Identify any attributes, fields, or entities in your data that you want to use in your rules. You'll want to create a mapping table between data sources and data tables in Microsoft Sentinel to identify the tables you want to query. Identify the data sources you want to use in your rule. In such cases, use the following steps to start creating your rule: If neither the built-in rules nor an online rule converter is sufficient, you'll need to create the rule manually. Identify the trigger condition and rule action, and then construct and review your KQL query. If you have detections that aren't covered by Microsoft Sentinel's built-in rules, try an online query converter, such as Uncoder.io to convert your queries to KQL. In Microsoft Sentinel, go to the Configuration > Analytics > Rule templates tab, and create and update each relevant analytics rule.įor more information, see Detect threats out-of-the-box. If the built-in rules are sufficient, use built-in rule templates to create rules for your own workspace. Verify whether your detections are available as built-in templates in Microsoft Sentinel: Prepare a validation process for your migrated rules, including full test scenarios and scripts.Įnsure that your team has useful resources to test your migrated rules.Ĭonfirm that you have any required data sources connected, and review your data connection methods. Verify that you have a testing system in place for each rule you want to migrate. To migrate your analytics rules to Microsoft Sentinel: Learn more about best practices for migrating detection rules. Review the rules mapping to create new queries. If rules aren’t available or can’t be converted, they need to be created manually, using a KQL query.Consider whether an online query converter such as Uncoder.io might work for your rules.Explore community resources such as the SOC Prime Threat Detection Marketplace to check whether your rules are available.Revisit data collection conversations to ensure data depth and breadth across the use cases you plan to detect. Confirm connected data sources and review your data connection methods.Because Microsoft Sentinel uses machine learning analytics to produce high-fidelity and actionable incidents, it’s likely that some of your existing detections won’t be required anymore. Use existing functionality, and check whether Microsoft Sentinel’s built-in analytics rules might address your current use cases.Eliminate low-level threats or alerts that you routinely ignore.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |