One of the domains you’d need to master is the configuration and design of analytics rules. Thus, it’s crucial to understand the architecture of Azure Sentinel analytics, from basic alert rules to more advanced machine learning models. This post will cover how to design and configure analytics rules, based on the SC-200 Microsoft Security Operations Analyst certification guide.

Understanding Azure Sentinel

Azure Sentinel is Microsoft’s cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. It provides intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Designing Analytics Rules

Designing an analytics rule in Azure Sentinel means specifying the logic that drives alert generation. Each alert rule is shaped by three things: its query, its rule logic (threshold and schedule), and its incident creation settings.

Let’s consider an example:

Suppose a company wants to monitor for failed login attempts. An overabundance of such events could indicate an attempted breach. A rule can be designed that triggers an alert when five or more failed login attempts occur within a given 5-minute window.

The core elements of this design are:

  • Event: Failed login attempt
  • Threshold: More than five events
  • Time frame: Within a 5-minute window

Using Sentinel’s KQL (Kusto Query Language), the rule’s logic may look something like this:

// Count failed operations in fixed 5-minute bins and fire when a bin holds more than five.
// The filter shown matches failed JIT network access initiate actions in AzureActivity;
// swap the table and the where clauses for the event you want to count, the shape stays the same.
AzureActivity
| where OperationNameValue == 'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action'
| where ActivityStatusValue == 'Failed'
| summarize count() by bin(TimeGenerated, 5m)   // one row per 5-minute bin; the count column is named count_
| where count_ > 5
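The same threshold rule re-implemented in Python over constructed sign-in events, as an added example that is not part of the original post. It assumes the SigninLogs convention that result code "0" means success, and it shows a caveat of the rule shape above: KQL bin() uses fixed (tumbling) 5-minute buckets, so a burst that straddles a bucket edge can be split below the threshold, while a sliding window over the same data catches it.

```python
"""Failed-login threshold rule over constructed sign-in events (added example,
not from the original post). Shows what `summarize count() by bin(TimeGenerated, 5m)`
does, and why a tumbling bin can miss a burst that straddles a bin edge."""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # fire when count_ > 5, as in the KQL rule above


def _burst(user, start, n, step_s=10):
    """Constructed helper: n failed sign-ins for `user`, step_s seconds apart.
    Result "0" is success; any other code is a failure (SigninLogs convention, assumed)."""
    return [(start + timedelta(seconds=i * step_s), user, "50126") for i in range(n)]


# Constructed sample data: (timestamp, user, result code).
EVENTS = (
    _burst("bob", datetime(2024, 1, 1, 10, 4, 30), 6)  # 10:04:30..10:05:20, straddles the 10:05 edge
    + _burst("eve", datetime(2024, 1, 1, 10, 11, 0), 6)  # all inside the 10:10 bin
    + [(datetime(2024, 1, 1, 10, 6, 0), "bob", "0"),
       (datetime(2024, 1, 1, 10, 7, 0), "alice", "50126")]
)


def bin_start(ts, size=WINDOW):
    """KQL bin(): floor a timestamp to a fixed-size bucket boundary."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // size) * size


def tumbling_hits(events, threshold=THRESHOLD):
    """The rule's shape: failures per (user, 5m bin); report users with a bin over threshold."""
    counts = Counter((user, bin_start(ts)) for ts, user, result in events if result != "0")
    return {user for (user, _), n in counts.items() if n > threshold}


def sliding_hits(events, threshold=THRESHOLD, window=WINDOW):
    """Same threshold over a 5-minute span starting at each failure, so bin edges do not matter."""
    fails = sorted((ts, user) for ts, user, result in events if result != "0")
    hits = set()
    for i, (ts_i, user) in enumerate(fails):
        n = sum(1 for ts_j, u in fails[i:] if u == user and ts_j - ts_i < window)
        if n > threshold:
            hits.add(user)
    return hits


if __name__ == "__main__":
    print("tumbling:", tumbling_hits(EVENTS))  # {'eve'}: bob's burst is split across two bins
    print("sliding: ", sliding_hits(EVENTS))   # {'bob', 'eve'}
```

In Sentinel the rule’s frequency and lookback period partly compensate for this, but the detection engineer should still check whether a per-bin count or a span-based count is the behaviour actually wanted.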

Configuring Analytics Rules

The configuration steps depend on the rule type. The primary forms of analytics rules are:

  • Scheduled query rules: Built from KQL queries and run at specified intervals.
  • Microsoft Incident Creation rule: Uses built-in machine learning algorithms to identify incidents potentially worth investigating.
  • Fusion rule: Combines alerts that are part of the same attack into a single incident.

For the aforementioned example, here’s how we could go about configuring a scheduled query:

  1. Go to Azure Sentinel -> Analytics.
  2. Click “+ Create” -> Scheduled query rule.
  3. Fill in the basic information (i.e., Name, Description, Severity, Status) in the General section.
  4. In the Set Rule Logic section, paste the KQL query designed earlier.
  5. Set the rule frequency and lookback period based on the organization’s needs.
  6. Enable “Create incidents” and determine the grouping of alerts into incidents.
  7. Review and create the rule.

However, the configuration steps for the Microsoft Incident Creation rule and the Fusion rule are quite different.

Remember, the primary goal behind designing and configuring analytics rules in Azure Sentinel is to proactively identify security threats before they can cause significant harm. An adept understanding of your organizational needs, coupled with a solid grasp of KQL and Azure Sentinel’s rule types, can significantly elevate your threat detection and response capabilities.

Each situation is unique, and configuring rules requires a clear understanding of an organization’s specific needs, resources, and potential threats. The skill set covered by the SC-200 Microsoft Security Operations Analyst exam prepares an information security professional to design and configure the most effective and efficient analytics rules.

Practice Test

True/False: In Microsoft Azure, you can build custom analytics rules to create incidents from data streamed into Azure Sentinel.

  • True
  • False

Answer: True

Explanation: Azure Sentinel allows users to create custom analytic rules that generate incidents from data.

Multiple Select: Which of the following panels exposes Analytics rule types available in Azure Sentinel?

  • a. Scheduled
  • b. Microsoft Security
  • c. Fusion
  • d. ML Behavior Analytics

Answer: a, b, c, d

Explanation: All of these rule types are available in Azure Sentinel.

Single Select: What is the first step in creating an Analytics rule in Azure Sentinel?

  • a. Write Rule query
  • b. Set Rule properties
  • c. Schedule Rule execution
  • d. Configure Rule group

Answer: a. Write Rule query

Explanation: The first and foremost step in building an Analytics Rule in Azure Sentinel is to write a Kusto Query Language (KQL) query.

True/False: You can choose to logically group rules in Azure Sentinel according to Tactics.

  • True
  • False

Answer: True

Explanation: Yes, you can logically group rules by Tactics. This helps in organizing them and making interpretation easier.

Multiple Select: When you configure an Analytics rule in Azure Sentinel, what information must you include?

  • a. Rule Name
  • b. Rule Description
  • c. Tactic
  • d. Severity

Answer: a, b, c, d

Explanation: All of these are required information when configuring an Analytics rule in Azure Sentinel.

Single Select: An analytics rule’s severity in Azure Sentinel uses frequency of occurrence to measure relevance.

  • a. True
  • b. False

Answer: b. False

Explanation: The severity of an analytic rule is intended to convey the urgency or importance of a specific rule, not frequency of occurrence.

True/False: Once you create an Analytics rule in Azure Sentinel, you can’t modify it.

  • True
  • False

Answer: False

Explanation: After an Analytics rule has been created in Azure Sentinel, you can modify it anytime.

Multiple Select: Which of the following are advanced rule settings in Azure Sentinel?

  • a. Suppression
  • b. Query scheduling and lookback
  • c. Automation
  • d. Entity mapping

Answer: a, b, c, d

Explanation: All of these are advanced settings available when configuring an Analytics rule in Sentinel.

True/False: The querying and detection language supported by Azure Sentinel is Python.

  • True
  • False

Answer: False

Explanation: The querying and detection language supported by Azure Sentinel is Kusto Query Language (KQL), not Python.

Single Select: What is necessary to create an Azure Sentinel Analytics rule?

  • a. Prior knowledge of Kusto Query Language (KQL)
  • b. A Bachelor’s degree in Computer Science
  • c. An Azure Data Science Certificate
  • d. A PhD in Data Analytics

Answer: a. Prior knowledge of Kusto Query Language (KQL)

Explanation: To create an Analytics rule in Azure Sentinel successfully, a working knowledge of KQL is required.

True/False: Anomaly detection is possible with Azure Sentinel’s Analytics Rules.

  • True
  • False

Answer: True

Explanation: Azure Sentinel allows Anomaly detection, which can be configured using Analytics Rules.

Multiple Select: What can you specify in the Rule Logic section while creating an Azure Sentinel Analytics rule?

  • a. Typical false positives
  • b. Threats the rule is detecting
  • c. Custom details
  • d. Tactics for the detection

Answer: a, b, c, d

Explanation: The Rule Logic section enables you to specify all the above-mentioned important details.

True/False: In Azure Sentinel, you can create and set a scheduled alert rule without a workspace and permissions.

  • True
  • False

Answer: False

Explanation: To create and set a scheduled alert rule, you must have the right permissions and a properly set up workspace.

Single Select: What language does Azure Sentinel use to filter and sort large volumes of data?

  • a. C++
  • b. Python
  • c. KQL (Kusto Query Language)
  • d. JavaScript

Answer: c. KQL (Kusto Query Language)

Explanation: Azure Sentinel uses KQL, a read-only language similar to SQL, optimised for fast and efficient analysis of large volumes of data.

True/False: Incident creation can be automated through Analytics rules in Azure Sentinel.

  • True
  • False

Answer: True

Explanation: Analytics rules allow you to automate the creation of incidents based on specific conditions or criteria.

Interview Questions

What are analytics rules in Microsoft Azure Sentinel?

Analytics rules in Microsoft Azure Sentinel are logic sets that automatically run queries at specified intervals. If the queries produce results, they create incidents based on those results.

What is the purpose of configuring analytics rule in Azure Sentinel?

Configuring analytics rules in Azure Sentinel helps to conduct automated threat detection. It allows running queries across your data sources at a set interval, and if the queries produce a match, an alert is created.

How many types of rules are there in Azure Sentinel Analytics?

There are three types of rules in Azure Sentinel Analytics: Scheduled, Microsoft Security, and Fusion.

What is a scheduled rule in Azure Sentinel Analytics?

A scheduled rule runs at specific intervals defined by the user. These rules typically use Kusto Query Language (KQL) queries to evaluate the data in your Log Analytics workspace and generate incidents when the conditions defined in the query are met.

What is the main function of Microsoft Security rules?

Microsoft Security rules are used to create incidents based on alerts from Microsoft Security products. These rules help in integrating other Microsoft services like Microsoft Defender for Endpoint with Azure Sentinel.

What is the purpose of Fusion rules in Azure Sentinel Analytics?

Fusion rules allow Azure Sentinel to use advanced multistage attack detection. Using machine learning, these rules can correlate multiple low to medium severity alerts to detect high severity incidents.

How frequently can a Scheduled rule be set to run in Azure Sentinel?

A Scheduled rule can be set to run as frequently as every 5 minutes in Azure Sentinel.

What kind of responses can be set up when an Azure Sentinel rule matches a query?

Automated responses to Azure Sentinel rule matches can include running a playbook, sending a notification, or creating an incident for further investigation.

Can an analytics rule in Azure Sentinel be deactivated?

Yes, Analytics rules in Azure Sentinel can be deactivated if they are not needed temporarily or permanently.

Can analytics rules in Azure Sentinel be exported for use in another Azure Sentinel environment?

Yes, analytics rules can be exported as a JSON file and imported in another instance of Azure Sentinel.

What is ‘Lookback time’ in Scheduled analytics rule?

‘Lookback time’ is the window of past data, measured back from the rule’s scheduled run time, that Azure Sentinel queries each time the rule runs.

Which licenses are required to use analytics rules in Azure Sentinel?

To use analytics rules in Azure Sentinel, you need an Azure subscription and an Azure Log Analytics workspace in your subscription.

Can you create an analytics rule without defining an action?

No, each Azure Sentinel analytics rule must have at least one defined action to perform when the conditions of the rule are met.

How can false positives be reduced in Azure Sentinel analytics rules?

False positives can be reduced by refining KQL queries, adjusting the threshold of an analytics rule, or suppressing frequent or noisy alerts.

When should you use Fusion rules?

Fusion rules should be used when dealing with complex threats that involve multiple stages or activities that would not be high severity when viewed individually.
