Creating Analytic Rules (part 1)

 



To read part 2, please click here


An Introduction to Microsoft Sentinel Analytics

Microsoft Sentinel Analytics can help you to establish new rules to find the issues related to your environment, each of them with its own configuration steps suitable for the type of abnormalities you want to detect.

Types of Analytic Rules

The following are the various types of analytic rules described below:
  • Scheduled- It is named as such because these rules runs on a set of schedules to detect suspicious events and the queries uses KQL to define their findings. These rules are present in the large proportion of of the analytic rules.

  • Microsoft Security- They can create Microsoft Sentinel incidents from the alerts generated from the other Microsoft Security solutions. The following security solutions have their alerts passed through-

  1. Microsoft Cloud App Security
  2. Microsoft Defender for Cloud
  3. Azure Advanced Threat Protection
  4. Azure Active Directory Identity Protection
  5. Microsoft Defender Advanced Threat Protection

These are capable of offering a single location to go to see all of the alerts from Azure Security applications. 

  • Machine Learning Behavioral Analytics- Nowadays, these rules can only be created from templates that Microsoft offers and uses proprietary Microsoft machine learning algorithms to find suspicious events with the help of artificial intelligence as well as machine learning.

  • Fusion- It is also a machine learning technology that can combine information from various alerts to generate alerts about things that may not be easy to detect. It has proven to be a very powerful tool as some of the lower-severity alerts may not mean much if we look at them separately, but it's a whole new story if we combine them with the help of fusion.

Navigating through the Analytics Home Page

Here you can easily view, create, and manage various alerts. Firstly, you have to select Analytics from the left-hand navigation bar to access the Analytics Home Page which is further divided into- the header bar, the listing of rules and templates, and the detailed information section.

  • The Header Bar- On its left is the number of Active Rules that are currently in use, to the right is the listing of those rules along with the severity of alert they will create, and the far right is a link that can open a new tab where you can learn more about analytic rules. Below the header bar is present a selector to select either Active Rules or Rule Templates each having different information of their own. 

  • Rule & Template Listings- Here, you can easily view all of the rule templates that the Microsoft has pre-loaded from Microsoft Sentinel's GitHub repository for you to use by simply creating a rule from them to use them. Some of the rule templates, like Fusion rules or machine learning behavioral analytics, can only permits you to create a single rule from the templates while the others have no such restrictions. You can also use the search box to search for the Rule templates or Active rules if you knew at least a part of the title. 

  • Details Pane- By clicking on any row, you can view the details pane to the right of the listing having a fitting full name, preceding by an icon to match the rule type. Now, if you scroll the page down, there is a listing of tactics that the rule uses under the required data sources showing the types of tactics this rule is looking for. Below the rule query there are following details-  

  1. Rule Period- how far in the past the query will look for its data.
  2. Rule Frequency- how often the query will be run.
  3. Rule Threshold- how many occurrences of the query finding a result is required before an alert is generated.  
  4. Suppression Field (not visible)- state if the query has been suppressed or not, and also for how long.

However, if the rule is a Microsoft Security rule, then the Filter by Microsoft Security Service field can determine which other Microsoft Service is being used to generate the alerts. The Filter by Severity field can show the levels of security used to filter the incoming alerts while Filter by Alert Name can do the same for the names of the alerts.





To read part 2, please click here



Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)