Analytics

Once you have started ingesting data, analytic rules are the next logical step. Analytic rules utilize the Kusto Query Language, or KQL, to create incidents in the Sentinel workspace. Note that not all incidents in Sentinel come from Analytic rules. For example, if you connected the Microsoft Defender XDR connector to Sentinel, all alerts created in Defender XDR will sync to Sentinel.

Generally an analytic rule is made up of some common components:

• Name
• Description
• Severity
• MITRE ATT&CK Tactics
• A KQL query
• A schedule for the frequency the query is run

More advanced analytic rules may include automation rules to make the SOC's job easier.

As you install solutions from the content hub you will often find some solutions come with analytic rules to help you get started working with the data you are ingesting.

Adding an analytic rule

You can add an analytic rule from scratch or create one utilizing a template, you will find templates on a separate tab on the analytic rule page. The steps for creating them are virtually identical. Below I list the steps for a brand new analytic rule from scratch, if you are using a template, chances are you can leave everything as the default but you will need to walk through all the same pages to create the rule.

General analytic rule

This page is very straightforward, the only thing I will note is this is what shows when an incident is created, so details here are important. You can also customize these items dependent on the data and query in the alert. For example, your KQL query can match on suspicious activity then do perhaps an iif() function to determine this match is more severe than a typical match. That level of customization is on the Set rule logic page.

Severity and MITRE ATT&CK options

• Severity
  • Informational
  • Low
  • Medium
  • High

I have listed MITRE ATT&CK options here for reference.

