|
| 1 | +--- |
| 2 | +title: Create Summary Rules for Microsoft Sentinel Solutions |
| 3 | +description: This article guides you through the process of creating and publishing summary rules to Microsoft Sentinel solutions. |
| 4 | +author: anilgodavarthy |
| 5 | +ms.author: angodavarthy |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 7/04/2025 |
| 9 | + |
| 10 | +#CustomerIntent: As an ISV partner, I want to create and publish summary rules to my Microsoft Sentinel solution so that I can provide inbuilt data summarization that customers can use to speed up query execution and save costs. |
| 11 | +--- |
| 12 | + |
| 13 | +# Create and publish summary rules for Microsoft Sentinel solutions |
| 14 | + |
| 15 | +Summary rules in Microsoft Sentinel are scheduled queries that aggregate and transform high-volume data into summarized results stored in a custom log table. In essence, a summary rule runs a user-defined KQL (Kusto Query Language) query at a regular interval (for example, every hour or once a day) across a large set of logs, and saves the aggregated output (such as counts, statistics, or filtered records) into a new or existing Log Analytics (LA) table. This mechanism provides concise, precompiled data that is smaller and easier to query than the raw log. For more information, see [Aggregate Microsoft Sentinel data with summary rules](/azure/sentinel/summary-rules). |
| 16 | + |
| 17 | +This article walks you through the process of creating and publishing summary rules to Microsoft Sentinel solutions. |
| 18 | + |
| 19 | +## Best practices for using summary rules in solutions |
| 20 | + |
| 21 | +To ensure both the ISV and the end-user get the most out of summary rules, here are a few best practices (largely derived from Microsoft’s guidance and early user experiences): |
| 22 | + |
| 23 | +- **Design summary queries to significantly reduce data volume:** A summary rule should ideally output far less data than it inputs – aim to filter out noise and use aggregation (grouping) to shrink the dataset by orders of magnitude. For example, use the summarized operator to roll up events by key dimensions (like user, IP, day) so that only patterns or totals are stored, not every detail. Microsoft’s advice is to use techniques like counting, take min/max, etc., and project only necessary fields, to keep the summary table lean. This not only saves cost but ensures queries on the summary table remain snappy. |
| 24 | +- **Choose an appropriate schedule and delay:** Align the frequency of summary rule runs with the use case. If you need near-real-time aggregation (for example, summarizing each hour for quick detection), you can run as often as every 20 minutes. If the scenario is reports or daily stats, a daily schedule is fine and incurs less overhead. Also set a latency buffer (delay) if needed – for instance, when running every hour, you might process data up to 15 minutes ago rather than right up to the current minute, to allow late events to arrive. This ensures completeness of data. Document these choices in your solution’s notes so users understand the timing. |
| 25 | +- **Leverage analytic rules on summary results:** Encourage or include an analytic rule that triggers on the summary table if the intent is to alert (for example, provide a ready-to-enable rule that looks at the summary table for anomalies or IoC hits). As shown earlier, the workflow is usually Summary Rule -> writes to table -> Analytic Rule -> creates incident. By packaging both, you give the user a turnkey solution. Make sure the analytic rule’s schedule/look-back aligns with how the summary is produced (for example, if summary runs daily, the alert rule might run daily shortly after, or hourly checking the last day’s summary). |
| 26 | + |
| 27 | +## How to create summary rules |
| 28 | +Summary rules in Microsoft Sentinel solutions follow the YAML format. For an example of summary rule, see [Sample summary rule in GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Summary%20rules/Network/FortinetFortigateNetworkSessionIPSummary.yaml) |
| 29 | + |
| 30 | +The following sections provide a detailed walkthrough of various attributes of a summary rule. |
| 31 | + |
| 32 | +### ID |
| 33 | + |
| 34 | +The `id` attribute consists of a standard globally unique identifier (GUID). Generate it by using any development tool, an online generator, or the new PowerShell [New-GUID cmdlet](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-6&preserve-view=true). It must be unique among other GUIDs. |
| 35 | + |
| 36 | +This field is mandatory. |
| 37 | + |
| 38 | +### Display Name |
| 39 | + |
