Microsoft 365 Defender Real-Time Custom Detection Rules Previewed
Microsoft 365 Defender users are getting a public preview of the ability to set custom detection rules for near real-time security events, according to a Monday announcement.
Microsoft described some of the scenarios where custom detection rules in near real time could be used. Organizations may want to check for threat activity after a "recently disclosed vulnerability" becomes known. They also may want to check for, and remove, unwanted e-mails, or block "messages that spoof the recipient from a particular IP subnet."
The custom detection rules in near real time preview for Microsoft 365 Defender users will work "across email, endpoint, and identity, leading to faster response times and faster mitigation of threats," Microsoft promised. IT pros configure a custom rule using a wizard. If the custom rule matches an event, then an alert gets automatically sent.
The near real-time detections get set up using a "Continuous" setting. It's a new option on top of the "every one hour" and "every 24 hours" detection options.
The Continuous option only works with when querying one table using a "supported KQL operator." It doesn’t work with "unions or joins," Microsoft noted in this document, which also listed the supported KQL operators.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.