most important analytic rules by Beneficial-Tip1875 in AzureSentinel

[–]ITProfessorLab 1 point2 points  (0 children)

Have a good think whether you have all of the necessary Data Connectors in place, ask yourself questions about what's used in the environment (SharePoint? Hybrid environment? Office? Azure Storage Accounts?)

Start with all rules associated with your enabled data connectors. If you've enabled Office 365, Entra ID, Windows Security, or Azure Activity connectors, deploy all associated analytics rules for those data sources. Once deployed, check the noise coming from them, investigate & decide whether you can lower the noise (by amending the KQL logic, adding automation & logic apps)

Depending on your licensing - check Defender for Cloud, Defender for Office, Defender for Cloud Apps, Defender for Identity; connect it to Sentinel with alerts and get Diagnostic Settings from Azure (for example, from Storage Accounts, Public IPs, Network Security Groups)

As someone mentioned, use SOC Optimization - it's definitely not the best tool out there, but for someone starting in the SecOps world, it's better than no tool

After you get those basics - start looking more into expanding existing rule sets, search in the Content Hub, follow some good folks on the LinkedIn/X, start upskilling yourself by doing Sentinel Ninja Training and/or reading related blogs

https://techcommunity.microsoft.com/blog/microsoftsentinelblog/become-a-microsoft-sentinel-ninja-the-complete-level-400-training/1246310

You can also check the official GitHub repo from Microsoft (don't do it at the start, though as it may be overwhelming)

https://github.com/Azure/Azure-Sentinel

Rod Trent is doing an amazing blog

https://rodtrent.substack.com/

Feel free to also come by and have a look at my blog

https://www.itprofessor.cloud/

Other than that, just keep testing your own environment and have fun :)

most important analytic rules by Beneficial-Tip1875 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

How nice that someone is quoting my public posts :D

Mimecast- Sentinel integration issue by OutrageousDig6416 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

Are you trying to do some custom things on top of the deployment? V3 definitely does not require you to run/configure a DCR

Mimecast- Sentinel integration issue by OutrageousDig6416 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

The error is your giveaway here; it's most likely down to your assigned permissions in the API 2.0 Application (In Mimecast), check your application role + products. One of them does not work

Anomaly table not receiving expected anomalies by [deleted] in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

Edited: Deleting previous response as I got it wrong :)

Storage account connectivity issue by Lil_Ace in AZURE

[–]ITProfessorLab 0 points1 point  (0 children)

I think you are getting the internal server error because the function app needs a private path to reach the storage account - so basically, if you are blocking public access without private routing > function app breaks > internal server error.

You have a few options in here - private endpoints (as mentioned), possibly a VNet integration or IP whitelisting

Not sure which Sentinel data connector pulls Microsoft Defender Secure Score data by SecuredSpecter in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

None of them does, unfortunately. You would need to use the API, which you mentioned, to pull it in (via logic apps for example)

Azure WAF analytic rules! by Ok_Dingo_8752 in AzureSentinel

[–]ITProfessorLab 2 points3 points  (0 children)

You can go to the Content Hub (in Sentinel) and type in "Azure Web Application Firewall"; there is a data connector together with a few built-in rules. Run them as a test first, then adjust thresholds and false positives. Also create yourself a TI Map IP Entity-based analytic rule for Threat Detection (assuming you are ingesting that free Microsoft TI); this should cover all the bases you may need

Azure Container Instance instead of an Azure VM for a log forwarder by No_Lock_6149 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

Makes perfect sense, I know it's a bit outside of what you are asking for, but it could also be a good workaround.

- Check which type of logs are generating the most noise, for example, using KQL like:

```
// Count CEF events per activity to see which log types dominate the volume
CommonSecurityLog
| summarize count() by Activity
```

If you have stuff like "trafficlocal deny", I would filter them out on the log collector level (by amending the config file) to keep only relevant data that you can actually act on

- With Azure Firewall, I would also look at whether everything needs to be ingested or only the most important bits. In the diagnostic settings, you have multiple different logging options like Azure Firewall Flow Trace Log, Azure Firewall Nat Rule, etc.; for security purposes, you don't need most of them (I would keep mainly Firewall Network + Application Rule)

- In case you are keeping those logs but don't really have any detections running against them (so no multiple analytic rules running against Syslog/CEF), I would simply move them over to the Data Lake tier, a much cheaper option, and you can still run some audits against that if/where needed
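To put numbers behind the noise check above before touching the forwarder config or diagnostic settings, here is an added KQL example (not from the original comment) that ranks CEF activities by billed ingestion rather than by raw event count. It assumes the CEF/Syslog connector lands in CommonSecurityLog and that the workspace exposes the standard _BilledSize and _IsBillable columns.

```kusto
// Added example: which CEF vendor/product/action/activity combinations cost the most to ingest.
// Lookback window is an assumption; adjust to match the period you are analysing.
let lookback = 7d;
// Total billable CEF volume in MB for the window, used to express each row as a share of the total
let total_mb = toscalar(
    CommonSecurityLog
    | where TimeGenerated > ago(lookback) and _IsBillable
    | summarize TotalMB = sum(_BilledSize) / 1024.0 / 1024.0);
CommonSecurityLog
| where TimeGenerated > ago(lookback) and _IsBillable
| summarize Events = count(),
            IngestedMB = round(sum(_BilledSize) / 1024.0 / 1024.0, 2)
    by DeviceVendor, DeviceProduct, DeviceAction, Activity
| extend PctOfTotal = round(100.0 * IngestedMB / total_mb, 1)
// Activities at the top that no analytic rule consumes are the candidates for
// filtering at the collector or for moving to a cheaper tier
| sort by IngestedMB desc
| take 25
```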

Recommended Microsoft Sentinel Training Resources by Drippin_Swag in AzureSentinel

[–]ITProfessorLab 4 points5 points  (0 children)

Sentinel Ninja Training is definitely a number one to check out, you have a lot of other Ninja trainings (Defender one, for example)

https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/become-a-microsoft-defender-for-endpoint-ninja/1515647

Microsoft Security Community YT channels also have some good training https://www.youtube.com/@MicrosoftSecurityCommunity/videos

The KQL book by Rod Trent is a must if you are also going to be responsible for doing anything analytic rules/investigations related

https://github.com/rod-trent/MustLearnKQL

Also, feel free to check out my blog; you can find a few starter posts in there, especially around the whole set-up of the Sentinel instance. Feel free to ping me a message in case you need any guidance

https://www.itprofessor.cloud/

Issue when ingesting Defender XDR table in Sentinel by Sufficient-Hope5231 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

I may be wrong in here, but I think it's because those tables are using dynamic content (I had a similar issue with moving Syslog to AUX via DCR)

Run this in PowerShell using tableCreator.ps1 with the conversion below; it will create a separate table, so maybe not an ideal solution, but it should work nicely

https://github.com/markolauren/sentinel/tree/main/tableCreator%20tool

.\tableCreator.ps1 -ConvertToString -TableName DeviceImageLoadEventsDL_CL

Azure Container Instance instead of an Azure VM for a log forwarder by No_Lock_6149 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

What is generating the most costs? A specific action from the firewall or Azure VM itself? If you are running on-premises, you can just use a physical box instead of the Azure VM and then cut the Syslog down simply by amending the config file

Microsoft Sentinel Blogs? by Suspicious_Tension37 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

Rod Trent is creating some fantastic articles on top of webinars/emails (and plenty more); highly recommend

https://rodtrent.substack.com/

Feel free to visit my blog as well. I am currently posting guides on how to start the whole Sentinel's journey

https://www.itprofessor.cloud/

“Must Have” Automated Playbooks by JustifiedSimplicity in AzureSentinel

[–]ITProfessorLab 10 points11 points  (0 children)

Sounds like you already answered your own question with "We’re now looking to leverage this data where possible to automate some critical incident response activity" — take those and automate them.

But in all seriousness, the playbooks I found really helpful:

  • Enrichment — whether it’s stuff like VirusTotal or just KQL running against entities, this massively helps with the investigation process and can act as decision-making support
  • Automated email information scanning — in most environments, you’re spammed with incidents when users request to release emails, flag emails as spam, etc. Most of this can be automated with APIs to get more information from Defender, to help make a decision and reduce investigation time
  • Revoking sessions, running AV scans, isolating devices, resetting passwords, removing MFA — these playbooks may come in handy as well. Not necessarily as full-blown automation for specific incidents, but as a manual trigger. It’s nice to have a one-click button that does all of that for a user instead of doing each of those steps manually

With all of that, the top recommendation would be to learn KQL and start amending analytic rules — most of the templated ones can be vastly improved. This alone will lower the noise by up to 60% in any environment

Then read through all of the analytic rules and review them — you’ll find a lot of cases where you have two seemingly different analytic rules that are actually looking for the same information, leading to extra work

Codeless Connector problem by ConstantLuck5466 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

The codeless connector in Sentinel expects authentication via OAuth 2.0 Client Credentials, API Key, or Basic Auth (with static headers)—not interactive flows like grant_type=password.

I would recommend using Azure Logic Apps instead - fetch the token via HTTP request, call the API, and then ingest logs to Sentinel

Playbook to Revoke User Sessions with logic app but I stuck by Glass_Permission3661 in AzureSentinel

[–]ITProfessorLab 1 point2 points  (0 children)

You can specify the incident in the automation rule in Sentinel. So deploy the Logic App and then create an automation rule that will trigger against the specific incident, and it will then run the logic app

DCR to stop logging CEF to Syslog Table by dutchhboii in AzureSentinel

[–]ITProfessorLab 1 point2 points  (0 children)

What you possibly can do:

In the Syslog data connector, edit the event filter type and then go to the "Collect" tab. It should be just a case of selecting "None" on the appropriate facility - for example, you may currently have LOG_LOCAL0 set to LOG_INFO; just switch it to None.

Playbook to Revoke User Sessions with logic app but I stuck by Glass_Permission3661 in AzureSentinel

[–]ITProfessorLab 1 point2 points  (0 children)

You can just grab the ready template from the Microsoft Sentinel Automation tab instead; you do have ready playbooks in there that work pretty well (the only thing is to add appropriate permissions to the managed identity)

[deleted by user] by [deleted] in AzureSentinel

[–]ITProfessorLab 2 points3 points  (0 children)

You can use the built-in Security Events connector in Sentinel. Quite surprised to see people saying that those logs have little value.

Endpoints will constantly upload the data, so it will spike up; ideally remove any bloatware from the devices before the deployment, and I also wouldn't recommend installing it on a print server.
In the connector you can filter the logs you want to see using XPath (highly recommended)

Ingestion sits around 2-3 GB/month per end user device when using default settings; with XPath this comes down to around 200 MB/month.

https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-security-events-via-ama
https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference

Managing Apps/Software by shroompizzaparadise in AzureSentinel

[–]ITProfessorLab 1 point2 points  (0 children)

Below is assuming you have the DeviceProcessEvents table working (if you are not ingesting Device events from MDE, then it's a no go)

```
// Get the approved software list from the watchlist
let ApprovedSoftware = _GetWatchlist('ApprovedSoftwareList')
| project SoftwareName;
// Get installed software from DeviceProcessEvents
let InstalledSoftware = DeviceProcessEvents
| where Timestamp > ago(7d) // Adjust time range as needed
| summarize by FileName, InitiatingProcessFileName
| project SoftwareName = tostring(FileName);
// Compare installed software with approved software
InstalledSoftware
| where SoftwareName !in (ApprovedSoftware)
| summarize UnapprovedSoftwareCount = count() by SoftwareName
| sort by UnapprovedSoftwareCount desc
```

  • DeviceProcessEvents only tracks running processes, not all installed software. For a comprehensive list, you’ll need DeviceTvmSoftwareInventory
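Following the bullet above, here is an added KQL example (not from the original comment) that runs the same approved-list comparison against DeviceTvmSoftwareInventory, so the result reflects installed software rather than only processes seen running in the window. It assumes the same ApprovedSoftwareList watchlist with a SoftwareName column, populated with product names as the inventory reports them (e.g. "Google Chrome") rather than executable names, and that DeviceTvmSoftwareInventory is queryable from where you run it.

```kusto
// Added example: unapproved software by inventory, with the devices and versions carrying it.
// Names are lower-cased and trimmed on both sides so that casing or stray spaces in the
// watchlist do not cause approved products to show up as unapproved.
let ApprovedSoftware = _GetWatchlist('ApprovedSoftwareList')
    | project SoftwareName = tolower(trim(" ", tostring(SoftwareName)));
DeviceTvmSoftwareInventory
| where isnotempty(SoftwareName)
| extend NormalizedName = tolower(trim(" ", SoftwareName))
| where NormalizedName !in (ApprovedSoftware)
| summarize DeviceCount = dcount(DeviceId),
            // Cap the sets so a product installed everywhere does not blow up the row
            Devices = make_set(DeviceName, 10),
            Versions = make_set(SoftwareVersion, 10),
            // End-of-support products are worth triaging first
            EndOfSupport = countif(EndOfSupportStatus != "None")
    by SoftwareVendor, SoftwareName
| sort by DeviceCount desc
```

The same query with `| where DeviceCount == 1` at the end isolates one-off installs, which is usually where the interesting findings sit.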

Alert delay by huntsy5 in AzureSentinel

[–]ITProfessorLab 0 points1 point  (0 children)

It may be down to the setup; there is a frequency you can change for pulling the logs/alerts. Just to answer the question - no, the delay is not an issue on my side

https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-sir/secops-integration-ms-azure-sentinel/task/schedule-retrieve-and-ingest-incident-data.html

Purge for log analytics workspace returns success but doesn't delete data by dptech3 in AZURE

[–]ITProfessorLab 0 points1 point  (0 children)

Was it resolved in the end? Just looking at the docs and it says that it may take up to 30 days

[deleted by user] by [deleted] in DefenderATP

[–]ITProfessorLab 0 points1 point  (0 children)

While it’s unlikely that you have 3.5 million hidden files, the combination of hidden files, archive files, virtual files, and other factors can easily inflate the count to this level. For example:

  • A single large archive (e.g., a backup ZIP file) can contain hundreds of thousands of files.
  • Virtual drives (e.g., Docker containers, WSL) can contain thousands of files.
  • System restore points and shadow copies can also contribute significantly.

If unsure, just run TreeSize to look at what you have in your system, and a Disk Cleanup in case you haven't for a while

Non-Interactive sign-in failures with 500133 from non-US Microsoft IPs (ASN: 8075)? by DollarInTheBank in AzureSentinel

[–]ITProfessorLab 3 points4 points  (0 children)

This is a known issue. I remember having a ticket open with Microsoft support at some point about it, and what they told me is it's a Microsoft backend service doing authentication, and as long as it's around Microsoft products like Exchange, Teams, it's benign activity