Microsoft XDR (Defender) - How to export - Advanced Hunting - Custom Detection Rules

viri4to 10 Reputation points
2024-11-07T15:08:58.0766667+00:00

Hello everyone,

Our team is trying to export the Custom Detection Rules. We have more than 50 rules, so we need an automated process that allows us to export and import the rules.

Currently, we see that the API function that allows this is still in beta: https://learn.microsoft.com/es-es/graph/api/security-detectionrule-get?view=graph-rest-beta&tabs=http.

We would also like to have version control for these rules. The idea would be to export them, upload them to a version control repository, and be able to sync the rules from there for different Microsoft XDR tenants. This would be similar to what exists with Analytics rules in Sentinel, which can be deployed through GitHub or Azure DevOps.

Any idea how we could achieve this without using the beta version of Graph or if there are plans for the API to launch stable versions?

thx
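One way to get the export/version-control/sync workflow the question describes, using only the beta endpoint the post links to (added example, not code from the original post or from Microsoft). The endpoint path `/security/rules/detectionRules`, the paging via `@odata.nextLink`, the `CustomDetection.ReadWrite.All` permission and the top-level property names follow the beta `detectionRule` resource; which fields are stripped before committing, the one-file-per-rule layout, matching rules on `displayName`, and the two sample rules are this example's own assumptions and constructed data. The fetch step takes an injected `get_json` callable so the paging and diff logic can run offline; `graph_getter` shows the real-tenant wiring.

```python
"""Export Microsoft Defender XDR custom detection rules (Graph beta) to per-rule
JSON files for version control, and build the POST/PATCH plan to sync a repo back
into a tenant. Example code for the question above; endpoint and property names
are from the beta detectionRule resource, everything else is this example's choice."""
import json
import re
from pathlib import Path

GRAPH_BETA = "https://graph.microsoft.com/beta"
RULES_URL = f"{GRAPH_BETA}/security/rules/detectionRules"

# Assumed set of run- or tenant-specific fields; stripping them keeps git diffs to
# real rule changes (query, schedule, alert template, enabled flag).
VOLATILE_TOP = {"id", "createdBy", "createdDateTime", "lastModifiedBy",
                "lastModifiedDateTime", "lastRunDetails"}


def graph_getter(token):
    """Return a get_json(url) callable for a real tenant. The app/delegated
    permission CustomDetection.ReadWrite.All covers both export and sync."""
    import urllib.request

    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


def fetch_all_rules(get_json, url=RULES_URL):
    """Collect every rule by following @odata.nextLink until it disappears."""
    rules = []
    while url:
        page = get_json(url)
        rules.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rules


def normalize(rule):
    """Copy of a rule without volatile fields, so tenant and repo versions compare."""
    out = {k: v for k, v in rule.items()
           if k not in VOLATILE_TOP and not k.startswith("@odata.")}
    if "schedule" in out:
        out["schedule"] = {k: v for k, v in out["schedule"].items() if k != "nextRunDateTime"}
    if "queryCondition" in out:
        out["queryCondition"] = {k: v for k, v in out["queryCondition"].items()
                                 if k != "lastModifiedDateTime"}
    return out


def rule_filename(rule):
    safe = re.sub(r"[^A-Za-z0-9._-]+", "_", rule["displayName"]).strip("_")
    return f"{safe or 'rule'}.json"


def export_rules(rules, out_dir):
    """Write one normalized JSON file per rule; returns {displayName: Path}."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for r in rules:
        path = out_dir / rule_filename(r)
        path.write_text(json.dumps(normalize(r), indent=2, sort_keys=True) + "\n")
        written[r["displayName"]] = path
    return written


def plan_sync(repo_rules, tenant_rules):
    """Match repo rules to tenant rules on displayName (assumed unique):
    POST rules the tenant lacks, PATCH rules whose content differs, skip the rest.
    Returns a list of (method, url, body)."""
    by_name = {r["displayName"]: r for r in tenant_rules}
    plan = []
    for desired in repo_rules:
        want = normalize(desired)
        current = by_name.get(want["displayName"])
        if current is None:
            plan.append(("POST", RULES_URL, want))
        elif normalize(current) != want:
            plan.append(("PATCH", f"{RULES_URL}/{current['id']}", want))
    return plan


# Constructed sample pages shaped like the beta collection response (two pages).
SAMPLE_PAGES = {
    RULES_URL: {"value": [{
        "id": "1001", "displayName": "Suspicious LSASS access", "isEnabled": True,
        "createdBy": "analyst@contoso.example", "createdDateTime": "2024-10-01T09:00:00Z",
        "lastModifiedDateTime": "2024-11-01T09:00:00Z",
        "queryCondition": {"queryText": "DeviceProcessEvents | where FileName =~ 'procdump.exe' "
                                        "and ProcessCommandLine has 'lsass'",
                           "lastModifiedDateTime": "2024-11-01T09:00:00Z"},
        "schedule": {"period": "1H", "nextRunDateTime": "2024-11-07T16:00:00Z"},
        "detectionAction": {"alertTemplate": {"title": "LSASS dump via procdump",
                                              "severity": "high", "category": "CredentialAccess"}}}],
        "@odata.nextLink": RULES_URL + "?$skiptoken=page2"},
    RULES_URL + "?$skiptoken=page2": {"value": [{
        "id": "1002", "displayName": "Unsigned driver load", "isEnabled": True,
        "lastRunDetails": {"lastRunDateTime": "2024-11-07T15:00:00Z", "status": "completed"},
        "queryCondition": {"queryText": "DeviceEvents | where ActionType == 'DriverLoad'"},
        "schedule": {"period": "24H"}}]},
}


def demo(out_dir=None):
    """Export the sample tenant, simulate repo edits, and return the sync plan."""
    import tempfile
    out_dir = out_dir or tempfile.mkdtemp(prefix="xdr-rules-")
    tenant = fetch_all_rules(SAMPLE_PAGES.__getitem__)
    written = export_rules(tenant, out_dir)
    repo = [json.loads(p.read_text()) for p in written.values()]
    repo[1]["queryCondition"]["queryText"] += " | where Timestamp > ago(1d)"  # edited in git
    repo.append({"displayName": "New rule from repo", "isEnabled": False,
                 "queryCondition": {"queryText": "DeviceEvents | take 1"},
                 "schedule": {"period": "24H"}})
    plan = plan_sync(repo, tenant)
    return {"exported": sorted(p.name for p in written.values()),
            "plan": [(m, u) for m, u, _ in plan]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a second tenant, run `fetch_all_rules(graph_getter(token))` with that tenant's token, feed the repo files to `plan_sync`, and execute the returned requests; review the plan before executing it, since a PATCH replaces the query and schedule of a live detection.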
