Create scheduled analytics rules from templates

By far the most common type of analytics rule, Scheduled rules are based on Kusto queries that are configured to run at regular intervals and examine raw data from a defined "lookback" period. These queries can perform complex statistical operations on their target data, revealing baselines and outliers in groups of events. If the number of results captured by the query passes the threshold configured in the rule, the rule produces an alert.

Microsoft makes a vast array of analytics rule templates available to you through the many solutions provided in the Content hub, and strongly encourages you to use them to create your rules. The queries in scheduled rule templates are written by security and data science experts, either from Microsoft or from the vendor of the solution providing the template.

This article shows you how to create a scheduled analytics rule using a template.

Important

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

View existing analytics rules

To view the installed analytics rules in Microsoft Sentinel, go to the Analytics page. The Rule templates tab displays all the installed rule templates. To find more rule templates, go to the Content hub in Microsoft Sentinel to install the related product solutions or standalone content.

  1. From the Configuration section of the Microsoft Sentinel navigation menu, select Analytics.

  2. On the Analytics screen, select the Rule templates tab.

  3. If you want to filter the list for Scheduled templates:

    1. Select Add filter and choose Rule type from the list of filters.

    2. From the resulting list, select Scheduled. Then select Apply.

    Screenshot of scheduled analytics rule templates in Microsoft Azure portal.

Create a rule from a template

This procedure describes how to create an analytics rule from a template.

From the Configuration section of the Microsoft Sentinel navigation menu, select Analytics.

  1. On the Analytics screen, select the Rule templates tab.

  2. Select a template name, and then select the Create rule button on the details pane to create a new active rule based on that template.

    Each template has a list of required data sources. When you open the template, the data sources are automatically checked for availability. If a data source isn't enabled, the Create rule button may be disabled, or you might see a message to that effect.

    Screenshot of analytics rule preview panel.

  3. The rule creation wizard opens. All the details are autofilled.

  4. Cycle through the tabs of the wizard, customizing the logic and other rule settings where possible to better suit your specific needs.

    When you get to the end of the rule creation wizard, Microsoft Sentinel creates the rule. The new rule appears in the Active rules tab.

    Repeat the process to create more rules. For more details on how to customize your rules in the rule creation wizard, see Create a custom analytics rule from scratch.

Tip

  • Make sure that you enable all rules associated with your connected data sources in order to ensure full security coverage for your environment. The most efficient way to enable analytics rules is directly from the data connector page, which lists any related rules. For more information, see Connect data sources.

  • You can also push rules to Microsoft Sentinel via API and PowerShell, although doing so requires additional effort.

    When using API or PowerShell, you must first export the rules to JSON before enabling the rules. API or PowerShell may be helpful when enabling rules in multiple instances of Microsoft Sentinel with identical settings in each instance.

Next steps

In this document, you learned how to create scheduled analytics rules from templates in Microsoft Sentinel.