
Manage Microsoft Sentinel Analytics Rules

Michael J. Teske
Principal Author Evangelist - Pluralsight

Design and configure analytics rules
- Create custom analytics rules to detect threats
- Activate Microsoft Security analytical rules

Configure custom scheduled queries
- Configure connector provided scheduled queries

Define incident creation logic


Design and Configure Analytics Rules

- Used to discover threats and specific behaviors
- Rules search for events
- Alerts are created when rule thresholds are met
- Generates incidents to be triaged
- Respond to threats with automatic tracking and remediation
Design and Configure Analytics Rules

Create analytical rules
- Define how events and alerts are processed
- Define how alerts and incidents are generated
- Choose automated threat responses for rules


Creating and Configuring Analytics Rules
Other Alert Settings

Event Grouping
- Group all events into a single alert
- Trigger an alert for each rule

Suppression
- Set "Stop running query after alert is generated" to On

Automated Responses
Activate Microsoft Security Analytical Rules

- Uses rule templates in the portal
- You can customize/modify the template
- Can use rule to make additional rules
Configure Custom Scheduled Queries
Custom Scheduled Queries
Query intervals
- Can be scheduled from every 5 minutes to once every 14 days

Lookback period
- Can query past 10 minutes or 6 hours

Ingestion delay
- Runs scheduled rules on a 5 minute delay from scheduled time

Alert threshold
- Set to zero if you want every event registered
Query Scheduling
Define Incident Creation Logic

Allows you to choose how Sentinel can turn alerts into actionable incidents

Incident Logic Options
- Choose to have no incidents created
- Group all alerts triggered by rule into a single incident
- Group alerts into a single incident if entities match
- Group alerts into a single incident if details match
Define Incident Creation Logic
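The scheduling, alert-grouping, suppression and incident-creation settings from the preceding slides all map onto properties of one Scheduled analytics rule resource. The ARM template below is an added example written for this page; it is not part of the Pluralsight course and not a Microsoft-provided template. The rule name, the workspaceName/ruleId parameters, the KQL query and the thresholds are assumptions chosen for illustration (the rule id must be a GUID, which is why the default uses newGuid()). In Sentinel terms: queryFrequency is the query interval, queryPeriod is the lookback period, triggerOperator GreaterThan with triggerThreshold 0 registers every result, eventGroupingSettings selects one alert per result rather than one alert for all events, suppressionEnabled/suppressionDuration is the "stop running query after alert is generated" setting, and incidentConfiguration.groupingConfiguration is the "group alerts into a single incident if entities match" option.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "string" },
    "ruleId": { "type": "string", "defaultValue": "[newGuid()]" }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "apiVersion": "2023-02-01-preview",
      "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', parameters('ruleId'))]",
      "kind": "Scheduled",
      "properties": {
        "displayName": "Example - repeated failed sign-ins from one IP address",
        "description": "Added example rule (assumed query and thresholds): one source IP failing sign-in for several accounts inside the lookback window.",
        "enabled": true,
        "severity": "Medium",
        "query": "SigninLogs\n| where ResultType != \"0\"\n| summarize FailedSignIns = count(), TargetAccounts = dcount(UserPrincipalName) by IPAddress\n| where FailedSignIns >= 20 and TargetAccounts >= 5",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionEnabled": true,
        "suppressionDuration": "PT3H",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT6H",
            "matchingMethod": "Selected",
            "groupByEntities": [ "IP" ],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              { "identifier": "Address", "columnName": "IPAddress" }
            ]
          }
        ],
        "tactics": [ "CredentialAccess" ],
        "techniques": [ "T1110" ]
      }
    }
  ]
}
```

Two design points worth checking in any rule built this way. First, the lookback (PT2H) is longer than the interval (PT1H), so consecutive runs overlap and the same sign-in failures can be counted twice; the suppression window covers that overlap so a persistent source does not produce a fresh alert every hour. Second, the entity mapping is what makes incident grouping by entity work: without the IPAddress column mapped to an IP entity, "match on entities" has nothing to match and every alert becomes its own incident. Sentinel adds its own ingestion delay on top of the schedule, so the window the service actually queries is shifted later than the nominal run time.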
Demo
Manage alert rules
- Custom vs. templates
- Incidents
Summary

Design and configure analytics rules
- Create custom analytics rules to detect threats
- Activate Microsoft Security analytical rules

Configure custom scheduled queries
- Configure connector provided scheduled queries

Define incident creation logic
Up Next:
Manage Microsoft Sentinel Incidents