• Reconnaissance
  • T1589 - Gather Victim Identity Information
    • T1589.001 - Credentials
    • T1589.002 - Email Addresses
    • T1589.003 - Employee Names
  • T1590 - Gather Victim Network Information
    • T1590.001 - Domain Properties
    • T1590.002 - DNS
    • T1590.003 - Network Trust Dependencies
    • T1590.004 - Network Topology
    • T1590.005 - IP Addresses
    • T1590.006 - Network Security Appliances
  • T1591 - Gather Victim Org Information
    • T1591.001 - Determine Physical Locations
    • T1591.002 - Business Relationships
    • T1591.003 - Identify Business Tempo
    • T1591.004 - Identify Roles
  • T1592 - Gather Victim Host Information
    • T1592.001 - Hardware
    • T1592.002 - Software
    • T1592.003 - Firmware
    • T1592.004 - Client Configurations
  • T1593 - Search Open Websites/Domains
    • T1593.001 - Social Media
    • T1593.002 - Search Engines
    • T1593.003 - Code Repositories
  • T1594 - Search Victim-Owned Websites
  • T1595 - Active Scanning
    • T1595.001 - Scanning IP Blocks
    • T1595.002 - Vulnerability Scanning
    • T1595.003 - Wordlist Scanning
  • T1596 - Search Open Technical Databases
    • T1596.001 - DNS/Passive DNS
    • T1596.002 - WHOIS
    • T1596.003 - Digital Certificates
    • T1596.004 - CDNs
    • T1596.005 - Scan Databases
  • T1597 - Search Closed Sources
    • T1597.001 - Threat Intel Vendors
    • T1597.002 - Purchase Technical Data
  • T1598 - Phishing for Information
    • T1598.001 - Spearphishing Service
    • T1598.002 - Spearphishing Attachment
    • T1598.003 - Spearphishing Link
    • T1598.004 - Spearphishing Voice
• Resource Development
  • T1583 - Acquire Infrastructure
    • T1583.001 - Domains
    • T1583.002 - DNS Server
    • T1583.003 - Virtual Private Server
    • T1583.004 - Server
    • T1583.005 - Botnet
    • T1583.006 - Web Services
    • T1583.007 - Serverless
    • T1583.008 - Malvertising
  • T1584 - Compromise Infrastructure
    • T1584.001 - Domains
    • T1584.002 - DNS Server
    • T1584.003 - Virtual Private Server
    • T1584.004 - Server
    • T1584.005 - Botnet
    • T1584.006 - Web Services
    • T1584.007 - Serverless
    • T1584.008 - Network Devices
  • T1585 - Establish Accounts
    • T1585.001 - Social Media Accounts
    • T1585.002 - Email Accounts
    • T1585.003 - Cloud Accounts
  • T1586 - Compromise Accounts
    • T1586.001 - Social Media Accounts
    • T1586.002 - Email Accounts
    • T1586.003 - Cloud Accounts
  • T1587 - Develop Capabilities
    • T1587.001 - Malware
    • T1587.002 - Code Signing Certificates
    • T1587.003 - Digital Certificates
    • T1587.004 - Exploits
  • T1588 - Obtain Capabilities
    • T1588.001 - Malware
    • T1588.002 - Tool
    • T1588.003 - Code Signing Certificates
    • T1588.004 - Digital Certificates
    • T1588.005 - Exploits
    • T1588.006 - Vulnerabilities
    • T1588.007 - Artificial Intelligence
  • T1608 - Stage Capabilities
    • T1608.001 - Upload Malware
    • T1608.002 - Upload Tool
    • T1608.003 - Install Digital Certificate
    • T1608.004 - Drive-by Target
    • T1608.005 - Link Target
    • T1608.006 - SEO Poisoning
  • T1650 - Acquire Access
• Initial Access
  • T1078 - Valid Accounts
    • T1078.001 - Default Accounts
    • T1078.002 - Domain Accounts
    • T1078.003 - Local Accounts
    • T1078.004 - Cloud Accounts
  • T1091 - Replication Through Removable Media
  • T1133 - External Remote Services
  • T1189 - Drive-by Compromise
  • T1190 - Exploit Public-Facing Application
  • T1195 - Supply Chain Compromise
    • T1195.001 - Compromise Software Dependencies and Development Tools
    • T1195.002 - Compromise Software Supply Chain
    • T1195.003 - Compromise Hardware Supply Chain
  • T1199 - Trusted Relationship
  • T1200 - Hardware Additions
  • T1566 - Phishing
    • T1566.001 - Spearphishing Attachment
    • T1566.002 - Spearphishing Link
    • T1566.003 - Spearphishing via Service
    • T1566.004 - Spearphishing Voice
  • T1659 - Content Injection
• Execution
  • T1047 - Windows Management Instrumentation
  • T1053 - Scheduled Task/Job
    • T1053.002 - At
    • T1053.003 - Cron
    • T1053.005 - Scheduled Task
    • T1053.006 - Systemd Timers
    • T1053.007 - Container Orchestration Job
  • T1059 - Command and Scripting Interpreter
    • T1059.001 - PowerShell
    • T1059.002 - AppleScript
    • T1059.003 - Windows Command Shell
    • T1059.004 - Unix Shell
    • T1059.005 - Visual Basic
    • T1059.006 - Python
    • T1059.007 - JavaScript
    • T1059.008 - Network Device CLI
    • T1059.009 - Cloud API
    • T1059.010 - AutoHotKey & AutoIT
    • T1059.011 - Lua
  • T1072 - Software Deployment Tools
  • T1106 - Native API
  • T1129 - Shared Modules
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
    • T1204.001 - Malicious Link
    • T1204.002 - Malicious File
    • T1204.003 - Malicious Image
  • T1559 - Inter-Process Communication
    • T1559.001 - Component Object Model
    • T1559.002 - Dynamic Data Exchange
    • T1559.003 - XPC Services
  • T1569 - System Services
    • T1569.001 - Launchctl
    • T1569.002 - Service Execution
  • T1609 - Container Administration Command
  • T1610 - Deploy Container
  • T1648 - Serverless Execution
  • T1651 - Cloud Administration Command
• Persistence
  • T1037 - Boot or Logon Initialization Scripts
    • T1037.001 - Logon Script (Windows)
    • T1037.002 - Login Hook
