ESC
Type to search...

CustomDetection.ReadWrite.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write All Resources

Allows the app to read and write custom detection rules without a signed-in user.

Permission data: July 5, 2026 at 7:09 PM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read and write all custom detection rules

Allows the app to read and write custom detection rules without a signed-in user.

Delegated Permission Admin consent required

Read and write custom detection rules

Allows the app to read and write custom detection rules on behalf of the signed-in user.

Properties

Microsoft Graph v1.0 endpoint-derived-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
alerts alert collection
alerts_v2 security.alert collection A collection of alerts in Microsoft 365 Defender.
attackSimulation object
cases object
collaboration object
dataSecurityAndGovernance object
id string The unique identifier for an entity. Read-only.
identities object A container for security identities APIs.
incidents security.incident collection A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack.
labels object
secureScoreControlProfiles secureScoreControlProfile collection
secureScores secureScore collection
subjectRightsRequests subjectRightsRequest collection
threatIntelligence object
triggers object

Showing 15 of 16 properties.

JSON Representation

Microsoft Graph v1.0 endpoint-derived-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation
{}

Relationships

Microsoft Graph v1.0 endpoint-derived-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
alerts alert collection Read-only. Nullable.
alertsv2 security.alert collection A collection of alerts in Microsoft 365 Defender.
data security and compliance tenantDataSecurityAndGovernance A container for Microsoft Purview data security and compliance APIs.
identities security.identityContainer A container for security identities APIs.
incidents security.incident collection A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack.
alerts_v2 security.alert collection A collection of alerts in Microsoft 365 Defender.
secureScoreControlProfiles secureScoreControlProfile collection Related secureScoreControlProfiles data exposed by this resource.
secureScores secureScore collection Related secureScores data exposed by this resource.
subjectRightsRequests subjectRightsRequest collection Related subjectRightsRequests data exposed by this resource.
cloudAppSecurityProfiles cloudAppSecurityProfile collection Related cloudAppSecurityProfiles data exposed by this resource.
domainSecurityProfiles domainSecurityProfile collection Related domainSecurityProfiles data exposed by this resource.
fileSecurityProfiles fileSecurityProfile collection Related fileSecurityProfiles data exposed by this resource.
hostSecurityProfiles hostSecurityProfile collection Related hostSecurityProfiles data exposed by this resource.
incidentTasks security.incidentTask collection A collection of tasks associated with security incidents.
ipSecurityProfiles ipSecurityProfile collection Related ipSecurityProfiles data exposed by this resource.
providerTenantSettings providerTenantSetting collection Related providerTenantSettings data exposed by this resource.
securityActions securityAction collection Related securityActions data exposed by this resource.
tiIndicators tiIndicator collection Deprecated. The tiIndicator entity is deprecated and will be removed by April 2026.
userSecurityProfiles userSecurityProfile collection Related userSecurityProfiles data exposed by this resource.
zones security.zone collection A collection of cloud zones in Microsoft Defender for Cloud that group and manage cloud environments across multiple cloud providers.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

No API methods available for this version.

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /security/rules/detectionRules
GET /security/rules/detectionRules/{detectionRuleId}
POST /security/rules/detectionRules
PATCH /security/rules/detectionRules/{detectionRuleId}
DELETE /security/rules/detectionRules/{detectionRuleId}
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaSecurityRuleDetectionRule /security/rules/detectionRules
List detectionRule objects
Get-MgBetaSecurityRuleDetectionRule /security/rules/detectionRules/{detectionRuleId}
Get detectionRule
New-MgBetaSecurityRuleDetectionRule /security/rules/detectionRules
Create detectionRule
Remove-MgBetaSecurityRuleDetectionRule /security/rules/detectionRules/{detectionRuleId}
Delete detectionRule
Update-MgBetaSecurityRuleDetectionRule /security/rules/detectionRules/{detectionRuleId}
Update detectionRule

Code Examples

C# / .NET SDK
Create detectionRule
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models.Security;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new DetectionRule
{
	OdataType = "#microsoft.graph.security.detectionRule",
	Id = "office-encoded-powershell",
	DisplayName = "Suspicious encoded PowerShell from Office",
	QueryCondition = new QueryCondition
	{
		QueryText = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'",
	},
	Schedule = new RuleSchedule
	{
		AdditionalData = new Dictionary<string, object>
		{
			{
				"frequency" , "PT1H"
			},
		},
	},
	DetectionAction = new DetectionAction
	{
		AlertTemplate = new AlertTemplate
		{
			Title = "Suspicious encoded PowerShell from Office",
			Description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
			Severity = AlertSeverity.High,
			RecommendedActions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
			AdditionalData = new Dictionary<string, object>
			{
				{
					"entityMappings" , new UntypedObject(new Dictionary<string, UntypedNode>
					{
						{
							"accounts", new UntypedArray(new List<UntypedNode>
							{
								new UntypedObject(new Dictionary<string, UntypedNode>
								{
									{
										"nameColumn", new UntypedString("AccountName")
									},
									{
										"ntDomainColumn", new UntypedString("AccountDomain")
									},
									{
										"sidColumn", new UntypedString("AccountSid")
									},
								}),
							})
						},
						{
							"hosts", new UntypedArray(new List<UntypedNode>
							{
								new UntypedObject(new Dictionary<string, UntypedNode>
								{
									{
										"deviceIdColumn", new UntypedString("DeviceId")
									},
									{
										"nameColumn", new UntypedString("DeviceName")
									},
								}),
							})
						},
						{
							"files", new UntypedArray(new List<UntypedNode>
							{
								new UntypedObject(new Dictionary<string, UntypedNode>
								{
									{
										"nameColumn", new UntypedString("FileName")
									},
									{
										"sha1Column", new UntypedString("SHA1")
									},
									{
										"sha256Column", new UntypedString("SHA256")
									},
								}),
							})
						},
					})
				},
				{
					"tactics" , new List<object>
					{
						new UntypedObject(new Dictionary<string, UntypedNode>
						{
							{
								"tactic", new UntypedString("Execution")
							},
							{
								"techniques", new UntypedArray(new List<UntypedNode>
								{
									new UntypedObject(new Dictionary<string, UntypedNode>
									{
										{
											"technique", new UntypedString("T1059.001")
										},
									}),
								})
							},
						}),
					}
				},
			},
		},
	},
	AdditionalData = new Dictionary<string, object>
	{
		{
			"description" , "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern."
		},
		{
			"status" , "enabled"
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Rules.DetectionRules.PostAsync(requestBody);
JavaScript
Create detectionRule
const options = {
	authProvider,
};

const client = Client.init(options);

const detectionRule = {
  '@odata.type': '#microsoft.graph.security.detectionRule',
  id: 'office-encoded-powershell',
  displayName: 'Suspicious encoded PowerShell from Office',
  description: 'Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.',
  status: 'enabled',
  queryCondition: {
    queryText: 'DeviceProcessEvents | where InitiatingProcessFileName in~ (\'winword.exe\',\'excel.exe\',\'outlook.exe\') | where FileName == \'powershell.exe\' | where ProcessCommandLine has \'-enc\''
  },
  schedule: {
    frequency: 'PT1H'
  },
  detectionAction: {
    alertTemplate: {
      title: 'Suspicious encoded PowerShell from Office',
      description: 'An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.',
      severity: 'high',
      recommendedActions: 'Investigate the parent Office document, isolate the device, and review the user\'s recent email activity.',
      entityMappings: {
        accounts: [
          {
            nameColumn: 'AccountName',
            ntDomainColumn: 'AccountDomain',
            sidColumn: 'AccountSid'
          }
        ],
        hosts: [
          {
            deviceIdColumn: 'DeviceId',
            nameColumn: 'DeviceName'
          }
        ],
        files: [
          {
            nameColumn: 'FileName',
            sha1Column: 'SHA1',
            sha256Column: 'SHA256'
          }
        ]
      },
      tactics: [
        {
          tactic: 'Execution',
          techniques: [
            {
              technique: 'T1059.001'
            }
          ]
        }
      ]
    }
  }
};

await client.api('/security/rules/detectionRules')
	.version('beta')
	.post(detectionRule);
PowerShell
Create detectionRule
Import-Module Microsoft.Graph.Beta.Security

$params = @{
	"@odata.type" = "#microsoft.graph.security.detectionRule"
	id = "office-encoded-powershell"
	displayName = "Suspicious encoded PowerShell from Office"
	description = "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern."
	status = "enabled"
	queryCondition = @{
		queryText = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'"
	}
	schedule = @{
		frequency = "PT1H"
	}
	detectionAction = @{
		alertTemplate = @{
			title = "Suspicious encoded PowerShell from Office"
			description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution."
			severity = "high"
			recommendedActions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity."
			entityMappings = @{
				accounts = @(
					@{
						nameColumn = "AccountName"
						ntDomainColumn = "AccountDomain"
						sidColumn = "AccountSid"
					}
				)
				hosts = @(
					@{
						deviceIdColumn = "DeviceId"
						nameColumn = "DeviceName"
					}
				)
				files = @(
					@{
						nameColumn = "FileName"
						sha1Column = "SHA1"
						sha256Column = "SHA256"
					}
				)
			}
			tactics = @(
				@{
					tactic = "Execution"
					techniques = @(
						@{
							technique = "T1059.001"
						}
					)
				}
			)
		}
	}
}

New-MgBetaSecurityRuleDetectionRule -BodyParameter $params
Python
Create detectionRule
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.security.detection_rule import DetectionRule
from msgraph_beta.generated.models.security.query_condition import QueryCondition
from msgraph_beta.generated.models.security.rule_schedule import RuleSchedule
from msgraph_beta.generated.models.security.detection_action import DetectionAction
from msgraph_beta.generated.models.security.alert_template import AlertTemplate
from msgraph_beta.generated.models.alert_severity import AlertSeverity
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DetectionRule(
	odata_type = "#microsoft.graph.security.detectionRule",
	id = "office-encoded-powershell",
	display_name = "Suspicious encoded PowerShell from Office",
	query_condition = QueryCondition(
		query_text = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'",
	),
	schedule = RuleSchedule(
		additional_data = {
				"frequency" : "PT1H",
		}
	),
	detection_action = DetectionAction(
		alert_template = AlertTemplate(
			title = "Suspicious encoded PowerShell from Office",
			description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
			severity = AlertSeverity.High,
			recommended_actions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
			additional_data = {
					"entity_mappings" : {
							"accounts" : [
								{
										"name_column" : "AccountName",
										"nt_domain_column" : "AccountDomain",
										"sid_column" : "AccountSid",
								},
							],
							"hosts" : [
								{
										"device_id_column" : "DeviceId",
										"name_column" : "DeviceName",
								},
							],
							"files" : [
								{
										"name_column" : "FileName",
										"sha1_column" : "SHA1",
										"sha256_column" : "SHA256",
								},
							],
					},
					"tactics" : [
						{
								"tactic" : "Execution",
								"techniques" : [
									{
											"technique" : "T1059.001",
									},
								],
						},
					],
			}
		),
	),
	additional_data = {
			"description" : "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.",
			"status" : "enabled",
	}
)

result = await graph_client.security.rules.detection_rules.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for CustomDetection.ReadWrite.All

4

Grant Admin Consent

Application permissions always require admin consent.