Once you have connected your data sources to Azure Sentinel, you'll want to be notified when something suspicious occurs. That's why Azure Sentinel provides out-of-the-box, built-in templates to help you create threat detection rules. These templates were designed by Microsoft's team of security experts and analysts based on known threats, common attack vectors, and suspicious activity escalation chains. Rules created from these templates will automatically search across your environment for any activity that looks suspicious. Many of the templates can be customized to search for activities, or filter them out, according to your needs. The alerts generated by these rules will create incidents that you can assign and investigate in your environment.
About out-of-the-box detections
To view all the out-of-the-box detections, go to Analytics and then Rule templates. This tab contains all the Azure Sentinel built-in rules.
The following sections describe the types of out-of-the-box templates available:
Microsoft security
Microsoft security templates automatically create Azure Sentinel incidents from the alerts generated in other Microsoft security solutions, in real time. You can use Microsoft security rules as a template to create new rules with similar logic.
For more information about security rules, see Automatically create incidents from Microsoft security alerts.
Fusion
Based on Fusion technology, advanced multistage attack detection in Azure Sentinel uses scalable machine learning algorithms that can correlate many low-fidelity alerts and events across multiple products into high-fidelity and actionable incidents. Fusion is enabled by default. Because the logic is hidden and therefore not customizable, you can only create one rule with this template.
In addition, the Fusion engine can now correlate alerts produced by scheduled analytics rules with those from other systems, producing high-fidelity incidents as a result.
Important
Some of the detections in the Fusion rule template are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
To see which detections are in preview, see Advanced multistage attack detection in Azure Sentinel.
Machine learning (ML) behavioral analytics
These templates are based on proprietary Microsoft machine learning algorithms, so you cannot see the internal logic of how they work and when they run. Because the logic is hidden and therefore not customizable, you can only create one rule with each template of this type.
Important
- The machine learning behavioral analytics rule templates are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- By creating and enabling any rules based on the ML behavior analytics templates, you give Microsoft permission to copy ingested data outside of your Azure Sentinel workspace's geography as necessary for processing by the machine learning engines and models.
Anomaly
Anomaly rule templates use SOC-ML (machine learning) to detect specific types of anomalous behavior. Each rule has its own unique parameters and thresholds, appropriate to the behavior being analyzed. The configuration of the original rule can't be changed or fine-tuned, but you can duplicate the rule, change and fine-tune the duplicate, run the duplicate in Flighting mode while the original keeps running in Production mode, compare the results, and switch the duplicate to Production if and when its fine-tuning is to your liking. Learn more about SOC-ML and working with anomaly rules.
Important
The Anomaly rule templates are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Scheduled
Scheduled analytics rules are based on built-in queries written by Microsoft security experts. You can see the query logic and make changes to it. You can use the scheduled rules template and customize the query logic and scheduling settings to create new rules.
Several new scheduled analytics rule templates produce alerts that are correlated by the Fusion engine with alerts from other systems to produce high-fidelity incidents. See Advanced multistage attack detection for details.
Tip
Rule scheduling options include configuring the rule to run every specified number of minutes, hours, or days, with the clock starting when you enable the rule.
We recommend being mindful of when you enable a new or edited analytics rule, so that the rule produces its incidents when they are actually needed. For example, you might want a rule to run in sync with the start of your SOC analysts' workday, and enable it at that time.
Use out-of-the-box detections
- To use a built-in template, click the template name, and then click the Create rule button on the details pane to create a new active rule based on that template. Each template has a list of required data sources. When you open the template, the data sources are automatically checked for availability. If there is an availability issue, the Create rule button may be disabled, or you may see a warning to that effect.
- Clicking the Create rule button opens the rule creation wizard based on the selected template. All the details are autofilled, and with the Scheduled or Microsoft security templates, you can customize the logic and other rule settings to better suit your specific needs. You can repeat this process to create additional rules based on the built-in template. After following the steps in the rule creation wizard to the end, you will have finished creating a rule based on the template. The new rules will appear in the Active rules tab.
Microsoft Documentation: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-built-in