Detection Rules
Defend evaluates endpoint telemetry against 157+ detection rules to identify threats. Rules range from signature-based IOC matches to behavioral anomaly detection powered by AI.
Rule Types
Signature-Based Rules
Match specific indicators of compromise — file hashes, IP addresses, domains, registry keys, or command-line patterns known to be malicious.
Example: A process writes files whose names carry a known ransomware extension pattern (.encrypted, .locked, .crypted).
Behavioral Rules
Detect suspicious sequences of events regardless of the specific tool used. These rules look for techniques, not signatures.
Example: A process spawns PowerShell with an encoded command, which then makes an outbound HTTP connection to a non-standard port.
Anomaly Rules (AI Baseline Deviation)
Triggered when a device's current behavior deviates significantly from its established behavioral baseline. These rules use the AI anomaly score.
Example: A workstation that normally runs 15 processes suddenly spawns 80+ processes including reconnaissance tools — the anomaly score exceeds the threshold.
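The three rule types above differ in what they evaluate: a fixed indicator, an ordered sequence of events, or a distance from a learned baseline. The following Python is an added illustration of that difference, not Defend's detection engine: it runs a toy version of each rule type over a small set of constructed telemetry events. The event field names (`ts`, `type`, `pid`, `cmd`, `dport`, ...), the 5-minute correlation window, the "standard" port set and the anomaly threshold are all assumptions chosen for the example.

```python
"""Toy evaluators for the three rule types (signature IOC match, behavioral
event sequence, anomaly-score baseline deviation). Added illustration, not
Defend's engine; fields, thresholds and telemetry are constructed."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2024, 1, 1, 9, 0, 0)

# Constructed telemetry from one device: process starts, file writes, connections.
EVENTS = [
    {"ts": T0, "type": "process", "pid": 100, "name": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"ts": T0 + timedelta(seconds=20), "type": "network", "pid": 100,
     "dst": "203.0.113.10", "dport": 8443},
    {"ts": T0 + timedelta(minutes=1), "type": "file", "pid": 200,
     "name": "unknown.exe", "path": r"C:\Users\alice\Documents\q1.xlsx.locked"},
    {"ts": T0 + timedelta(minutes=2), "type": "network", "pid": 300,
     "dst": "198.51.100.5", "dport": 443},
    {"ts": T0 + timedelta(minutes=3), "type": "process", "pid": 400,
     "name": "powershell.exe", "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

RANSOMWARE_EXTENSIONS = (".encrypted", ".locked", ".crypted")
STANDARD_PORTS = {80, 443}  # assumption: anything else counts as non-standard


def signature_rule(events):
    """Signature rule: file writes whose target ends in a known ransomware extension."""
    return [e for e in events
            if e["type"] == "file" and e["path"].lower().endswith(RANSOMWARE_EXTENSIONS)]


def _has_encoded_command(cmd):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    return any(len(t) >= 2 and "-encodedcommand".startswith(t) for t in cmd.lower().split())


def behavioral_rule(events, window=timedelta(minutes=5)):
    """Behavioral rule: a PowerShell process started with an encoded command that
    then opens an outbound connection to a non-standard port within `window`.
    Returns (process_event, network_event) pairs; the tool name does not matter
    beyond the launcher, so any payload delivered this way is caught."""
    hits = []
    for p in events:
        if p["type"] != "process" or "powershell" not in p["name"].lower():
            continue
        if not _has_encoded_command(p["cmd"]):
            continue
        for n in events:
            if (n["type"] == "network" and n["pid"] == p["pid"]
                    and p["ts"] <= n["ts"] <= p["ts"] + window
                    and n["dport"] not in STANDARD_PORTS):
                hits.append((p, n))
    return hits


def anomaly_rule(baseline_counts, current_count, threshold=3.0):
    """Anomaly rule: score = how many baseline standard deviations the current
    process count sits above the baseline mean; fires when score > threshold."""
    mu, sigma = mean(baseline_counts), pstdev(baseline_counts)
    sigma = max(sigma, 1.0)  # guard against a perfectly flat baseline
    score = (current_count - mu) / sigma
    return score, score > threshold


if __name__ == "__main__":
    print("signature hits:", [e["path"] for e in signature_rule(EVENTS)])
    print("behavioral hits:", [(p["pid"], n["dport"]) for p, n in behavioral_rule(EVENTS)])
    print("anomaly (baseline ~15 procs, now 80):", anomaly_rule([15, 14, 16, 15, 15], 80))
```

The behavioral rule deliberately keys on the launch pattern plus the follow-on connection rather than on a hash, which is the point of technique-based detection: the second PowerShell event (a plain `-File` run with no network activity) does not match, while the encoded launch followed by a connection to port 8443 does.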
Severity Levels
| Severity | Evaluation Frequency | Auto-Response | Action |
|---|---|---|---|
| Critical | Every 1 minute | Auto-isolate (if configured) | Alert created, On-Call paged |
| High | Every 5 minutes | Auto-kill process (if configured) | Alert created |
| Medium | Every 5 minutes | None | Detection created |
| Low | Every 5 minutes | None | Detection created |
| Informational | Every 5 minutes | None | Logged only |
Critical rules run on a faster cadence because they detect active, high-impact attacks (ransomware, credential dumping, lateral movement).
Built-In Rules
Defend ships with 157+ built-in rules maintained by the threat intelligence team. These rules are:
- Mapped to MITRE ATT&CK techniques
- Automatically updated as new threats emerge
- Versioned — you can see when a rule was last updated
- Categorized by tactic and technique
You cannot modify built-in rules, but you can add exclusions to suppress false positives.
Custom Detection Rules
Create your own rules using KQL (Kusto Query Language) queries against your telemetry in ADX (Azure Data Explorer):
- Navigate to Detection Rules → Custom Rules
- Write a KQL query that identifies the behavior you want to detect
- Set the severity level and MITRE technique mapping
- Test the rule against historical telemetry to validate detection rates and false positive rates
- Activate the rule
Example custom rule — detect use of a specific LOLBin:
```kql
// Custom rule: mshta.exe launched with an inline script or remote URL
ProcessEvents
| where process_name == "mshta.exe"
| where command_line has_any ("javascript:", "vbscript:", "http://", "https://")
| where timestamp > ago(5m)   // only look at the most recent evaluation window
```
Rule Exclusions
To suppress false positives for known-good software:
- Open the detection or rule that triggered
- Click Add Exclusion
- Define the exclusion criteria (process name, path, hash, command-line pattern, or device group)
- The exclusion applies to that rule only — other rules are unaffected
Rule Testing
Before activating a custom rule, test it against historical telemetry:
- Click Test Rule on the custom rule editor
- Select a time range (last 24 hours, 7 days, or 30 days)
- Review the matches — check for false positives and missed detections
- Adjust the query and retest until satisfied
Rule Update Notifications
When built-in rules are updated, you'll see a notification in the Defend console with:
- Which rules changed and what was updated
- New techniques added
- Rules deprecated (with replacement references)
Next Steps
- Behavioral AI — Anomaly-based detection details
- Threat Investigation — Investigating detections
- IOC Feeds — Indicator feeds that power signature rules