3: Analytics Rules Flashcards
(15 cards)
What is an analytics rule in Microsoft Sentinel?
It’s a scheduled query that scans your logs for suspicious patterns and generates alerts when those patterns are detected.
Where do you configure analytics rules?
Microsoft Sentinel > [Workspace] > Analytics
What types of analytics rules exist in Sentinel?
Scheduled, Microsoft Security (automatic Defender integrations), Fusion (AI-driven correlation), and NRT (near-real-time) rules.
What is a scheduled rule?
A custom rule you define using KQL to detect specific behaviors at a regular interval.
What is a Fusion rule?
A Microsoft-built rule that uses machine learning to correlate low-fidelity signals into high-confidence multistage attack incidents.
What happens when a rule is triggered?
An alert is created, and if configured, Sentinel can group it into an incident and/or trigger a playbook.
What’s the difference between an alert and a rule?
A rule defines the logic; an alert is the result of the rule firing.
Can you customize the logic of built-in analytics rules?
Yes, most prebuilt rules can be cloned and modified to suit your environment.
Why are analytics rules important?
They automate detection so you can catch threats early and reduce reliance on manual log review.
What should I tune in a rule to reduce noise?
Look at the frequency, thresholds, KQL filters, and suppression logic.
Can I map my rules to MITRE ATT&CK?
Yes, you can tag rules with relevant MITRE tactics and techniques.
What is the value of Fusion rules?
They surface complex attack paths by connecting seemingly unrelated signals, which is useful for detecting lateral movement or multistage attacks.
What’s the benefit of using Microsoft Security rules?
They automatically surface high-confidence alerts from Microsoft Defender tools without needing custom queries.
Can analytics rules trigger automation?
Yes, you can attach playbooks to alerts generated by rules.
Why should customers care about analytics rules?
They turn raw logs into real-time detection, helping reduce response time and catch threats that would otherwise go unnoticed.