| 40 | +The `displayName` attribute provides a brief label that summarizes the rule. Make sure the label is clear and concise to help users understand the purpose of the summary rule. This attribute: |
| 41 | + |
| 42 | +* Uses sentence-case capitalization. |
| 43 | +* Doesn't end in a period. |
| 44 | +* Has a maximum length of 50 characters (whenever possible). |
| 45 | + |
| 46 | +This field is mandatory. |
| 47 | + |
| 48 | +### Description |
| 49 | + |
| 50 | +The `description` attribute provides a detailed description of the summary rule. The description includes information about the rule, frequency, and other relevant details that can help customers know more about the summarization logic and its impact. This attribute: |
| 51 | + |
| 52 | +* Uses sentence case capitalization. |
| 53 | +* Is different from and more descriptive than the name field. |
| 54 | +* Has a maximum length of 255 characters. |
| 55 | +* Is five sentences or less. |
| 56 | +* Doesn't provide a technical explanation for the query language. |
| 57 | + |
| 58 | +This field is mandatory. |
| 59 | + |
| 60 | +### Required data connectors |
| 61 | + |
| 62 | +The `requiredDataConnectors` attribute represents the list of data connectors that the rule needs to function correctly, including the data sources against which the rule queries. If there's no current data connector mapping, you must use an open brace: `requiredDataConnectors: []`. |
| 63 | + |
| 64 | +The `connectorId` attribute specifies the ID of the data connector that you need so the query functions correctly. If your summary rule depends on the data fetched from a specific connector, you must specify the connector ID here. For instance, if your summary rule depends on the data from this [connector](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json), you must specify the `connectorID` as `1PasswordCCPDefinition`. |
| 65 | + |
| 66 | +The `dataTypes` attribute represents the data types that the summary rule depends on and mentions the name of the data type referenced in the `dataTypes` section of the connector. For instance, if your summary rule depends on the data from this [connector](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json), you must specify the data type as `OnePasswordEventLogs_CL`. If the summary rule operates on a Kusto function/parser instead of the table (like `Syslog`, `CommonEventFormat`, or `_CL`), `dataTypes` is the Kusto function name/parser name and not the table name. |
| 67 | + |
| 68 | +### Destination table |
| 69 | + |
| 70 | +The `destinationTable` attribute specifies the name of the table in Log Analytics (LA) where the query results are saved. |
| 71 | + |
| 72 | +### Query |
| 73 | + |
| 74 | +The `query` attribute defines the summarization logic. We recommend that you write the query in KQL and make sure that it's structured and easy to understand. We recommend that you create an efficient query that's optimized for performance to ensure it can be run against large datasets without affecting performance. Make sure that your query meets the following criteria. |
| 75 | + |
| 76 | +Limit the query to 10,000 characters. If the query section exceeds this limit, consider reducing the number of characters. A static list of items used for comparison within the query body can cause you to go over the limit. We recommend that you move these lists to one of the following options: |
| 77 | + |
| 78 | +* A [watchlist function](/azure/sentinel/watchlists) |
| 79 | +* A [custom JSON/CSV](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml) |
| 80 | +* A [custom function](https://techcommunity.microsoft.com/t5/azure-sentinel/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381) |
| 81 | + |
| 82 | +Each line in the query body must have at least one space at the beginning, but two spaces are standard to support readability. |
| 83 | + |
| 84 | +We highly recommend that you use comments to clarify the query. Avoid adding comments at the end of a query statement line. Instead, add your comments on a separate line. For example: |
| 85 | + |
| 86 | +This field is mandatory. |
| 87 | + |
| 88 | +### Query frequency |
| 89 | + |
| 90 | +The `binSize` attribute represents the frequency at which the query runs in minutes. Only nonzero positive integer values are allowed. Ex- 60 indicates that the query runs every 1 hour. |
| 91 | + |
| 92 | + |
| 93 | +### Version |
| 94 | + |
| 95 | +When a customer creates a new summary from the template, the template `version` is saved. If a new template version is published, customers are notified in the UX. Versions follow the format `a`, `b`, and `c`, in which `a` is the major version, `b` is the minor version, and `c` is the patch. The version field is the last line of the template. |
| 96 | + |
| 97 | +This field is mandatory. |
0 commit comments