Tutorial: Detect threats by using analytics rules in Microsoft Sentinel

As a Security Information and Event Management (SIEM) service, Microsoft Sentinel is responsible for detecting security threats to your organization. It does this by analyzing the massive volumes of data generated by all of your systems' logs.

In this tutorial, you'll learn how to set up a Microsoft Sentinel analytics rule from a template to search for exploits of the Apache Log4j vulnerability across your environment. The rule will frame user accounts and IP addresses found in your logs as trackable entities, surface notable pieces of information in the alerts generated by the rules, and package alerts as incidents to be investigated.

When you complete this tutorial, you'll be able to:

  • Create an analytics rule from a template
  • Customize a rule's query and settings
  • Configure the three types of alert enrichment
  • Choose automated threat responses for your rules

Prerequisites

To complete this tutorial, make sure you have:

  • An Azure subscription. Create a free account if you don't already have one.

  • A Log Analytics workspace with the Microsoft Sentinel solution deployed on it and data being ingested into it.

  • An Azure user with the Microsoft Sentinel Contributor role assigned on the Log Analytics workspace where Microsoft Sentinel is deployed.

  • The following data sources are referenced in this rule. The more of these you have deployed connectors for, the more effective the rule will be. You must have at least one.

    Data source                      Log Analytics tables referenced
    Office 365                       OfficeActivity (SharePoint), OfficeActivity (Exchange), OfficeActivity (Teams)
    DNS                              DnsEvents
    Azure Monitor (VM Insights)      VMConnection
    Cisco ASA                        CommonSecurityLog (Cisco)
    Palo Alto Networks (Firewall)    CommonSecurityLog (PaloAlto)
    Security Events                  SecurityEvents
    Microsoft Entra ID               SigninLogs, AADNonInteractiveUserSignInLogs
    Azure Monitor (WireData)         WireData
    Azure Monitor (IIS)              W3CIISLog
    Azure Activity                   AzureActivity
    Amazon Web Services              AWSCloudTrail
    Microsoft Defender XDR           DeviceNetworkEvents
    Azure Firewall                   AzureDiagnostics (Azure Firewall)

Sign in to the Azure portal and Microsoft Sentinel

  1. Sign in to the Azure portal.

  2. From the Search bar, search for and select Microsoft Sentinel.

  3. Search for and select your workspace from the list of available Microsoft Sentinel workspaces.

Install a solution from the content hub

  1. In Microsoft Sentinel, on the left-hand side menu under Content management, select Content hub.

  2. Search for and select the solution Log4j Vulnerability Detection.

  3. From the toolbar at the top of the page, select Install/Update.

Create a scheduled analytics rule from a template

  1. In Microsoft Sentinel, on the left-hand side menu under Configuration, select Analytics.

  2. From the Analytics page, select the Rule templates tab.

  3. In the search field at the top of the list of rule templates, enter log4j.

  4. From the filtered list of templates, select Log4j vulnerability exploit aka Log4Shell IP IOC. From the details pane, select Create rule.

    Screenshot showing how to search for and locate template and create analytics rule.

    The Analytics rule wizard will open.

  5. In the General tab, in the Name field, enter Log4j vulnerability exploit aka Log4Shell IP IOC - Tutorial-1.

  6. Leave the rest of the fields on this page as they are. These are the defaults, but we will add customization to the alert name at a later stage.

    If you don't want the rule to run immediately, select Disabled. The rule is then added to your Active rules tab, and you can enable it from there when you need it.

  7. Select Next : Set rule logic.

    Screenshot of the General tab of the Analytics rule wizard.

Review rule query logic and configuration of settings

  • In the Set rule logic tab, review the query as it appears under the Rule query heading.

    To see more of the query text at one time, select the diagonal double-arrow icon at the upper right corner of the query window to expand the window to a larger size.

    Screenshot of the Set rule logic tab of the Analytics rule wizard.

Enrich alerts with entities and other details

  1. Under Alert enrichment, keep the Entity mapping settings as they are. Note the three mapped entities.

    Screenshot of existing entity mapping settings.

  2. In the Custom details section, let's add the timestamp of each occurrence to the alert, so you can see it right in the alert details, without having to drill down.

    1. Type timestamp in the Key field. This will be the property name in the alert.
    2. Select timestamp from the Value drop-down list.
  3. In the Alert details section, let's customize the alert name so that the timestamp of each occurrence appears in the alert title.

    In the Alert name format field, enter Log4j vulnerability exploit aka Log4Shell IP IOC at {{timestamp}}.

    Screenshot of custom details and alert details configurations.

Review remaining settings

  1. Review the remaining settings on the Set rule logic tab. There's no need to change anything, though you can if you'd like to change the interval, for example. Just make sure that the lookback period matches the interval in order to maintain continuous coverage.

    • Query scheduling:

      • Run query every 1 hour.
      • Lookup data from the last 1 hour.
    • Alert threshold:

      • Generate alert when number of query results is greater than 0.
    • Event grouping:

      • Configure how rule query results are grouped into alerts: Group all events into a single alert.
    • Suppression:

      • Stop running query after alert is generated: Off.

    Screenshot of remaining rule logic settings for analytics rule.

  2. Select Next : Incident settings.

Review the incident creation settings

  1. Review the settings on the Incident settings tab. There's no need to change anything, unless, for example, you have a different system for incident creation and management, in which case you'd want to disable incident creation.

    • Incident settings:

      • Create incidents from alerts triggered by this analytics rule: Enabled.
    • Alert grouping:

      • Group related alerts, triggered by this analytics rule, into incidents: Disabled.

    Screenshot of the Incident settings tab of the Analytics rule wizard.

  2. Select Next : Automated response.
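The General, Set rule logic, Alert enrichment and Incident settings choices made in the wizard above, expressed as Bicep so the rule can be kept in version control. This is an added example, not the tutorial's or the Log4j solution's own code; it assumes an existing workspace named by the parameter, and its query is an illustrative IOC match over two of the listed tables against constructed TEST-NET addresses, not the template's actual query (which maps three entities).

```bicep
// Added example (not from the tutorial or the Log4j solution): the scheduled rule
// built in the wizard, as Bicep. Assumed: an existing workspace named by the
// parameter; the query is illustrative, not the template's own query.
param workspaceName string

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource log4jRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  name: guid(workspace.id, 'log4j-ip-ioc-tutorial-1')   // analytics rule IDs are GUIDs
  scope: workspace
  kind: 'Scheduled'
  properties: {
    displayName: 'Log4j vulnerability exploit aka Log4Shell IP IOC - Tutorial-1'
    enabled: true        // false corresponds to the wizard's "Disabled" option
    severity: 'High'     // assumed; the tutorial keeps the template's default
    query: '''
      let iocIps = dynamic(["203.0.113.10", "198.51.100.7"]); // constructed sample IOCs (TEST-NET)
      union isfuzzy=true
        (SigninLogs | where IPAddress in (iocIps)
          | project timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName),
        (AzureActivity | where CallerIpAddress in (iocIps)
          | project timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller)
    '''
    // Query scheduling: run every hour over the last hour; equal values keep coverage continuous
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'   // Alert threshold: results greater than 0
    triggerThreshold: 0
    suppressionEnabled: false        // Suppression: off (duration is still a required field)
    suppressionDuration: 'PT1H'
    eventGroupingSettings: { aggregationKind: 'SingleAlert' }   // Event grouping: single alert
    // Incident settings: create incidents, alert grouping disabled
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: { enabled: false, reopenClosedIncident: false, lookbackDuration: 'PT5H', matchingMethod: 'AllEntities' }
    }
    // Alert enrichment: entity mapping, custom details, alert name format
    entityMappings: [
      { entityType: 'IP', fieldMappings: [ { identifier: 'Address', columnName: 'IPCustomEntity' } ] }
      { entityType: 'Account', fieldMappings: [ { identifier: 'FullName', columnName: 'AccountCustomEntity' } ] }
    ]
    customDetails: { timestamp: 'timestamp' }   // Key "timestamp" -> query column "timestamp"
    alertDetailsOverride: { alertDisplayNameFormat: 'Log4j vulnerability exploit aka Log4Shell IP IOC at {{timestamp}}' }
  }
}
```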

Set automated responses and create the rule

In the Automated response tab:

  1. Select + Add new to create a new automation rule for this analytics rule. This will open the Create new automation rule wizard.

    Screenshot of Automated response tab in Analytics rule wizard.

  2. In the Automation rule name field, enter Log4J vulnerability exploit detection - Tutorial-1.

  3. Leave the Trigger and Conditions sections as they are.

  4. Under Actions, select Add tags from the drop-down list.

    1. Select + Add tag.
    2. Enter Log4J exploit in the text box and select OK.
  5. Leave the Rule expiration and Order sections as they are.

  6. Select Apply. You'll soon see your new automation rule in the list in the Automated response tab.

  7. Select Next : Review to review all the settings for your new analytics rule. When the "Validation passed" message appears, select Create. Unless you set the rule to Disabled in the General tab above, the rule will run immediately.


    Screenshot of the Review and Create tab of the Analytics rule wizard.
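The automation rule created in steps 1 to 6 above, as Bicep. This is an added example, not the tutorial's own code; it assumes the workspace name and the resource ID of the analytics rule created earlier are supplied as parameters.

```bicep
// Added example (not from the tutorial): the automation rule from the Automated
// response tab, as Bicep. Assumed: workspace name and the analytics rule's resource
// ID are passed in as parameters.
param workspaceName string
param analyticsRuleId string   // resource ID of the scheduled rule this automation applies to

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource tagLog4jIncidents 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  name: guid(workspace.id, 'log4j-tag-tutorial-1')
  scope: workspace
  properties: {
    displayName: 'Log4J vulnerability exploit detection - Tutorial-1'
    order: 1                        // Order section left at its default
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'       // Trigger: when an incident is created ...
      triggersWhen: 'Created'
      conditions: [                 // Conditions: ... by this analytics rule
        {
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentRelatedAnalyticRuleIds'
            operator: 'Contains'
            propertyValues: [ analyticsRuleId ]
          }
        }
      ]
      // no expirationTimeUtc: Rule expiration section left at its default
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'   // Actions: Add tags
        actionConfiguration: { labels: [ { labelName: 'Log4J exploit' } ] }
      }
    ]
  }
}
```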

Verify the success of the rule

  1. To view the results of the alert rules you create, go to the Incidents page.

  2. To filter the list of incidents to those generated by your analytics rule, enter the name (or part of the name) of the analytics rule you created in the Search bar.

  3. Open an incident whose title matches the name of the analytics rule. See that the tag you defined in the automation rule was applied to the incident.

Clean up resources

If you're not going to continue to use this analytics rule, delete (or at least disable) the analytics and automation rules you created with the following steps:

  1. In the Analytics page, select the Active rules tab.

  2. Enter the name (or part of the name) of the analytics rule you created in the Search bar.
    (If it doesn't show up, make sure any filters are set to Select all.)

  3. Mark the check box next to your rule in the list, and select Delete from the top banner.
    (If you don't want to delete it, you can select Disable instead.)

  4. In the Automation page, select the Automation rules tab.

  5. Enter the name (or part of the name) of the automation rule you created in the Search bar.
    (If it doesn't show up, make sure any filters are set to Select all.)

  6. Mark the check box next to your automation rule in the list, and select Delete from the top banner.
    (If you don't want to delete it, you can select Disable instead.)

Next steps

Now that you've learned how to search for exploits of a common vulnerability using analytics rules, learn more about what you can do with analytics in Microsoft Sentinel: