Chapter 7: Creating Analytic Rules

Now that you have connected your data to Microsoft Sentinel and know how to write your own Kusto Query Language (KQL) queries, you need to know how to use those queries to detect suspicious events. This is where Microsoft Sentinel Analytics comes into play.

Analytics is the heart of Microsoft Sentinel. This is where you set up analytic rules that run automatically, on a schedule, to detect potentially suspicious activity in your environment. The queries these rules run can be ones you build yourself, or they can come from the ever-growing list of rule templates that Microsoft provides. This is exactly what we will learn to do in this chapter.

This chapter will take you through the following topics:

  • An introduction to analytic rules
  • Creating ...
