microsoft 365 Defender > Hunting > Custom detection rules. 2. Click + Create. 3. Provide a name and description. 4. Write the KQL query in the editor. Example:
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe" and ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, AlertTitle="Suspicious PowerShell", Severity="High", Category="Malware", Recommendation="Investigate this device", EntityType="Machine", EntityId=DeviceId, EntityName=DeviceName, EntityRole="", EntitySubType=""Set frequency, threshold, suppression, and alert settings.
Test the query using the Test button to see sample results.
Save and enable the rule.
To verify the rule is running: Check the Custom detection rules page—the rule status should show Active. You can also use Advanced Hunting to query AlertInfo for alerts generated by your rule:
AlertInfo
| where Title contains "YourRuleName"How Custom Detection Rules Interact with Related Technologies
Custom detection rules integrate with: - Advanced Hunting: The underlying data source. The query language is KQL, and the schema is identical to Advanced Hunting. - Incidents and Alerts: Alerts generated by custom rules appear in the Incidents queue, linked to entities (users, devices). They can be triaged and managed like built-in alerts. - Automated Investigation and Response (AIR): Custom rules can trigger automated playbooks (e.g., isolate a device, disable a user account). This is configured in the rule's Actions tab. - Microsoft Sentinel: Custom detection rules can be exported to Sentinel as analytics rules, though the KQL syntax may need adjustment. - Microsoft Graph Security API: Alerts from custom rules are accessible via the API for integration with SIEMs.
Performance Considerations
Query efficiency: Poorly written KQL can slow down the entire detection engine. Avoid cross-cluster queries and large join operations without time filters.
Data volume: Rules that query high-volume tables (e.g., DeviceNetworkEvents) without filtering can hit the 100,000-row limit.
Frequency trade-off: More frequent rules catch threats faster but consume more resources. Use 1-hour frequency only for critical detections.
Common Pitfalls
Missing required columns: The alert will not be created. Always include Timestamp, AlertTitle, Severity, Category, EntityType, EntityId.
Incorrect severity mapping: Use numeric values? No, severity must be a string: "Informational", "Low", "Medium", "High", "Critical".
Suppression misconfiguration: If suppression is too long, you may miss repeated attacks. If too short, alert fatigue.
Threshold set to 0: The rule will never fire because threshold must be >=1.
Exam-First Structure
The SC-200 exam expects you to:
Understand the purpose and capabilities of custom detection rules.
Know the required columns for alert creation.
Interpret KQL queries used in custom detection rules.
Troubleshoot rules that are not generating alerts.
Differentiate custom detection rules from built-in detections and Microsoft Sentinel analytics rules.
Trap Patterns
Question: "Which column is required for a custom detection rule to generate an alert?" Wrong answer: AlertId (not required—AlertTitle is). Correct: Timestamp.
Question: "What is the default suppression duration?" Wrong answer: 24 hours. Correct: 1 hour.
Question: "Can custom detection rules trigger automated actions?" Wrong answer: No, only alerts. Correct: Yes, via playbooks.
Edge Cases the Exam Loves
Rule fails due to query timeout: The exam may ask what happens—alert is not generated, and a failure is logged. You can view failures in the rule's history.
Data not yet ingested: If the query runs immediately after a data source is added, it may return no results. The rule will still run, but no alert. The exam may test that you need to wait for data.
Multiple entities in one alert: If the query returns multiple rows with different entities, a single alert is created with multiple entities. The exam might ask about alert grouping.
How to Eliminate Wrong Answers
If the question mentions "custom detection rule" and "threshold", remember default is 1.
If the question asks about frequency, know that 1 hour is the minimum.
If the question asks about suppression, think of it as per-entity suppression, not global.
If the question asks about KQL, look for the required columns pattern.
Define the Detection Objective
Identify the specific threat scenario you want to detect. For example, 'Detect when a non-admin user creates a new Azure AD role assignment.' This objective drives the KQL query logic. Consider the data sources available (e.g., CloudAppEvents, IdentityDirectoryEvents). Define the entities involved (user, device, IP) and the time window. The objective must be precise enough to avoid false positives—e.g., exclude known admin accounts. This step is crucial because a vague objective leads to a noisy rule.
Write the KQL Query
Open the Microsoft 365 Defender portal, go to Hunting > Advanced Hunting, and write a query that returns the desired events. For the example, use CloudAppEvents and filter for 'Add member to role' activity. The query must include the required alert columns: Timestamp, AlertTitle, Severity, Category, Recommendation, EntityType, EntityId, EntityName, EntityRole, EntitySubType. Test the query to ensure it returns expected results. Use the 'ago()' function to limit time range. For a 1-hour frequency, use 'Timestamp > ago(1h)'. Ensure the query completes within 10 minutes and returns fewer than 100,000 rows.
Configure Rule Settings
In the custom detection rule creation wizard, set the rule name, description, and severity mapping. Choose the frequency (e.g., every 1 hour). Set the alert threshold—default is 1, meaning any result triggers an alert. Configure suppression duration to prevent repeated alerts for the same entity (default 1 hour). Optionally, select automated actions like running a playbook (e.g., disable the user account). Under 'Actions', you can link to a Microsoft Sentinel playbook or a Power Automate flow. Ensure the rule is enabled after creation.
Test the Rule
Use the 'Test' button in the rule editor to execute the query against historical data. The test will show sample results and any errors. Verify that the required columns are present and correctly formatted. Check that the alert title and severity are as expected. If the test returns no results, adjust the query or time range. Testing is critical because a rule that fails to generate alerts due to a syntax error will not be detected until you check the rule history.
Monitor and Tune the Rule
After enabling the rule, monitor the Microsoft 365 Defender Alerts queue for generated alerts. Use Advanced Hunting to query AlertInfo for alerts from your rule. If false positives occur, adjust the query to add more filters (e.g., exclude specific IPs). If the rule misses true positives, broaden the query or reduce the threshold. Check the rule's history for failures (e.g., query timeout, missing columns). You can also export the rule to Microsoft Sentinel for advanced tuning with fusion and anomaly detection.
Enterprise Scenario 1: Detecting Suspicious PowerShell Usage
A large financial institution wants to detect when any employee runs PowerShell with an encoded command, which is a common technique for malware execution. The SOC team creates a custom detection rule using DeviceProcessEvents. The query filters for FileName == "powershell.exe" and ProcessCommandLine contains "-EncodedCommand". The rule is set to run every 1 hour with a threshold of 1. Suppression is set to 1 hour to avoid duplicate alerts for the same device. In production, this rule generates about 50 alerts per day, but many are false positives from IT admins. The team tunes the query by excluding certain admin accounts using a join with IdentityInfo. The rule is integrated with a playbook that automatically isolates the device if the alert severity is High. Performance is manageable because the query uses a time filter and an indexed column (FileName).
Enterprise Scenario 2: Detecting Privileged Role Assignments
A government agency needs to detect when a non-admin user adds a member to the Global Administrator role in Azure AD. The SOC creates a custom detection rule using CloudAppEvents. The query filters for ActivityType == "Add member to role" and targets the Global Administrator role. The rule runs every 6 hours (since role changes are less frequent). The threshold is 1, but suppression is set to 24 hours to avoid alerting on the same change multiple times. In production, this rule catches a malicious insider who added a backdoor account. The rule is configured to trigger a playbook that disables the new admin account and sends an email to the SOC. One challenge is that the query must exclude legitimate changes made by authorized admins—this is done by joining with a custom table of approved admin accounts.
Common Misconfigurations
Query returns too many rows: A rule that queries DeviceNetworkEvents without filtering can hit the 100,000-row limit, causing the rule to fail. Mitigation: add filters like Protocol or LocalIP.
Incorrect time range: Using ago(7d) for a 1-hour frequency will re-query the same data repeatedly, wasting resources. Always match the time range to the frequency.
Missing required columns: The alert will not be created, but the rule may still run. The failure is logged but easy to miss. Always test the query with the required columns.
Scale and Performance
Custom detection rules are designed for moderate scale. An organization with 10,000 devices running 20 custom rules at 1-hour frequency will have 20 queries per hour, each scanning the last hour's data. This is well within Microsoft's backend capacity. However, if you have 200 rules at 1-hour frequency, you may experience throttling. Microsoft recommends using Microsoft Sentinel for high-volume or complex detections.
What SC-200 Tests on This Topic (Objective 1.1)
The SC-200 exam objective 1.1 is 'Design and configure Microsoft Defender XDR detections and alerts.' Custom detection rules are a core component. The exam tests your ability to:
Create and manage custom detection rules.
Write KQL queries that generate alerts with required columns.
Troubleshoot rules that fail to generate alerts.
Understand the relationship between custom detection rules and Advanced Hunting.
Configure alert suppression and thresholds.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong Answer: 'Custom detection rules can only be created in Microsoft Sentinel.' Why chosen: Candidates confuse Defender XDR with Sentinel. Reality: Custom detection rules are native to Defender XDR.
2. Wrong Answer: 'The default suppression duration is 24 hours.' Why chosen: Many assume a day is standard. Reality: It's 1 hour.
3. Wrong Answer: 'The query must return a single row to trigger an alert.' Why chosen: Misunderstanding of threshold. Reality: Threshold is configurable, default is 1.
4. Wrong Answer: 'Custom detection rules cannot trigger automated actions.' Why chosen: They think only built-in rules can. Reality: You can attach playbooks.
Specific Numbers and Terms That Appear on the Exam
Frequency options: 1h, 6h, 12h, 24h (know them all).
Required columns: Timestamp, AlertTitle, Severity, Category, EntityType, EntityId (especially these six).
Default threshold: 1.
Default suppression: 1 hour.
Query timeout: 10 minutes.
Max results: 100,000 rows.
Severity values: Informational, Low, Medium, High, Critical.
Edge Cases and Exceptions
What if the query returns no rows? No alert is generated. The rule still runs successfully.
What if the query returns rows but missing required columns? The alert is not created, and an error is logged.
What if the rule fails due to timeout? The rule is marked as failed in the history, and no alert is generated. You can view the failure details.
Can you have multiple custom detection rules with the same name? No, names must be unique.