    • T1037.003 - Network Logon Script
    • T1037.004 - RC Scripts
    • T1037.005 - Startup Items
  • T1053 - Scheduled Task/Job
    • T1053.002 - At
    • T1053.003 - Cron
    • T1053.005 - Scheduled Task
    • T1053.006 - Systemd Timers
    • T1053.007 - Container Orchestration Job
  • T1078 - Valid Accounts
    • T1078.001 - Default Accounts
    • T1078.002 - Domain Accounts
    • T1078.003 - Local Accounts
    • T1078.004 - Cloud Accounts
  • T1098 - Account Manipulation
    • T1098.001 - Additional Cloud Credentials
    • T1098.002 - Additional Email Delegate Permissions
    • T1098.003 - Additional Cloud Roles
    • T1098.004 - SSH Authorized Keys
    • T1098.005 - Device Registration
    • T1098.006 - Additional Container Cluster Roles
    • T1098.007 - Additional Local or Domain Groups
  • T1133 - External Remote Services
  • T1136 - Create Account
    • T1136.001 - Local Account
    • T1136.002 - Domain Account
    • T1136.003 - Cloud Account
  • T1137 - Office Application Startup
    • T1137.001 - Office Template Macros
    • T1137.002 - Office Test
    • T1137.003 - Outlook Forms
    • T1137.004 - Outlook Home Page
    • T1137.005 - Outlook Rules
    • T1137.006 - Add-ins
  • T1176 - Browser Extensions
  • T1197 - BITS Jobs
  • T1205 - Traffic Signaling
    • T1205.001 - Port Knocking
    • T1205.002 - Socket Filters
  • T1505 - Server Software Component
    • T1505.001 - SQL Stored Procedures
    • T1505.002 - Transport Agent
    • T1505.003 - Web Shell
    • T1505.004 - IIS Components
    • T1505.005 - Terminal Services DLL
  • T1525 - Implant Internal Image
  • T1542 - Pre-OS Boot
    • T1542.001 - System Firmware
    • T1542.002 - Component Firmware
    • T1542.003 - Bootkit
    • T1542.004 - ROMMONkit
    • T1542.005 - TFTP Boot
  • T1543 - Create or Modify System Process
    • T1543.001 - Launch Agent
    • T1543.002 - Systemd Service
    • T1543.003 - Windows Service
    • T1543.004 - Launch Daemon
    • T1543.005 - Container Service
  • T1546 - Event Triggered Execution
    • T1546.001 - Change Default File Association
    • T1546.002 - Screensaver
    • T1546.003 - Windows Management Instrumentation Event Subscription
    • T1546.004 - Unix Shell Configuration Modification
    • T1546.005 - Trap
    • T1546.006 - LC_LOAD_DYLIB Addition
    • T1546.007 - Netsh Helper DLL
    • T1546.008 - Accessibility Features
    • T1546.009 - AppCert DLLs
    • T1546.010 - AppInit DLLs
    • T1546.011 - Application Shimming
    • T1546.012 - Image File Execution Options Injection
    • T1546.013 - PowerShell Profile
    • T1546.014 - Emond
    • T1546.015 - Component Object Model Hijacking
    • T1546.016 - Installer Packages
    • T1546.017 - Udev Rules
  • T1547 - Boot or Logon Autostart Execution
    • T1547.001 - Registry Run Keys / Startup Folder
    • T1547.002 - Authentication Package
    • T1547.003 - Time Providers
    • T1547.004 - Winlogon Helper DLL
    • T1547.005 - Security Support Provider
    • T1547.006 - Kernel Modules and Extensions
    • T1547.007 - Re-opened Applications
    • T1547.008 - LSASS Driver
    • T1547.009 - Shortcut Modification
    • T1547.010 - Port Monitors
    • T1547.012 - Print Processors
    • T1547.013 - XDG Autostart Entries
    • T1547.014 - Active Setup
    • T1547.015 - Login Items
  • T1554 - Compromise Host Software Binary
  • T1556 - Modify Authentication Process
    • T1556.001 - Domain Controller Authentication
    • T1556.002 - Password Filter DLL
    • T1556.003 - Pluggable Authentication Modules
    • T1556.004 - Network Device Authentication
    • T1556.005 - Reversible Encryption
    • T1556.006 - Multi-Factor Authentication
    • T1556.007 - Hybrid Identity
    • T1556.008 - Network Provider DLL
    • T1556.009 - Conditional Access Policies
  • T1574 - Hijack Execution Flow
    • T1574.001 - DLL Search Order Hijacking
    • T1574.002 - DLL Side-Loading
    • T1574.004 - Dylib Hijacking
    • T1574.005 - Executable Installer File Permissions Weakness
    • T1574.006 - Dynamic Linker Hijacking
    • T1574.007 - Path Interception by PATH Environment Variable
    • T1574.008 - Path Interception by Search Order Hijacking
    • T1574.009 - Path Interception by Unquoted Path
    • T1574.010 - Services File Permissions Weakness
    • T1574.011 - Services Registry Permissions Weakness
    • T1574.012 - COR_PROFILER
    • T1574.013 - KernelCallbackTable
    • T1574.014 - AppDomainManager
  • T1653 - Power Settings
• Privilege Escalation
  • T1037 - Boot or Logon Initialization Scripts
    • T1037.001 - Logon Script (Windows)
    • T1037.002 - Login Hook
    • T1037.003 - Network Logon Script
    • T1037.004 - RC Scripts
    • T1037.005 - Startup Items
  • T1053 - Scheduled Task/Job
    • T1053.002 - At
    • T1053.003 - Cron
    • T1053.005 - Scheduled Task
    • T1053.006 - Systemd Timers
    • T1053.007 - Container Orchestration Job
  • T1055 - Process Injection
    • T1055.001 - Dynamic-link Library Injection
    • T1055.002 - Portable Executable Injection
    • T1055.003 - Thread Execution Hijacking
    • T1055.004 - Asynchronous Procedure Call
    • T1055.005 - Thread Local Storage
    • T1055.008 - Ptrace System Calls
    • T1055.009 - Proc Memory
    • T1055.011 - Extra Window Memory Injection
    • T1055.012 - Process Hollowing
    • T1055.013 - Process Doppelgänging
    • T1055.014 - VDSO Hijacking
    • T1055.015 - ListPlanting
