Creating Analytic Rules (part 2)

To read part 1, please click here



Creating an Analytic Rule

You can create an analytic rule in one of two ways: from a rule template, or from scratch with the built-in wizard.

Creating a rule from a rule template

To start from a rule template, select the template in the list of rule templates. At the bottom of the details pane on the right side of the screen is a Create rule button, which takes you into the rule creation wizard. How much you can change depends on the rule type behind the template: for Fusion and machine learning behavioral analytics templates, the only decision you make is whether the rule is enabled; for scheduled and Microsoft security templates, every field can be modified.

Creating a new rule using the wizard

Microsoft Sentinel provides a wizard for creating new analytic rules. The number of pages depends on the rule type: a scheduled query rule walks through General, Set rule logic, Incident settings, Automated response and Review and create, while a Microsoft incident creation rule needs only General and Review and create. These two rule types are the ones the wizard can create, and each is described below:

  • Creating a scheduled query rule- This is the rule type in which you supply your own KQL query. Create it as follows- 

  1. Click +Create at the top of the page and choose Scheduled query rule from the drop-down list.
  2. The General page opens. Give the rule a name, description, severity and MITRE ATT&CK tactics, and choose whether it starts enabled.
  3. Once all the fields are filled in, click Next: Set rule logic > to continue. This page is where you enter the KQL query, map the query's columns to entities (accounts, hosts, IP addresses), and set the schedule and alert threshold.
  4. The Query scheduling and Alert threshold fields are further down the same page, so scroll down to reach them. Query scheduling sets how often the rule runs and how far back each run looks; the alert threshold sets how many results the query must return before an alert is raised.
  5. After filling in the remaining fields, click Next: Incident settings > to continue, or Previous to go back and change values on an earlier page (you can do this at any point in the wizard).
  6. The Incident settings page is where you decide whether alerts from this rule create incidents, and whether related alerts should be grouped into a single incident rather than each opening its own.
  7. After filling in the fields, click Next: Automated response > to continue, or Previous to go back. The Automated response page lets you pick a playbook by clicking its name; the playbook then runs automatically whenever the rule generates an alert.   
  8. Click Next: Review > to continue, or Previous to go back. The Review and create page summarizes all of your choices and validates your entries. If validation fails, an error message explains why and a red dot is shown next to the name of the page that contains the problem.
  9. Finally, once everything is filled in and has passed validation, click Create to create the rule. 
  • Creating a Microsoft incident creation rule- This rule type has no query of its own; it turns alerts from a selected Microsoft security product into Sentinel incidents. Create it as follows-
  1. Click +Create at the top of the page and choose Microsoft incident creation rule from the drop-down list.
  2. The General page opens. Here you name the rule, choose the Microsoft security service whose alerts it should pick up, and optionally filter by alert severity or name.
  3. Once all the fields are filled in, click Next: Review > to continue. The Review and create page summarizes your choices and validates your entries. If validation fails, an error message explains why and a red dot is shown next to the name of the page that contains the problem. 
  4. Finally, click Create to create the rule. 
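As an added example that is not part of the original post, here are the same two rules the wizard produces, built outside the portal by sending their definitions to the Microsoft Sentinel alert rules REST API from PowerShell with Invoke-AzRestMethod (Az.Accounts). The subscription, resource group, workspace, API version and the password-spray KQL query are my own placeholders and choices, not anything taken from the post; the property names correspond to the fields each wizard page collects.

```powershell
# Added example: build the rules the wizard produces and send them to the
# Microsoft Sentinel alert rules REST API. Requires Az.Accounts and a prior
# Connect-AzAccount. Every identifier below is a placeholder for this example.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-sentinel'
$workspace      = 'law-sentinel'
$apiVersion     = '2023-02-01'
$base = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$workspace" +
        "/providers/Microsoft.SecurityInsights/alertRules"

function Invoke-SentinelRule {
    param([string]$Method, [string]$RuleId, [hashtable]$Body)
    $call = @{ Method = $Method; Path = "$base/$RuleId?api-version=$apiVersion" }
    if ($Body) { $call.Payload = $Body | ConvertTo-Json -Depth 10 }
    $resp = Invoke-AzRestMethod @call
    # A validation failure (the "red dot" in the wizard) comes back as HTTP 400 with the reason
    if ($resp.StatusCode -ge 300) { throw "$Method $RuleId -> $($resp.StatusCode): $($resp.Content)" }
    if ($resp.Content) { $resp.Content | ConvertFrom-Json }
}

# "Set rule logic": the KQL. Leave out your own TimeGenerated filter; queryPeriod
# below is the lookback Sentinel applies on every run.
$query = @'
SigninLogs
| where ResultType == "50126"   // invalid username or password
| summarize FailedAttempts = count(), DistinctUsers = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by IPAddress
| where DistinctUsers >= 10     // one source IP failing against many accounts
'@

$scheduled = @{
    kind       = 'Scheduled'
    properties = @{
        # General page
        displayName = 'Possible password spray from a single IP'
        description = 'Ten or more distinct accounts failed with error 50126 from one IP in the lookback window.'
        severity    = 'Medium'
        enabled     = $true
        tactics     = @('CredentialAccess')
        # Set rule logic page: query, schedule, threshold, entities
        query            = $query
        queryFrequency   = 'PT1H'         # run every hour (ISO 8601 duration)
        queryPeriod      = 'PT1H'         # look back one hour; must be >= queryFrequency
        triggerOperator  = 'GreaterThan'
        triggerThreshold = 0              # any returned row raises an alert
        suppressionEnabled  = $false
        suppressionDuration = 'PT5H'      # the API requires a value even when suppression is off
        entityMappings = @(
            @{ entityType = 'IP'; fieldMappings = @(@{ identifier = 'Address'; columnName = 'IPAddress' }) }
        )
        eventGroupingSettings = @{ aggregationKind = 'SingleAlert' }   # one alert per run, not per row
        # Incident settings page: create incidents, group alerts on the same IP
        incidentConfiguration = @{
            createIncident        = $true
            groupingConfiguration = @{
                enabled              = $true
                reopenClosedIncident = $false
                lookbackDuration     = 'PT5H'
                matchingMethod       = 'Selected'
                groupByEntities      = @('IP')
            }
        }
    }
}

# Microsoft incident creation rule: no query; it turns alerts from one Microsoft
# product into incidents. productFilter uses the API's product names
# ('Azure Security Center' is today's Microsoft Defender for Cloud).
$incidentCreation = @{
    kind       = 'MicrosoftSecurityIncidentCreation'
    properties = @{
        displayName      = 'Incidents from Microsoft Defender for Cloud alerts'
        enabled          = $true
        productFilter    = 'Azure Security Center'
        severitiesFilter = @('High', 'Medium')
    }
}

# The rule name in the resource path is a GUID you choose; PUT creates or replaces it.
$scheduledRule = Invoke-SentinelRule -Method PUT -RuleId ([guid]::NewGuid()) -Body $scheduled
$incidentRule  = Invoke-SentinelRule -Method PUT -RuleId ([guid]::NewGuid()) -Body $incidentCreation
$scheduledRule, $incidentRule | ForEach-Object { '{0}  {1}' -f $_.name, $_.properties.displayName }
```

The Automated response page has no counterpart in this payload: attaching a playbook is a separate automation rule resource, so it is left out here. Two things worth keeping from the scheduled definition: the query carries no time filter of its own, because queryPeriod is the window Sentinel evaluates on each run, and the threshold is expressed as "more than 0 rows", so the detection logic (how many distinct users counts as a spray) lives in the KQL where it can be tuned.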

Managing Analytic Rules

Once your rules are created, you will need to manage them on an ongoing basis to keep them useful: tune a rule so it produces better results, change the playbook assigned to a scheduled rule, disable a rule, or delete rules that are no longer needed. Only rules listed on the Active rules tab can be managed, as follows:
  1. First, click the Active rules link.
  2. Then click the context menu (the ellipsis) to the right of the Last Modified column in the rule listing. A drop-down list appears with the following options-
  • Edit- Lets you modify any of the rule's fields. It takes you through the same pages used to create the rule, with all of the saved values filled in, so you can make the necessary changes and save them.

  • Disable- Stops the rule from running without deleting it. Use it as a first step before deleting a rule you no longer need, or when you are about to perform an operation that would otherwise trigger the rule unnecessarily (remember to re-enable it once the task is done).

  • Duplicate- Creates an exact copy of the selected rule, which you can then edit. The copy's name is the existing rule's name with - Copy X appended, where X is the next unused number starting at 1. Duplicating a rule named Test Rule therefore produces Test Rule - Copy 1; duplicating it again produces Test Rule - Copy 2, and so on.

  • Delete- Deletes the rule after asking you to confirm in a pop-up box. Deletion is permanent, so the safer practice is to disable the rule first and leave it disabled for a while; if nothing is missed during that period, the rule can be deleted with confidence. 
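As an added example that is not part of the original post, the same four context-menu operations done against the alert rules REST API from PowerShell. It assumes Az.Accounts with Connect-AzAccount already run; the subscription, resource group and workspace names are placeholders, and the rule ID each function takes is the GUID that appears as the rule's name in the listing.

```powershell
# Added example: list, disable/enable, duplicate and delete analytic rules via
# the Microsoft Sentinel REST API. All identifiers below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-sentinel'
$workspace      = 'law-sentinel'
$apiVersion     = '2023-02-01'
$base = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$workspace" +
        "/providers/Microsoft.SecurityInsights/alertRules"

# The Active rules listing; the resource name is the GUID the other functions take.
# (First page only; follow nextLink in a workspace with many rules.)
function Get-SentinelRules {
    $resp = Invoke-AzRestMethod -Method GET -Path "$base?api-version=$apiVersion"
    ($resp.Content | ConvertFrom-Json).value
}

function Get-SentinelRule([string]$RuleId) {
    (Invoke-AzRestMethod -Method GET -Path "$base/$RuleId?api-version=$apiVersion").Content | ConvertFrom-Json
}

# Edit: read, change, write back. lastModifiedUtc is read-only and is dropped; the
# etag read earlier is sent back so a concurrent edit is not silently overwritten.
function Set-SentinelRule([string]$RuleId, $Rule) {
    $Rule.properties.PSObject.Properties.Remove('lastModifiedUtc')
    $body = @{ kind = $Rule.kind; properties = $Rule.properties }
    if ($Rule.etag) { $body.etag = $Rule.etag }
    $resp = Invoke-AzRestMethod -Method PUT -Path "$base/$RuleId?api-version=$apiVersion" `
                                -Payload ($body | ConvertTo-Json -Depth 10)
    if ($resp.StatusCode -ge 300) { throw "PUT $RuleId -> $($resp.StatusCode): $($resp.Content)" }
    $resp.Content | ConvertFrom-Json
}

# Disable (or re-enable once the noisy maintenance task is finished).
function Set-SentinelRuleEnabled([string]$RuleId, [bool]$Enabled) {
    $rule = Get-SentinelRule $RuleId
    $rule.properties.enabled = $Enabled
    Set-SentinelRule $RuleId $rule
}

# Duplicate: same definition under a new GUID, named "<name> - Copy N" with the
# first free N, and created disabled so the copy can be edited before it fires.
function Get-NextCopyName([string]$Name, [string[]]$Existing) {
    $n = 1
    while ($Existing -contains "$Name - Copy $n") { $n++ }
    "$Name - Copy $n"
}
function Copy-SentinelRule([string]$RuleId) {
    $rule  = Get-SentinelRule $RuleId
    $names = Get-SentinelRules | ForEach-Object { $_.properties.displayName }
    $rule.properties.displayName = Get-NextCopyName $rule.properties.displayName $names
    $rule.properties.enabled = $false
    $rule.PSObject.Properties.Remove('etag')          # new resource, nothing to match against yet
    Set-SentinelRule ([guid]::NewGuid().ToString()) $rule
}

# Delete is irreversible, so the pattern is: disable, wait, then delete.
function Remove-SentinelRule([string]$RuleId) {
    $resp = Invoke-AzRestMethod -Method DELETE -Path "$base/$RuleId?api-version=$apiVersion"
    if ($resp.StatusCode -notin 200, 204) { throw "DELETE $RuleId -> $($resp.StatusCode): $($resp.Content)" }
}

Get-SentinelRules | ForEach-Object {
    '{0}  {1,-34} enabled={2,-5} {3}' -f $_.name, $_.kind, $_.properties.enabled, $_.properties.displayName
}
```

Typical use follows the order the post recommends: Set-SentinelRuleEnabled with $false, check the listing (and the incidents queue) after a quiet period, and only then Remove-SentinelRule. Copy-SentinelRule deliberately creates the duplicate disabled, which matches the reason for duplicating in the first place: you want to edit the copy, not have two identical rules firing.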

Managing rules in this way keeps them valid over time and lets routine tasks proceed without a flood of unnecessary alerts. 
