Microsoft XDR (Defender) - How to export - Advanced Hunting - Custom Detection Rules
Hello everyone,
Our team is trying to export the Custom Detection Rules. We have more than 50 rules, so we need an automated process that allows us to export and import the rules.
Currently, we see that the API function that allows this is still in beta: https://zcusa.951200.xyz/es-es/graph/api/security-detectionrule-get?view=graph-rest-beta&tabs=http.
We would also like to have version control for these rules. The idea would be to export them, upload them to a version control repository, and be able to sync the rules from there for different Microsoft XDR tenants. This would be similar to what exists with Analytics rules in Sentinel, which can be deployed through GitHub or Azure DevOps.
Any idea how we could achieve this without using the beta version of Graph, or whether there are plans for the API to launch stable versions?
thx