Domain 2 of 4 · Chapter 2 of 3

Configure Detections in Microsoft Defender XDR

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • Three detection-engineering jobs in Defender XDR
  • Custom detection rules: query, frequency, actions
  • Alert tuning: hide, resolve, or set as behavior
  • Alert correlation and incident merging
  • Deception: decoys, lures, and rules
  • Exam pattern recognition

Three detection-engineering jobs in Defender XDR

JobCustom detection rulesAlert management (tuning + correlation)Deception rules
What you buildA scheduled KQL query that alertsConditions that hide/resolve/reclassify, plus incident links/mergesDecoy accounts/hosts and planted lures
Primary goalDetect new threats from your own logicCut noise and tell one coherent attack storyEarly-warning trap for attacker recon
Key controlFrequency: Continuous (NRT) to Every 24 hoursHide / Resolve / Set as behavior; link / mergeDefault rule plus up to 10 rules
OutputAlerts (ea-prefixed) plus optional auto-responseFewer, better-grouped incidentsHigh-confidence alert on any interaction
Hard limit150 alerts per runManual merge up to 5 incidents at onceLures on onboarded Windows clients only

Decision tree

What is the goal?detect, de-noise, group, or trapDetect from my logiccustom detection ruleDetectCut known noisealert tuningDe-noiseDeception ruledecoys + lures, early warningTrap attackerSingle table, no joins?NRT eligibilityContinuous (NRT)near real-timeYesScheduled tier1h / 3h / 12h / 24hNoHide / Resolve /Set as behaviorAlerts are one attack?correlation groups themGroupManual merge (up to 5)if auto-merge was blockedCustom rule actions can isolate device, disable user, or delete email

Cheat sheet

  • A custom detection rule is a scheduled advanced hunting query that alerts and acts
  • Custom detection rules run at one of five frequencies
  • Continuous (NRT) frequency needs a single table with no joins
  • Custom frequency from 5 minutes to 14 days is Sentinel-data only
  • Each custom detection rule generates at most 150 alerts per run
  • Custom detection rules can auto-respond on devices, files, users, and emails
  • Custom detection alerts carry an ea-prefixed alert ID
  • Managing custom detections needs the manage security settings permission
  • Alert tuning is the current name for alert suppression
  • Alert tuning rules do one of three actions: Hide, Resolve, or Set as behavior
  • Alert tuning hides noise but never deletes the telemetry
  • Tuning automates future matches; classification only records a verdict
  • Defender XDR ships built-in alert tuning rules for common benign activity
  • Correlation places each alert into a new or existing incident
  • Correlation keys on shared entities, artifacts, time, and attack sequence
  • Merging migrates a source incident into a target and closes the source
  • Several conditions block an automatic incident merge
  • You can manually merge up to five incidents at once
  • Every alert must belong to an incident, so you link rather than orphan it
  • Only the primary Sentinel workspace correlates with Defender XDR alerts
  • Deception plants decoys and lures so any interaction is an attacker
  • Decoys are the fake assets; lures are the breadcrumbs that point to them
  • Enabling deception creates one editable default rule
  • Defender XDR supports up to 10 deception rules
  • Deception lures are planted on onboarded Windows clients
  • Custom detection rules auto-map entities for XDR tables but require manual mapping for Sentinel tables
  • Tune custom detections by editing the query, not with suppression
  • Automatic attack disruption marks the incident with an Attack Disruption tag and a yellow banner

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules
  2. https://learn.microsoft.com/en-us/defender-xdr/investigate-alerts
  3. https://learn.microsoft.com/en-us/defender-xdr/alerts-incidents-correlation
  4. https://learn.microsoft.com/en-us/defender-xdr/deception-overview
  5. https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview