Edit

Detect threats out-of-the-box

  • Article
  • 6 minutes to read

After you've connected your data sources to Microsoft Sentinel, you'll want to be notified when something suspicious occurs. That's why Microsoft Sentinel provides out-of-the-box, built-in templates to help you create threat detection rules.

Rule templates were designed by Microsoft's team of security experts and analysts based on known threats, common attack vectors, and suspicious activity escalation chains. Rules created from these templates will automatically search across your environment for any activity that looks suspicious. Many of the templates can be customized to search for activities, or filter them out, according to your needs. The alerts generated by these rules will create incidents that you can assign and investigate in your environment.

This article helps you understand how to detect threats with Microsoft Sentinel:

  • Use out-of-the-box threat detections
  • Automate threat responses

View built-in detections

To view all analytics rules and detections in Microsoft Sentinel, go to Analytics > Rule templates. This tab contains all the Microsoft Sentinel built-in rules, as well as the Threat Intelligence rule type.

Screenshot shows built-in detection rules to find threats with Microsoft Sentinel.

Built-in detections include:

Rule type Description
Microsoft security Microsoft security templates automatically create Microsoft Sentinel incidents from the alerts generated in other Microsoft security solutions, in real time. You can use Microsoft security rules as a template to create new rules with similar logic.

For more information about security rules, see Automatically create incidents from Microsoft security alerts.
Fusion
(some detections in Preview)		 Microsoft Sentinel uses the Fusion correlation engine, with its scalable machine learning algorithms, to detect advanced multistage attacks by correlating many low-fidelity alerts and events across multiple products into high-fidelity and actionable incidents. Fusion is enabled by default. Because the logic is hidden and therefore not customizable, you can only create one rule with this template.

The Fusion engine can also correlate alerts produced by scheduled analytics rules with those from other systems, producing high-fidelity incidents as a result.
Machine learning (ML) behavioral analytics ML behavioral analytics templates are based on proprietary Microsoft machine learning algorithms, so you cannot see the internal logic of how they work and when they run.

Because the logic is hidden and therefore not customizable, you can only create one rule with each template of this type.
Threat Intelligence Take advantage of threat intelligence produced by Microsoft to generate high fidelity alerts and incidents with the Microsoft Threat Intelligence Analytics rule. This unique rule is not customizable, but when enabled, will automatically match Common Event Format (CEF) logs, Syslog data or Windows DNS events with domain, IP and URL threat indicators from Microsoft Threat Intelligence. Certain indicators will contain additional context information through MDTI (Microsoft Defender Threat Intelligence).

For more information on how to enable this rule, see Use matching analytics to detect threats.
For more details on MDTI, see What is Microsoft Defender Threat Intelligence
Anomaly Anomaly rule templates use machine learning to detect specific types of anomalous behavior. Each rule has its own unique parameters and thresholds, appropriate to the behavior being analyzed.

While the configurations of out-of-the-box rules can't be changed or fine-tuned, you can duplicate a rule and then change and fine-tune the duplicate. In such cases, run the duplicate in Flighting mode and the original concurrently in Production mode. Then compare results, and switch the duplicate to Production if and when its fine-tuning is to your liking.

For more information, see Use customizable anomalies to detect threats in Microsoft Sentinel and Work with anomaly detection analytics rules in Microsoft Sentinel.
Scheduled Scheduled analytics rules are based on built-in queries written by Microsoft security experts. You can see the query logic and make changes to it. You can use the scheduled rules template and customize the query logic and scheduling settings to create new rules.

Several new scheduled analytics rule templates produce alerts that are correlated by the Fusion engine with alerts from other systems to produce high-fidelity incidents. For more information, see Advanced multistage attack detection.

Tip: Rule scheduling options include configuring the rule to run every specified number of minutes, hours, or days, with the clock starting when you enable the rule.

We recommend being mindful of when you enable a new or edited analytics rule to ensure that the rules will get the new stack of incidents in time. For example, you might want to run a rule in synch with when your SOC analysts begin their workday, and enable the rules then.
Near-real-time (NRT)
(Preview)		 NRT rules are limited set of scheduled rules, designed to run once every minute, in order to supply you with information as up-to-the-minute as possible.

They function mostly like scheduled rules and are configured similarly, with some limitations. For more information, see Detect threats quickly with near-real-time (NRT) analytics rules in Microsoft Sentinel.

Important

The rule templates so indicated above are currently in PREVIEW, as are some of the Fusion detection templates (see Advanced multistage attack detection in Microsoft Sentinel to see which ones). See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Use built-in analytics rules

This procedure describes how to use built-in analytics rules templates.

To use built-in analytics rules:

  1. In the Microsoft Sentinel > Analytics > Rule templates page, select a template name, and then select the Create rule button on the details pane to create a new active rule based on that template.

    Each template has a list of required data sources. When you open the template, the data sources are automatically checked for availability. If there is an availability issue, the Create rule button may be disabled, or you may see a warning to that effect.

    Detection rule preview panel

  2. Selecting Create rule opens the rule creation wizard based on the selected template. All the details are autofilled, and with the Scheduled or Microsoft security templates, you can customize the logic and other rule settings to better suit your specific needs. You can repeat this process to create additional rules based on the built-in template. After following the steps in the rule creation wizard to the end, you will have finished creating a rule based on the template. The new rules will appear in the Active rules tab.

    For more details on how to customize your rules in the rule creation wizard, see Create custom analytics rules to detect threats.

Tip

  • Make sure that you enable all rules associated with your connected data sources in order to ensure full security coverage for your environment. The most efficient way to enable analytics rules is directly from the data connector page, which lists any related rules. For more information, see Connect data sources.

  • You can also push rules to Microsoft Sentinel via API and PowerShell, although doing so requires additional effort.

    When using API or PowerShell, you must first export the rules to JSON before enabling the rules. API or PowerShell may be helpful when enabling rules in multiple instances of Microsoft Sentinel with identical settings in each instance.

Export rules to an ARM template

You can easily export your rule to an Azure Resource Manager (ARM) template if you want to manage and deploy your rules as code. You can also import rules from template files in order to view and edit them in the user interface.

Next steps