Creating Analytic Rules (part 2)
Creating an Analytic Rule
Creating a rule from a rule template
If you want to use a rule template, select the template in the list of rule templates. At the bottom of the details pane on the right side of the screen is a Create rule button; clicking it takes you to the rule creation wizard pages. For templates based on the Fusion and machine learning rule types, the only choice you can make while creating the rule from the template is whether it should be enabled. For the scheduled and Microsoft security rule types, you can modify all of the fields.
Creating a new rule using the wizard
The wizard that Microsoft Sentinel provides to help you create new analytic rules consists of two or four pages, depending on the type of rule being created. Two types of rules can be created with the help of the wizard: Scheduled query and Microsoft incident creation. They are described as follows:
- Creating a scheduled query rule: you create a rule for which you enter your own KQL query, as follows:
- Click the +Create link at the top of the page; a drop-down list appears, from which you select Scheduled query rule.
- After choosing the option from the drop-down list, you are shown the General screen.
- After filling in all the fields, continue by clicking Next: Set rule logic >. On this page you enter your KQL query, map the entities it returns, and set up the schedule and the alert threshold.
- More fields related to Query scheduling and Alert threshold appear if you scroll down the page.
- After filling in all the remaining fields, click Next: Incident Settings > to continue, or click the Previous button at any point if you want to change values on the previous screen.
- The Incident settings page lets you decide whether an alert should create an incident and whether incidents should be grouped together.
- After filling in all the fields, click Next: Automated response > to continue, or the Previous button to go back. The Automated response page lets you choose a playbook, simply by clicking its name, that will run automatically when an alert is generated.
- After filling in all the fields, click Next: Review > to continue, or the Previous button to go back. The Review and create screen shows a summary of all of your choices and validates your entries. If there is a problem, an error message reports the validation failure, with a red dot next to the name of the page that contains the error.
- Finally, once all the details have been filled in and verified, click the Create button to create the new rule.
- Creating a Microsoft incident rule: you create this type of rule as follows:
- Click the +Create link at the top of the page; a drop-down list appears, from which you select Microsoft incident creation rule.
- After choosing the option from the drop-down list, you are shown the General screen.
- After filling in all the fields, continue by clicking Next: Review >. The Review and create screen shows a summary of all of your choices and checks your entries for validity. If there is a problem, an error message reports the validation failure, with a red dot next to the name of the page that contains the error.
- Finally, click the Create button to create the new rule.
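The scheduled query rule that the wizard pages above build up (General, Set rule logic, Incident settings) can also be expressed as code, which is how you would keep analytic rules in version control. The Bicep template below is an added example, not part of the original post and not Microsoft's own content. It assumes a Log Analytics workspace with Microsoft Sentinel enabled, named by the workspaceName parameter, that the SigninLogs table is being ingested, and it uses a placeholder rule GUID and illustrative thresholds; the API version is also an assumption.

```bicep
// Added example (not from the original post): a scheduled analytic rule as a Bicep template.
// Assumptions: a Sentinel-enabled workspace named by workspaceName, the SigninLogs table
// is connected, the rule GUID and thresholds are illustrative placeholders, and the
// API version is assumed to be available in your environment.
param workspaceName string

// The existing Sentinel-enabled workspace that the rule is scoped to.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource failedSignInRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: '11111111-2222-3333-4444-555555555555' // placeholder; use one stable GUID per rule
  kind: 'Scheduled'
  properties: {
    // "General" page of the wizard
    displayName: 'Repeated failed sign-ins for one account (example)'
    description: 'Fires when a single account accumulates 20 or more failed sign-ins within the query period.'
    severity: 'Medium'
    enabled: true // the "Disable" action in the Active rules menu sets this to false
    tactics: [ 'CredentialAccess' ]
    techniques: [ 'T1110' ]

    // "Set rule logic" page: the KQL query. In SigninLogs, ResultType "0" is a successful sign-in.
    query: '''
SigninLogs
| where ResultType != "0"
| summarize FailedAttempts = count(), SourceIPs = make_set(IPAddress, 10) by UserPrincipalName
| where FailedAttempts >= 20
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]),
         AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
'''
    // Entity mapping: which query columns identify the Account entity.
    entityMappings: [
      {
        entityType: 'Account'
        fieldMappings: [
          { identifier: 'Name', columnName: 'AccountName' }
          { identifier: 'UPNSuffix', columnName: 'AccountUPNSuffix' }
        ]
      }
    ]
    // Query scheduling: run every hour over the last hour of data (ISO 8601 durations).
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    // Alert threshold: any returned row raises an alert; the >= 20 cut-off lives in the query.
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'

    // "Incident settings" page
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: true
        matchingMethod: 'AllEntities' // one incident per affected account within the lookback window
        lookbackDuration: 'PT5H'
        reopenClosedIncident: false
      }
    }
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file rule.bicep --parameters workspaceName=<workspace>`. The Automated response page has no counterpart in this resource: playbooks are attached through a separate automation rule, so the template covers only the first three wizard pages. Keeping the alert threshold at GreaterThan 0 and putting the real cut-off in the query makes the detection logic readable in one place and keeps the query's output rows (one per account) aligned with the entity mapping.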
Managing Analytic Rules
- First, click the Active rules link.
- Then click the context menu to the right of the Last Modified column in the list of rules to open a drop-down list with the following options:
- Edit: lets you edit the rule and modify any of the fields as required. It takes you through the same pages used to create the rule, with all of the saved parameters, so that you can make the necessary changes and save them.
- Disable: as the name suggests, disables the rule. This is useful if the rule is no longer needed and you want to disable it before deleting it completely, or if you are about to perform an operation that would trigger the rule unnecessarily (remember to re-enable it once the task is done).
- Duplicate: creates an exact copy of the selected rule, which you can then edit. The name is that of the existing rule with "- Copy X" appended, where X is the next number in the series, starting at 1. So if a rule is named Test rule and you duplicate it, the copy is named Test rule - Copy 1; duplicating it again produces Test rule - Copy 2, and so on.
- Delete: deletes the rule after asking for confirmation in a pop-up box. The best practice is to disable the rule for a period of time first, to confirm that it really is no longer needed, before deleting it completely.