Creating Custom Analytics Rules and Investigating Incidents in Microsoft Sentinel
Learn how to create custom analytics rules in Microsoft Sentinel, map entities to enrich alerts, and investigate incidents generated from suspicious activities.

Lab Overview
Custom analytics rules in Microsoft Sentinel enable you to define specific criteria for detecting malicious activities based on your unique security needs. These rules allow you to identify and mitigate advanced threats that may not be covered by built-in analytics. Additionally, Sentinel provides robust incident management capabilities that consolidate alerts into incidents, streamlining the investigation and response process.
In this lab, you will learn to create a custom scheduled query rule to detect suspicious inbox rule creation activities, leveraging the OfficeActivity_CL custom log table. You will then explore the incident generated by the rule, reviewing mapped entities and related data to understand how Sentinel aids in threat detection and investigation.
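An added example of the kind of KQL a scheduled rule like the one described above might run (not the lab's own query); it assumes OfficeActivity_CL exposes type-suffixed columns Operation_s, Parameters_s, UserId_s and ClientIP_s, and that Parameters_s carries the JSON array of rule parameters found in Exchange audit records:

```kql
// Added example, not the lab's query. Column names are assumptions: custom log
// tables receive type-suffixed columns (_s for strings), so adjust to your schema.
let lookback = 1h;                       // match the rule's query frequency/lookback
let rule_ops = dynamic(["New-InboxRule", "Set-InboxRule"]);
OfficeActivity_CL
| where TimeGenerated >= ago(lookback)
| where Operation_s in (rule_ops)
// Parameters_s is a JSON array of {Name, Value}; flatten it into one bag per event
| extend Params = parse_json(Parameters_s)
| mv-apply p = Params on (
    summarize ParamMap = make_bag(bag_pack(tostring(p.Name), tostring(p.Value)))
  )
| extend RuleName = tostring(ParamMap.Name),
         ForwardTo = tostring(ParamMap.ForwardTo),
         ForwardAsAttachmentTo = tostring(ParamMap.ForwardAsAttachmentTo),
         RedirectTo = tostring(ParamMap.RedirectTo),
         DeleteMessage = tostring(ParamMap.DeleteMessage),
         MoveToFolder = tostring(ParamMap.MoveToFolder)
// Flag rules that exfiltrate mail or hide it from the mailbox owner
| where isnotempty(ForwardTo) or isnotempty(ForwardAsAttachmentTo) or isnotempty(RedirectTo)
     or DeleteMessage =~ "True"
     or MoveToFolder in~ ("RSS Feeds", "RSS Subscriptions", "Archive", "Junk Email")
// Projected columns feed the rule's dynamic alert title (e.g. RuleName, UserId_s)
// and its entity mapping (Account -> UserId_s, IP -> ClientIP_s)
| project TimeGenerated, UserId_s, ClientIP_s, Operation_s, RuleName,
          ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
```

Tune the folder list and lookback to your tenant; legitimate users do move mail to these folders, so the forwarding and deletion conditions carry most of the signal.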
Objectives
Upon completion of this lab, you will be able to:
- Define custom analytics rules in Microsoft Sentinel using KQL (Kusto Query Language).
- Create dynamic alert titles to enhance incident context.
- Map entities to enrich alert information and group related alerts into incidents.
- Investigate generated incidents and understand the contextual data provided by Sentinel.
Who is this Lab For?
This lab is designed for:
- Security Analysts who want to learn how to customize detection rules for tailored threat detection.
- SOC Teams interested in enhancing incident triage and investigation processes.
- Developers and IT Professionals looking to integrate advanced security monitoring into their environments.
