articles/sentinel/detect-threats-custom.md: 9 additions & 9 deletions
@@ -33,15 +33,15 @@ Analytics rules search for specific events or sets of events across your environ
### Analytics rule wizard—General tab
-
- Provide a unique **Name** and a **Description**.
+
1. Provide a unique **Name** and a **Description**.
-
- In the **Tactics and techniques** field, you can choose from among categories of attacks by which to classify the rule. These are based on the tactics and techniques of the [MITRE ATT&CK](https://attack.mitre.org/) framework.
+
1. In the **Tactics and techniques** field, you can choose from among categories of attacks by which to classify the rule. These are based on the tactics and techniques of the [MITRE ATT&CK](https://attack.mitre.org/) framework.
[Incidents](investigate-cases.md) created from alerts that are detected by rules mapped to MITRE ATT&CK tactics and techniques automatically inherit the rule's mapping.
-
- Set the alert **Severity** as appropriate.
+
1. Set the alert **Severity** as appropriate.
-
- When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
+
1 When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
:::image type="content" source="media/tutorial-detect-threats-custom/general-tab.png" alt-text="Start creating a custom analytics rule":::
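Review bot: the fourth converted item in this hunk, `1 When you create the rule, its **Status** is **Enabled** by default, ...`, is missing the period after the `1`, so Markdown will not recognize it as a list item and it will render as a plain paragraph that begins with a stray `1`; the other three items (`1. Provide a unique **Name** and a **Description**.`, `1. In the **Tactics and techniques** field, ...`, `1. Set the alert **Severity** as appropriate.`) have it. Change `1 When` to `1. When`. Separately, the ATT&CK inheritance sentence that sits between the second and third steps must be indented to the list's content column (three spaces for a `1.` marker) or the list is interrupted and the following `1.` restarts the numbering at 1; leading whitespace is not visible in this view, so confirm in the rendered preview.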
@@ -106,15 +106,15 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
### Query scheduling and alert threshold
-
- In the **Query scheduling** section, set the following parameters:
+
1. In the **Query scheduling** section, set the following parameters:
:::image type="content" source="media/tutorial-detect-threats-custom/set-rule-logic-tab-2.png" alt-text="Set query schedule and event grouping" lightbox="media/tutorial-detect-threats-custom/set-rule-logic-tab-all-2-new.png":::
-
- Set **Run query every** to control how often the query is run—as frequently as every 5 minutes or as infrequently as once every 14 days.
+
1. Set **Run query every** to control how often the query is run—as frequently as every 5 minutes or as infrequently as once every 14 days.
-
- Set **Lookup data from the last** to determine the time period of the data covered by the query—for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
+
1. Set **Lookup data from the last** to determine the time period of the data covered by the query—for example, it can query the past 10 minutes of data, or the past 6 hours of data. The maximum is 14 days.
-
- For the new **Start running** setting (in Preview):
+
1. For the new **Start running** setting (in Preview):
- Leave it set to **Automatically** to continue the original behavior: the rule will run for the first time immediately upon being created, and after that at the interval set in the **Run query every** setting.
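Review bot: the `:::image ... :::` block placed between the first two numbered steps, and the sub-options under the `Start running` step (`- Leave it set to **Automatically** ...`), which are still unordered bullets, both need to be indented to the ordered item's content column (three spaces for a `1.` marker); otherwise the list is broken at that point and the next `1.` renders as a new list numbered 1 rather than continuing the sequence. Leading whitespace is not visible in this view, so either indent them explicitly in the commit or check the rendered preview before merging.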
@@ -138,7 +138,7 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
>
> For more information, see [Handle ingestion delay in scheduled analytics rules](ingestion-delay.md).
-
- Use the **Alert threshold** section to define the sensitivity level of the rule. For example, set **Generate alert when number of query results** to **Is greater than** and enter the number 1000 if you want the rule to generate an alert only if the query returns more than 1000 results each time it runs. This is a required field, so if you don’t want to set a threshold – that is, if you want your alert to register every event – enter 0 in the number field.
+
1. Use the **Alert threshold** section to define the sensitivity level of the rule. For example, set **Generate alert when number of query results** to **Is greater than** and enter the number 1000 if you want the rule to generate an alert only if the query returns more than 1000 results each time it runs. This is a required field, so if you don’t want to set a threshold – that is, if you want your alert to register every event – enter 0 in the number field.
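Review bot: the closing advice in this item, `if you want your alert to register every event – enter 0 in the number field`, is only correct while the operator is still set to **Is greater than** as in the earlier example; since the operator is a separate control, spell it out (for example, `leave the operator at **Is greater than** and enter 0`). Also, this item uses spaced en-dashes (` – `) where the rest of the file uses unspaced em-dashes (`run—as frequently`, `query—for example`); pick one form for consistency.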