| title | detectionRule resource type |
|---|---|
| description | Represents a custom detection rule written in Advanced hunting to automatically recognize security events when they occur, and to trigger alerts and response actions. |
| author | mmekler |
| ms.localizationpriority | medium |
| ms.subservice | security |
| doc_type | resourcePageType |
| ms.date | 06/06/2024 |
Namespace: microsoft.graph.security
[!INCLUDE beta-disclaimer]
Represents a custom detection rule written in Advanced hunting to automatically recognize security events when they occur, and to trigger alerts and response actions.
Custom detection rules are types of protection rules that you can design and tweak by using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. A custom detection rule automatically recognizes security events when they occur, and triggers alerts and response actions. You can set them to run at regular intervals, generating alerts and taking response actions whenever matches occur.
Inherits from microsoft.graph.security.protectionRule.
| Method | Return type | Description |
|---|---|---|
| List | microsoft.graph.security.detectionRule collection | Get a list of the microsoft.graph.security.detectionRule objects and their properties. |
| Get | microsoft.graph.security.detectionRule | Read the properties and relationships of a microsoft.graph.security.detectionRule object. |
| Create | microsoft.graph.security.detectionRule | Create a microsoft.graph.security.detectionRule. |
| Update | microsoft.graph.security.detectionRule | Update the properties of a microsoft.graph.security.detectionRule object. |
| Delete | None | Delete a microsoft.graph.security.detectionRule object. |
| Property | Type | Description |
|---|---|---|
| createdBy | String | Name of the user or application that created the rule. Inherited from microsoft.graph.security.protectionRule. |
| createdDateTime | DateTimeOffset | Timestamp of rule creation. Inherited from microsoft.graph.security.protectionRule. |
| detectionAction | microsoft.graph.security.detectionAction | Complex type representing the actions taken when a detection is made by this rule. |
| displayName | String | Name of the rule. Inherited from microsoft.graph.security.protectionRule. |
| id | String | Unique identifier to represent the rule. Inherited from microsoft.graph.entity. |
| isEnabled | Boolean | Indicates whether rule is turned on for the tenant. Inherited from microsoft.graph.security.protectionRule. |
| lastModifiedBy | String | Name of user or application who last updated the rule. Inherited from microsoft.graph.security.protectionRule. |
| lastModifiedDateTime | DateTimeOffset | Timestamp of when the rule was last updated. Inherited from microsoft.graph.security.protectionRule. |
| detectorId | String | The ID of the detector that triggered the alert. Also see the 'detectorId' field in microsoft.graph.security.alert. |
| lastRunDetails | microsoft.graph.security.runDetails | Complex type holding details about the last run of this rule. |
| queryCondition | microsoft.graph.security.queryCondition | Complex type holding data about the advanced hunting query of this rule. |
| schedule | microsoft.graph.security.ruleSchedule | Complex type holding data about the triggering schedule of this rule. |
None.
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.detectionRule",
"id": "String (identifier)",
"displayName": "String",
"isEnabled": "Boolean",
"detectorId": "String",
"createdBy": "String",
"createdDateTime": "String (timestamp)",
"lastModifiedDateTime": "String (timestamp)",
"lastModifiedBy": "String",
"queryCondition": {
"@odata.type": "microsoft.graph.security.queryCondition"
},
"schedule": {
"@odata.type": "microsoft.graph.security.ruleSchedule"
},
"lastRunDetails": {
"@odata.type": "microsoft.graph.security.runDetails"
},
"detectionAction": {
"@odata.type": "microsoft.graph.security.detectionAction"
}
}