Creating Analytic Rules (part 1)

 



To read part 2, please click here


An Introduction to Microsoft Sentinel Analytics

Microsoft Sentinel Analytics is where you create the rules that turn the data in your workspace into alerts and incidents. Each rule type has its own configuration steps, suited to the kind of abnormal activity you want to detect.

Types of Analytic Rules

The following are the types of analytic rules:
  • Scheduled- Named because these rules run on a fixed schedule. Each one is a KQL (Kusto Query Language) query, run against the workspace on that schedule, whose results become alerts. The large majority of analytic rules are of this type.

  • Microsoft Security- These rules create Microsoft Sentinel incidents from alerts already generated by other Microsoft security products. Alerts from the following products can be passed through (listed here under the names used at the time of writing; several have since been renamed):

  1. Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps)
  2. Microsoft Defender for Cloud
  3. Azure Advanced Threat Protection (now Microsoft Defender for Identity)
  4. Azure Active Directory Identity Protection (now Microsoft Entra ID Protection)
  5. Microsoft Defender Advanced Threat Protection (now Microsoft Defender for Endpoint)

These rules give you a single place to see all of the alerts from those Microsoft security products.

  • Machine Learning Behavioral Analytics- At present these rules can only be created from the templates Microsoft provides. They use proprietary Microsoft machine learning algorithms to find suspicious events.

  • Fusion- Also a machine learning technology, Fusion correlates information from several alerts to raise alerts about activity that is hard to spot from any single signal. It is a powerful tool: lower-severity alerts may not mean much when looked at separately, but combined by Fusion they can tell a very different story.

Navigating through the Analytics Home Page

Here you can view, create, and manage analytic rules. First select Analytics from the left-hand navigation bar to open the Analytics home page, which is divided into three parts: the header bar, the listing of rules and templates, and the details pane.

  • The Header Bar- On its left is the number of Active Rules currently in use; to the right of that is a breakdown of those rules by the severity of the alerts they will create; and at the far right is a link that opens a new tab where you can learn more about analytic rules. Below the header bar is a selector for either Active Rules or Rule Templates, each showing its own information.

  • Rule & Template Listings- Here you can view all of the rule templates that Microsoft has pre-loaded from the Microsoft Sentinel GitHub repository; to use one, you create a rule from it. Some templates, such as the Fusion and machine learning behavioral analytics templates, only permit a single rule to be created from them, while the others have no such restriction. You can also use the search box to find a rule template or active rule if you know at least part of its title.

  • Details Pane- Clicking on any row opens the details pane to the right of the listing. It shows the rule's full name, preceded by an icon matching the rule type. Scrolling down, below the required data sources there is a listing of the MITRE ATT&CK tactics the rule covers. Below the rule query are the following details-

  1. Rule Period- how far back in time each run of the query looks for data. If the period is longer than the frequency, consecutive runs overlap and the same events are evaluated more than once.
  2. Rule Frequency- how often the query runs.
  3. Rule Threshold- how many results the query must return before an alert is generated.
  4. Suppression Field (not visible here)- whether suppression is enabled for the rule and, if so, for how long the rule stops running after it generates an alert.
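To make the interaction between the scheduled-rule settings above (period, frequency, threshold and suppression) concrete, here is an added simulation in Python. It is not Sentinel code and not from the original post: the sign-in rows, user names and timestamps are constructed for the example, and the query function stands in for a KQL query of the form `SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName | where count_ >= 5`. It shows that a 1-hour lookback run every 5 minutes re-alerts on the same burst of failures at every run until suppression, or a lookback equal to the frequency, stops it.

```python
"""Simulate how a Microsoft Sentinel scheduled analytics rule evaluates its
query: Rule Period (lookback), Rule Frequency, Rule Threshold and Suppression.

Added illustration only: this is not Sentinel's own code, and every event
row, user name and timestamp below is constructed for the example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class SigninEvent:
    """A constructed row resembling a SigninLogs entry."""
    time: datetime
    user: str
    success: bool


@dataclass
class ScheduledRule:
    name: str
    query: Callable[[List[SigninEvent]], List[Tuple[str, int]]]
    query_period: timedelta        # "Rule Period": how far back each run looks
    query_frequency: timedelta     # "Rule Frequency": how often the query runs
    trigger_threshold: int = 0     # "Rule Threshold": alert when result rows > this
    suppression: Optional[timedelta] = None  # pause the rule after an alert


def failed_logons_by_user(rows: List[SigninEvent], min_failures: int = 5) -> List[Tuple[str, int]]:
    """Stand-in for the KQL: failed sign-ins summarised per user, keeping users
    with at least min_failures. Each returned tuple is one result row."""
    failures = Counter(e.user for e in rows if not e.success)
    return sorted((u, n) for u, n in failures.items() if n >= min_failures)


def run_rule(rule: ScheduledRule, events: List[SigninEvent],
             start: datetime, end: datetime) -> List[Tuple[datetime, List[Tuple[str, int]]]]:
    """Run the rule on its schedule from start to end (inclusive).
    Returns one (run_time, result_rows) entry per alert generated."""
    alerts = []
    suppressed_until: Optional[datetime] = None
    t = start
    while t <= end:
        if suppressed_until is not None and t < suppressed_until:
            t += rule.query_frequency      # suppression: the query does not run at all
            continue
        # Lookback window is (t - period, t]: everything up to the run time.
        window = [e for e in events if t - rule.query_period < e.time <= t]
        rows = rule.query(window)
        if len(rows) > rule.trigger_threshold:  # Sentinel's default "greater than" trigger
            alerts.append((t, rows))
            if rule.suppression is not None:
                suppressed_until = t + rule.suppression
        t += rule.query_frequency
    return alerts


# Constructed sample data: alice fails 6 times in ~3 minutes then succeeds,
# bob fails twice (below the per-user limit in the query).
BASE = datetime(2024, 1, 15, 10, 0)
EVENTS = (
    [SigninEvent(BASE + timedelta(minutes=1, seconds=30 * i), "alice", False) for i in range(6)]
    + [SigninEvent(BASE + timedelta(minutes=4), "alice", True)]
    + [SigninEvent(BASE + timedelta(minutes=20 + i), "bob", False) for i in range(2)]
)


def alert_counts() -> dict:
    """Number of alerts raised over one hour for three rule configurations."""
    start, end = BASE, BASE + timedelta(hours=1)
    rules = {
        # 1h lookback, 5m cadence: windows overlap, so the same burst fires every run.
        "overlapping": ScheduledRule("overlapping", failed_logons_by_user,
                                     timedelta(hours=1), timedelta(minutes=5)),
        # Same, but suppression pauses the rule for an hour after the first alert.
        "suppressed": ScheduledRule("suppressed", failed_logons_by_user,
                                    timedelta(hours=1), timedelta(minutes=5),
                                    suppression=timedelta(hours=1)),
        # Lookback equal to frequency: each event is evaluated exactly once.
        "aligned": ScheduledRule("aligned", failed_logons_by_user,
                                 timedelta(minutes=5), timedelta(minutes=5)),
    }
    return {name: len(run_rule(r, EVENTS, start, end)) for name, r in rules.items()}


if __name__ == "__main__":
    for name, count in alert_counts().items():
        print(f"{name:12s} -> {count} alert(s) in one hour")
```

The "overlapping" configuration is the one people set up by accident: a 5-minute cadence with a 1-hour lookback produces twelve alerts for a single brute-force burst. Either enable suppression for at least the length of the period, set the period equal to the frequency (and accept that a burst spanning a boundary may be split across two windows), or write the query so that it only returns rows whose earliest event falls inside the most recent frequency interval.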

If the rule is a Microsoft Security rule, the details differ: the Filter by Microsoft Security Service field shows which Microsoft service generates the alerts, the Filter by Severity field shows the severity levels used to filter the incoming alerts, and Filter by Alert Name does the same for the alert names.