  • T1068 - Exploitation for Privilege Escalation
  • T1078 - Valid Accounts
    • T1078.001 - Default Accounts
    • T1078.002 - Domain Accounts
    • T1078.003 - Local Accounts
    • T1078.004 - Cloud Accounts
  • T1098 - Account Manipulation
    • T1098.001 - Additional Cloud Credentials
    • T1098.002 - Additional Email Delegate Permissions
    • T1098.003 - Additional Cloud Roles
    • T1098.004 - SSH Authorized Keys
    • T1098.005 - Device Registration
    • T1098.006 - Additional Container Cluster Roles
    • T1098.007 - Additional Local or Domain Groups
  • T1134 - Access Token Manipulation
    • T1134.001 - Token Impersonation/Theft
    • T1134.002 - Create Process with Token
    • T1134.003 - Make and Impersonate Token
    • T1134.004 - Parent PID Spoofing
    • T1134.005 - SID-History Injection
  • T1484 - Domain or Tenant Policy Modification
    • T1484.001 - Group Policy Modification
    • T1484.002 - Trust Modification
  • T1543 - Create or Modify System Process
    • T1543.001 - Launch Agent
    • T1543.002 - Systemd Service
    • T1543.003 - Windows Service
    • T1543.004 - Launch Daemon
    • T1543.005 - Container Service
  • T1546 - Event Triggered Execution
    • T1546.001 - Change Default File Association
    • T1546.002 - Screensaver
    • T1546.003 - Windows Management Instrumentation Event Subscription
    • T1546.004 - Unix Shell Configuration Modification
    • T1546.005 - Trap
    • T1546.006 - LC_LOAD_DYLIB Addition
    • T1546.007 - Netsh Helper DLL
    • T1546.008 - Accessibility Features
    • T1546.009 - AppCert DLLs
    • T1546.010 - AppInit DLLs
    • T1546.011 - Application Shimming
    • T1546.012 - Image File Execution Options Injection
    • T1546.013 - PowerShell Profile
    • T1546.014 - Emond
    • T1546.015 - Component Object Model Hijacking
    • T1546.016 - Installer Packages
    • T1546.017 - Udev Rules
  • T1547 - Boot or Logon Autostart Execution
    • T1547.001 - Registry Run Keys / Startup Folder
    • T1547.002 - Authentication Package
    • T1547.003 - Time Providers
    • T1547.004 - Winlogon Helper DLL
    • T1547.005 - Security Support Provider
    • T1547.006 - Kernel Modules and Extensions
    • T1547.007 - Re-opened Applications
    • T1547.008 - LSASS Driver
    • T1547.009 - Shortcut Modification
    • T1547.010 - Port Monitors
    • T1547.012 - Print Processors
    • T1547.013 - XDG Autostart Entries
    • T1547.014 - Active Setup
    • T1547.015 - Login Items
  • T1548 - Abuse Elevation Control Mechanism
    • T1548.001 - Setuid and Setgid
    • T1548.002 - Bypass User Account Control
    • T1548.003 - Sudo and Sudo Caching
    • T1548.004 - Elevated Execution with Prompt
    • T1548.005 - Temporary Elevated Cloud Access
    • T1548.006 - TCC Manipulation
  • T1574 - Hijack Execution Flow
    • T1574.001 - DLL Search Order Hijacking
    • T1574.002 - DLL Side-Loading
    • T1574.004 - Dylib Hijacking
    • T1574.005 - Executable Installer File Permissions Weakness
    • T1574.006 - Dynamic Linker Hijacking
    • T1574.007 - Path Interception by PATH Environment Variable
    • T1574.008 - Path Interception by Search Order Hijacking
    • T1574.009 - Path Interception by Unquoted Path
    • T1574.010 - Services File Permissions Weakness
    • T1574.011 - Services Registry Permissions Weakness
    • T1574.012 - COR_PROFILER
    • T1574.013 - KernelCallbackTable
    • T1574.014 - AppDomainManager
  • T1611 - Escape to Host
• Defense Evasion
  • T1006 - Direct Volume Access
  • T1014 - Rootkit
  • T1027 - Obfuscated Files or Information
    • T1027.001 - Binary Padding
    • T1027.002 - Software Packing
    • T1027.003 - Steganography
    • T1027.004 - Compile After Delivery
    • T1027.005 - Indicator Removal from Tools
    • T1027.006 - HTML Smuggling
    • T1027.007 - Dynamic API Resolution
    • T1027.008 - Stripped Payloads
    • T1027.009 - Embedded Payloads
    • T1027.010 - Command Obfuscation
    • T1027.011 - Fileless Storage
    • T1027.012 - LNK Icon Smuggling
    • T1027.013 - Encrypted/Encoded File
    • T1027.014 - Polymorphic Code
  • T1036 - Masquerading
    • T1036.001 - Invalid Code Signature
    • T1036.002 - Right-to-Left Override
    • T1036.003 - Rename System Utilities
    • T1036.004 - Masquerade Task or Service
    • T1036.005 - Match Legitimate Name or Location
    • T1036.006 - Space after Filename
    • T1036.007 - Double File Extension
    • T1036.008 - Masquerade File Type
    • T1036.009 - Break Process Trees
    • T1036.010 - Masquerade Account Name
  • T1055 - Process Injection
    • T1055.001 - Dynamic-link Library Injection
    • T1055.002 - Portable Executable Injection
    • T1055.003 - Thread Execution Hijacking
    • T1055.004 - Asynchronous Procedure Call
    • T1055.005 - Thread Local Storage
    • T1055.008 - Ptrace System Calls
    • T1055.009 - Proc Memory
    • T1055.011 - Extra Window Memory Injection
    • T1055.012 - Process Hollowing
    • T1055.013 - Process Doppelgänging
    • T1055.014 - VDSO Hijacking
    • T1055.015 - ListPlanting
  • T1070 - Indicator Removal
    • T1070.001 - Clear Windows Event Logs
    • T1070.002 - Clear Linux or Mac System Logs
    • T1070.003 - Clear Command History
    • T1070.004 - File Deletion
    • T1070.005 - Network Share Connection Removal
    • T1070.006 - Timestomp
    • T1070.007 - Clear Network Connection History and Configurations
    • T1070.008 - Clear Mailbox Data
    • T1070.009 - Clear Persistence
    • T1070.010 - Relocate Malware
  • T1078 - Valid Accounts
    • T1078.001 - Default Accounts
    • T1078.002 - Domain Accounts
    • T1078.003 - Local Accounts
    • T1078.004 - Cloud Accounts
  • T1112 - Modify Registry
  • T1127 - Trusted Developer Utilities Proxy Execution
    • T1127.001 - MSBuild
    • T1127.002 - ClickOnce
  • T1134 - Access Token Manipulation
    • T1134.001 - Token Impersonation/Theft
    • T1134.002 - Create Process with Token
    • T1134.003 - Make and Impersonate Token
    • T1134.004 - Parent PID Spoofing
    • T1134.005 - SID-History Injection
  • T1140 - Deobfuscate/Decode Files or Information
  • T1197 - BITS Jobs
  • T1202 - Indirect Command Execution
  • T1205 - Traffic Signaling
    • T1205.001 - Port Knocking
    • T1205.002 - Socket Filters
  • T1207 - Rogue Domain Controller
  • T1211 - Exploitation for Defense Evasion
  • T1216 - System Script Proxy Execution
    • T1216.001 - PubPrn
    • T1216.002 - SyncAppvPublishingServer
  • T1218 - System Binary Proxy Execution
    • T1218.001 - Compiled HTML File
    • T1218.002 - Control Panel
    • T1218.003 - CMSTP
    • T1218.004 - InstallUtil
    • T1218.005 - Mshta
    • T1218.007 - Msiexec
    • T1218.008 - Odbcconf
    • T1218.009 - Regsvcs/Regasm
    • T1218.010 - Regsvr32
    • T1218.011 - Rundll32
    • T1218.012 - Verclsid
    • T1218.013 - Mavinject
    • T1218.014 - MMC
    • T1218.015 - Electron Applications
  • T1220 - XSL Script Processing
  • T1221 - Template Injection
  • T1222 - File and Directory Permissions Modification
    • T1222.001 - Windows File and Directory Permissions Modification
    • T1222.002 - Linux and Mac File and Directory Permissions Modification
  • T1480 - Execution Guardrails
    • T1480.001 - Environmental Keying
    • T1480.002 - Mutual Exclusion
  • T1484 - Domain or Tenant Policy Modification
    • T1484.001 - Group Policy Modification
    • T1484.002 - Trust Modification
  • T1497 - Virtualization/Sandbox Evasion
    • T1497.001 - System Checks
    • T1497.002 - User Activity Based Checks
    • T1497.003 - Time Based Evasion
  • T1535 - Unused/Unsupported Cloud Regions
  • T1542 - Pre-OS Boot
    • T1542.001 - System Firmware
    • T1542.002 - Component Firmware
    • T1542.003 - Bootkit
    • T1542.004 - ROMMONkit
    • T1542.005 - TFTP Boot
  • T1548 - Abuse Elevation Control Mechanism
    • T1548.001 - Setuid and Setgid
    • T1548.002 - Bypass User Account Control
    • T1548.003 - Sudo and Sudo Caching
    • T1548.004 - Elevated Execution with Prompt
    • T1548.005 - Temporary Elevated Cloud Access
    • T1548.006 - TCC Manipulation
  • T1550 - Use Alternate Authentication Material
    • T1550.001 - Application Access Token
    • T1550.002 - Pass the Hash
    • T1550.003 - Pass the Ticket
    • T1550.004 - Web Session Cookie
  • T1553 - Subvert Trust Controls
    • T1553.001 - Gatekeeper Bypass
    • T1553.002 - Code Signing
    • T1553.003 - SIP and Trust Provider Hijacking
    • T1553.004 - Install Root Certificate
    • T1553.005 - Mark-of-the-Web Bypass
    • T1553.006 - Code Signing Policy Modification
  • T1556 - Modify Authentication Process
    • T1556.001 - Domain Controller Authentication
    • T1556.002 - Password Filter DLL
    • T1556.003 - Pluggable Authentication Modules
    • T1556.004 - Network Device Authentication
    • T1556.005 - Reversible Encryption
    • T1556.006 - Multi-Factor Authentication
    • T1556.007 - Hybrid Identity
    • T1556.008 - Network Provider DLL
    • T1556.009 - Conditional Access Policies
  • T1562 - Impair Defenses
    • T1562.001 - Disable or Modify Tools
    • T1562.002 - Disable Windows Event Logging
    • T1562.003 - Impair Command History Logging
    • T1562.004 - Disable or Modify System Firewall
    • T1562.006 - Indicator Blocking
    • T1562.007 - Disable or Modify Cloud Firewall
    • T1562.008 - Disable or Modify Cloud Logs
    • T1562.009 - Safe Mode Boot
    • T1562.010 - Downgrade Attack
    • T1562.011 - Spoof Security Alerting
    • T1562.012 - Disable or Modify Linux Audit System
  • T1564 - Hide Artifacts
    • T1564.001 - Hidden Files and Directories
    • T1564.002 - Hidden Users
    • T1564.003 - Hidden Window
    • T1564.004 - NTFS File Attributes
    • T1564.005 - Hidden File System
    • T1564.006 - Run Virtual Instance
    • T1564.007 - VBA Stomping
    • T1564.008 - Email Hiding Rules
    • T1564.009 - Resource Forking
    • T1564.010 - Process Argument Spoofing
    • T1564.011 - Ignore Process Interrupts
    • T1564.012 - File/Path Exclusions
  • T1574 - Hijack Execution Flow
    • T1574.001 - DLL Search Order Hijacking
    • T1574.002 - DLL Side-Loading
    • T1574.004 - Dylib Hijacking
    • T1574.005 - Executable Installer File Permissions Weakness
    • T1574.006 - Dynamic Linker Hijacking
    • T1574.007 - Path Interception by PATH Environment Variable
    • T1574.008 - Path Interception by Search Order Hijacking
    • T1574.009 - Path Interception by Unquoted Path
    • T1574.010 - Services File Permissions Weakness
    • T1574.011 - Services Registry Permissions Weakness
    • T1574.012 - COR_PROFILER
    • T1574.013 - KernelCallbackTable
    • T1574.014 - AppDomainManager
  • T1578 - Modify Cloud Compute Infrastructure
    • T1578.001 - Create Snapshot
    • T1578.002 - Create Cloud Instance
    • T1578.003 - Delete Cloud Instance
    • T1578.004 - Revert Cloud Instance
    • T1578.005 - Modify Cloud Compute Configurations
  • T1599 - Network Boundary Bridging
    • T1599.001 - Network Address Translation Traversal
  • T1600 - Weaken Encryption
    • T1600.001 - Reduce Key Space
    • T1600.002 - Disable Crypto Hardware
  • T1601 - Modify System Image
    • T1601.001 - Patch System Image
    • T1601.002 - Downgrade System Image
  • T1610 - Deploy Container
  • T1612 - Build Image on Host
  • T1620 - Reflective Code Loading
  • T1622 - Debugger Evasion
  • T1647 - Plist File Modification
  • T1656 - Impersonation
  • T1666 - Modify Cloud Resource Hierarchy
• Credential Access
  • T1003 - OS Credential Dumping
    • T1003.001 - LSASS Memory
    • T1003.002 - Security Account Manager
    • T1003.003 - NTDS
    • T1003.004 - LSA Secrets
    • T1003.005 - Cached Domain Credentials
    • T1003.006 - DCSync
    • T1003.007 - Proc Filesystem
    • T1003.008 - /etc/passwd and /etc/shadow
  • T1040 - Network Sniffing
  • T1056 - Input Capture
    • T1056.001 - Keylogging
    • T1056.002 - GUI Input Capture
    • T1056.003 - Web Portal Capture
    • T1056.004 - Credential API Hooking
  • T1110 - Brute Force
    • T1110.001 - Password Guessing
    • T1110.002 - Password Cracking
    • T1110.003 - Password Spraying
    • T1110.004 - Credential Stuffing
  • T1111 - Multi-Factor Authentication Interception
  • T1187 - Forced Authentication
  • T1212 - Exploitation for Credential Access
  • T1528 - Steal Application Access Token
  • T1539 - Steal Web Session Cookie
  • T1552 - Unsecured Credentials
    • T1552.001 - Credentials In Files
    • T1552.002 - Credentials in Registry
    • T1552.003 - Bash History
    • T1552.004 - Private Keys
    • T1552.005 - Cloud Instance Metadata API
    • T1552.006 - Group Policy Preferences
    • T1552.007 - Container API
    • T1552.008 - Chat Messages
  • T1555 - Credentials from Password Stores
    • T1555.001 - Keychain
    • T1555.002 - Securityd Memory
    • T1555.003 - Credentials from Web Browsers
    • T1555.004 - Windows Credential Manager
    • T1555.005 - Password Managers
    • T1555.006 - Cloud Secrets Management Stores
  • T1556 - Modify Authentication Process
    • T1556.001 - Domain Controller Authentication
    • T1556.002 - Password Filter DLL
    • T1556.003 - Pluggable Authentication Modules
    • T1556.004 - Network Device Authentication
    • T1556.005 - Reversible Encryption
    • T1556.006 - Multi-Factor Authentication
    • T1556.007 - Hybrid Identity
    • T1556.008 - Network Provider DLL
    • T1556.009 - Conditional Access Policies
  • T1557 - Adversary-in-the-Middle
    • T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
    • T1557.002 - ARP Cache Poisoning
    • T1557.003 - DHCP Spoofing
    • T1557.004 - Evil Twin
  • T1558 - Steal or Forge Kerberos Tickets
    • T1558.001 - Golden Ticket
    • T1558.002 - Silver Ticket
    • T1558.003 - Kerberoasting
    • T1558.004 - AS-REP Roasting
    • T1558.005 - Ccache Files
  • T1606 - Forge Web Credentials
    • T1606.001 - Web Cookies
    • T1606.002 - SAML Tokens
  • T1621 - Multi-Factor Authentication Request Generation
  • T1649 - Steal or Forge Authentication Certificates
• Discovery
  • T1007 - System Service Discovery
  • T1010 - Application Window Discovery
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
    • T1016.001 - Internet Connection Discovery
    • T1016.002 - Wi-Fi Discovery
  • T1018 - Remote System Discovery
  • T1033 - System Owner/User Discovery
  • T1040 - Network Sniffing
  • T1046 - Network Service Discovery
  • T1049 - System Network Connections Discovery
  • T1057 - Process Discovery
  • T1069 - Permission Groups Discovery
    • T1069.001 - Local Groups
    • T1069.002 - Domain Groups
    • T1069.003 - Cloud Groups
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1087 - Account Discovery
    • T1087.001 - Local Account
    • T1087.002 - Domain Account
    • T1087.003 - Email Account
    • T1087.004 - Cloud Account
  • T1120 - Peripheral Device Discovery
  • T1124 - System Time Discovery
  • T1135 - Network Share Discovery
  • T1201 - Password Policy Discovery
  • T1217 - Browser Information Discovery
  • T1482 - Domain Trust Discovery
  • T1497 - Virtualization/Sandbox Evasion
    • T1497.001 - System Checks
    • T1497.002 - User Activity Based Checks
    • T1497.003 - Time Based Evasion
  • T1518 - Software Discovery
    • T1518.001 - Security Software Discovery
  • T1526 - Cloud Service Discovery
  • T1538 - Cloud Service Dashboard
  • T1580 - Cloud Infrastructure Discovery
  • T1613 - Container and Resource Discovery
  • T1614 - System Location Discovery
    • T1614.001 - System Language Discovery
  • T1615 - Group Policy Discovery
  • T1619 - Cloud Storage Object Discovery
  • T1622 - Debugger Evasion
  • T1652 - Device Driver Discovery
  • T1654 - Log Enumeration
• Lateral Movement
  • T1021 - Remote Services
    • T1021.001 - Remote Desktop Protocol
    • T1021.002 - SMB/Windows Admin Shares
    • T1021.003 - Distributed Component Object Model
    • T1021.004 - SSH
    • T1021.005 - VNC
    • T1021.006 - Windows Remote Management
    • T1021.007 - Cloud Services
    • T1021.008 - Direct Cloud VM Connections
  • T1072 - Software Deployment Tools
  • T1080 - Taint Shared Content
  • T1091 - Replication Through Removable Media
  • T1210 - Exploitation of Remote Services
  • T1534 - Internal Spearphishing
  • T1550 - Use Alternate Authentication Material
    • T1550.001 - Application Access Token
    • T1550.002 - Pass the Hash
    • T1550.003 - Pass the Ticket
    • T1550.004 - Web Session Cookie
  • T1563 - Remote Service Session Hijacking
    • T1563.001 - SSH Hijacking
    • T1563.002 - RDP Hijacking
  • T1570 - Lateral Tool Transfer
• Collection
  • T1005 - Data from Local System
  • T1025 - Data from Removable Media
  • T1039 - Data from Network Shared Drive
  • T1056 - Input Capture
    • T1056.001 - Keylogging
    • T1056.002 - GUI Input Capture
    • T1056.003 - Web Portal Capture
    • T1056.004 - Credential API Hooking
  • T1074 - Data Staged
    • T1074.001 - Local Data Staging
    • T1074.002 - Remote Data Staging
  • T1113 - Screen Capture
  • T1114 - Email Collection
    • T1114.001 - Local Email Collection
    • T1114.002 - Remote Email Collection
    • T1114.003 - Email Forwarding Rule
  • T1115 - Clipboard Data
  • T1119 - Automated Collection
  • T1123 - Audio Capture
  • T1125 - Video Capture
  • T1185 - Browser Session Hijacking
  • T1213 - Data from Information Repositories
    • T1213.001 - Confluence
    • T1213.002 - Sharepoint
    • T1213.003 - Code Repositories
    • T1213.004 - Customer Relationship Management Software
    • T1213.005 - Messaging Applications
  • T1530 - Data from Cloud Storage
  • T1557 - Adversary-in-the-Middle
    • T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
    • T1557.002 - ARP Cache Poisoning
    • T1557.003 - DHCP Spoofing
    • T1557.004 - Evil Twin
  • T1560 - Archive Collected Data
    • T1560.001 - Archive via Utility
    • T1560.002 - Archive via Library
    • T1560.003 - Archive via Custom Method
  • T1602 - Data from Configuration Repository
    • T1602.001 - SNMP (MIB Dump)
    • T1602.002 - Network Device Configuration Dump
• Command and Control
  • T1001 - Data Obfuscation
    • T1001.001 - Junk Data
    • T1001.002 - Steganography
    • T1001.003 - Protocol or Service Impersonation
  • T1008 - Fallback Channels
  • T1071 - Application Layer Protocol
    • T1071.001 - Web Protocols
    • T1071.002 - File Transfer Protocols
    • T1071.003 - Mail Protocols
    • T1071.004 - DNS
    • T1071.005 - Publish/Subscribe Protocols
  • T1090 - Proxy
    • T1090.001 - Internal Proxy
    • T1090.002 - External Proxy
    • T1090.003 - Multi-hop Proxy
    • T1090.004 - Domain Fronting
  • T1092 - Communication Through Removable Media
  • T1095 - Non-Application Layer Protocol
  • T1102 - Web Service
    • T1102.001 - Dead Drop Resolver
    • T1102.002 - Bidirectional Communication
    • T1102.003 - One-Way Communication
  • T1104 - Multi-Stage Channels
  • T1105 - Ingress Tool Transfer
  • T1132 - Data Encoding
    • T1132.001 - Standard Encoding
    • T1132.002 - Non-Standard Encoding
  • T1205 - Traffic Signaling
    • T1205.001 - Port Knocking
    • T1205.002 - Socket Filters
  • T1219 - Remote Access Software
  • T1568 - Dynamic Resolution
    • T1568.001 - Fast Flux DNS
    • T1568.002 - Domain Generation Algorithms
    • T1568.003 - DNS Calculation
  • T1571 - Non-Standard Port
  • T1572 - Protocol Tunneling
  • T1573 - Encrypted Channel
    • T1573.001 - Symmetric Cryptography
    • T1573.002 - Asymmetric Cryptography
  • T1659 - Content Injection
  • T1665 - Hide Infrastructure
• Exfiltration
  • T1011 - Exfiltration Over Other Network Medium
    • T1011.001 - Exfiltration Over Bluetooth
  • T1020 - Automated Exfiltration
    • T1020.001 - Traffic Duplication
  • T1029 - Scheduled Transfer
  • T1030 - Data Transfer Size Limits
  • T1041 - Exfiltration Over C2 Channel
  • T1048 - Exfiltration Over Alternative Protocol
    • T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    • T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
    • T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
  • T1052 - Exfiltration Over Physical Medium
    • T1052.001 - Exfiltration over USB
  • T1537 - Transfer Data to Cloud Account
  • T1567 - Exfiltration Over Web Service
    • T1567.001 - Exfiltration to Code Repository
    • T1567.002 - Exfiltration to Cloud Storage
    • T1567.003 - Exfiltration to Text Storage Sites
    • T1567.004 - Exfiltration Over Webhook
• Impact
  • T1485 - Data Destruction
    • T1485.001 - Lifecycle-Triggered Deletion
  • T1486 - Data Encrypted for Impact
  • T1489 - Service Stop
  • T1490 - Inhibit System Recovery
  • T1491 - Defacement
    • T1491.001 - Internal Defacement
    • T1491.002 - External Defacement
  • T1495 - Firmware Corruption
  • T1496 - Resource Hijacking
    • T1496.001 - Compute Hijacking
    • T1496.002 - Bandwidth Hijacking
    • T1496.003 - SMS Pumping
    • T1496.004 - Cloud Service Hijacking
  • T1498 - Network Denial of Service
    • T1498.001 - Direct Network Flood
    • T1498.002 - Reflection Amplification
  • T1499 - Endpoint Denial of Service
    • T1499.001 - OS Exhaustion Flood
    • T1499.002 - Service Exhaustion Flood
    • T1499.003 - Application Exhaustion Flood
    • T1499.004 - Application or System Exploitation
  • T1529 - System Shutdown/Reboot
  • T1531 - Account Access Removal
  • T1561 - Disk Wipe
    • T1561.001 - Disk Content Wipe
    • T1561.002 - Disk Structure Wipe
  • T1565 - Data Manipulation
    • T1565.001 - Stored Data Manipulation
    • T1565.002 - Transmitted Data Manipulation
    • T1565.003 - Runtime Data Manipulation
  • T1657 - Financial Theft

Set rule logic

This page is really the heart of an analytic rule and will require the bulk of your time, taking care to get this right can really enhance your alerts information and ease investigations later.

Rule query

You will start by putting a query into the query editor, it's always a good idea to test the query to see if it returns any results. Note that if you are in the query editor and you make an adjustment to the query you need to rerun the query. This is to ensure the syntax of your KQL query is valid.

Alert enhancement

Your query simply gathers data, Sentinel does not know anything about the data it is receiving so we need to map a few things to our rule, you can do this under the Alert enhancement section.

Entity mapping

First you will want to map information from your query to a Sentinel Entity mapping. You will select an entity type, then select an identifier, this should be something very unique to identify the entity, each entity type has requirements for specific identifiers, you will see an error if you are not meeting those requirements. The entity property goes on the left and the query column goes on the right.

Entity types

• Sentinel Entities
• Account
• Host
• IP
• URL
• Azure Resource
• Cloud Application
• DNS Resolution
• File
• FileHash
• Malware
• Process
• Registry Key
• Security Group
• Mailbox
• Mail Cluster
• Mail Message
• Submission Mail

Custom details

Next you can give Custom details to your alert which is essentially a field on our alert. This is great for adding some information that isn't an entity to our alert.

Alert details

The last alert enhancement is Alert details. On the General page you set static values for name, description, severity and MITRE ATT&CK tactics. Not every alert for an analytic rule is necessarily the same severity or maybe you want to include some unique information in the description, this section allows you to do that.

You can add variables to the name or descriptions by giving the column name and added two sets of curly brackets around it like {{ UPN }}. For things like Severity you can adjust those in the dropdown and choose the column these should match too, if your query does not return a valid option for the field, it uses what was specified on the general page.

Query scheduling

Set how frequently your query runs and how far back it searches data here, form both fields you can specify anywhere between 5 minutes and 14 days. Think about the query you are running and what data it needs access to.

If you don't want the analytic rule to run until a certain date, you can set that up here as well.

Tip

If you have set up an alert rule in Log analytics, this section will look familiar to you but with one element missing. In Log analytics, the more frequently you ran the alert rule the higher the estimated monthly cost for the analytic rule was.

In Sentinel there is no cost difference between an analytic rule that runs every 5 minutes vs one that runs once a day. This is because at the time of ingestion in Sentinel you are paying for the analytics on the data upfront. This is also why data ingestion within Log analytics is almost half the price of data ingestion in Sentinel.

Alert threshold

Some alerts need to find repeated activity, or perhaps activity occurring less than it used to, you can specify those thresholds here.

Event grouping

Dependent on your query scheudling and the data being returned you may want to create an alert for each row in the query. If each match should be their own alert then you likely want to split the grouping up, again this is really dependent on what your analytic rule is looking for.

Suppression

You can stop your analytic rule from running for 5 minutes or up to 24 hours after returning some query results here.

Incident settings

On this page you can determine whether the alert you configured on the last page should create an incident. Additionally, you can choose how these alerts should be grouped into an incident. Like many settings this really depends on what the analytic rule is looking for, there are good reasons for using each grouping option available, those options are:

• Grouping the alerts with the same entity into the same incident
• Grouping all alerts for the set time frame into a single incident regardless of the entity
• Grouping alerts with more refined entity details into an incident

Lastly, if the incident has been closed out, but a new match is found during our grouping time frame the incident can optionally be reopened.

Automated response

Configure automations for specifically this analytic rule, I have full details on the Automations page.

Review + create

Finally, like all Azure resources you get the review and create page with a summary of all of our selections, if there are any issues the validation should create a warning and add a red on the page with the error.

Notes

It can be fairly tedious adding these, here is a great article for adding rules from templates in bulk.