Can you edit a rule after creation? Yes, but changes take effect on the next scheduled run.
How to Eliminate Wrong Answers
If a question mentions 'custom detection rule' and 'automated response', look for 'playbook' or 'action' in the answer.
If a question asks about 'required columns', eliminate any answer that doesn't include Timestamp and AlertTitle.
If a question asks about 'frequency', remember that 1 hour is the shortest, 24 hours is the longest.
If a question asks about 'suppression', think of it as per-entity, not per-rule.
If a question asks about 'threshold', default is 1, but it can be higher.
Exam Tip
When you see a KQL query in an exam question, check if the required columns are projected. If not, that is likely the reason the rule fails. Also, look for Severity being set to a numeric value—that is incorrect; it must be a string.
Custom detection rules are scheduled KQL queries that generate alerts when results exceed a threshold.
Required columns for alert generation: Timestamp, AlertTitle, Severity, Category, EntityType, EntityId.
Default frequency is 24 hours; minimum is 1 hour.
Default alert threshold is 1; suppression duration default is 1 hour.
Query timeout is 10 minutes; max results returned is 100,000 rows.
Rules can trigger automated playbooks (actions).
Severity must be a string: Informational, Low, Medium, High, Critical.
Suppression is per entity, not per rule.
Rules are not real-time; there is always a delay equal to the frequency.
Check rule history for failures; no automatic email notification.
These come up on the exam all the time. Here's how to tell them apart.
Custom Detection Rules (Defender XDR)
Native to Microsoft 365 Defender portal.
Uses Advanced Hunting schema (KQL).
Scheduled frequencies: 1h, 6h, 12h, 24h.
Alert severity mapped from query result.
Limited to Defender XDR data sources.
Analytics Rules (Microsoft Sentinel)
Part of Microsoft Sentinel (Azure portal).
Uses Log Analytics workspace schema (KQL).
Scheduled frequencies: every 5 min to 14 days.
Alert severity configured in rule settings.
Can ingest data from multiple sources (firewalls, syslog, etc.).
Mistake
Custom detection rules can only use data from Microsoft Defender for Endpoint.
Correct
They can query any table in the Advanced Hunting schema, including EmailEvents, IdentityLogonEvents, CloudAppEvents, and more.
Mistake
The suppression duration applies to the entire rule, not per entity.
Correct
Suppression is per entity (e.g., per device or user). If the same entity triggers the rule again within the suppression window, no alert is generated.
Mistake
You must set the threshold to 0 to always generate an alert.
Correct
Threshold must be at least 1. Setting it to 0 is invalid and the rule will never fire.
Mistake
Custom detection rules run in real-time.
Correct
They are scheduled queries, not real-time. The minimum frequency is 1 hour, so there is always a delay.
Mistake
If a custom detection rule fails, you will receive an email notification.
Correct
There is no automatic notification. You must check the rule history in the portal to see failures.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The required columns are: Timestamp, AlertTitle, Severity, Category, Recommendation, EntityType, EntityId, EntityName, EntityRole, EntitySubType. However, the most critical ones that the exam focuses on are Timestamp, AlertTitle, Severity, Category, EntityType, and EntityId. If any of these are missing, the alert will not be generated. The query must project these columns explicitly.
First, check the rule's history in the Microsoft 365 Defender portal under Hunting > Custom detection rules. Select the rule and view its execution history. Look for failures such as 'Query timeout' or 'Missing required columns'. Also, test the query manually in Advanced Hunting to ensure it returns results. Verify that the rule is enabled and that the data source is available. Check that the time range matches the frequency. If the query returns rows but no alert, ensure the required columns are projected correctly.
Yes, you can configure automated actions in the rule's 'Actions' tab. You can link to a Microsoft Sentinel playbook or a Power Automate flow. For example, you can create a playbook that isolates a device when a certain alert fires. However, the playbook must be created in advance. The exam may test that you can attach a playbook to a custom detection rule.
Custom detection rules in Defender XDR are native to the Microsoft 365 Defender portal and use the Advanced Hunting schema. They are scheduled at fixed frequencies (1h, 6h, 12h, 24h). Analytics rules in Sentinel are part of Azure and use Log Analytics workspaces. They offer more flexibility in scheduling (every 5 minutes to 14 days) and can ingest data from many sources beyond Microsoft 365. Sentinel also provides more advanced analytics like fusion and anomaly detection.
The query may be truncated or may fail entirely. The rule will not generate an alert if the query fails. To avoid this, ensure your query is efficient and filters data appropriately. Use time filters and limit the columns returned. If you need to process large volumes, consider using Microsoft Sentinel instead.
The severity is set by the 'Severity' column in the query result. It must be a string value: 'Informational', 'Low', 'Medium', 'High', or 'Critical'. If the column is missing or has an invalid value, the alert defaults to 'Medium'. In the rule settings, you can also map severity values, but the query column takes precedence.
Yes, you can export the rule as an ARM template and then import it into Sentinel. However, you may need to adjust the KQL query to match the Sentinel schema (e.g., table names might differ). The exam may test that this capability exists, but not the exact steps.
You've just covered Custom Detection Rules in Defender XDR — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?