@@ -116,7 +116,7 @@ This section reviews common scenarios for creating summary rules in Microsoft Se
**Scenario**: You're a threat hunter, and one of your team's goals is to identify all instances of when a malicious IP address interacted in the network traffic logs from an active incident, in the last 90 days.
-
**Challenge**: Microsoft Sentinel currently ingests multiple terabytes of network logs a day. You needs to move through them quickly to find matches for the malicious IP address.
+
**Challenge**: Microsoft Sentinel currently ingests multiple terabytes of network logs a day. You need to move through them quickly to find matches for the malicious IP address.
**Solution**: We recommend using summary rules to do the following:
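Review bot: Unchanged context line 117 in this hunk still reads awkwardly (`identify all instances of when a malicious IP address interacted in the network traffic logs`); suggest `identify every occurrence of a malicious IP address from an active incident in the network traffic logs over the last 90 days`. The `You needs` to `You need` correction on line 119 is fine.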
@@ -213,13 +213,13 @@ The current detection also runs a summary query on a separate logic app for each
Generate alerts on threat intelligence matches against noisy, high volume, and low-security value network data.
-
**Scenario**: You need to build an analytics rule for firewall logs to match domain names in the system that have been visted agsinst a threat intelligece domain name list.
+
**Scenario**: You need to build an analytics rule for firewall logs to match domain names in the system that have been visted against a threat intelligence domain name list.
Most of the data sources are raw logs that are noisy and have high volume, but have lower security value, including IP addresses, Azure Firewall traffic, Fortigate traffic, and so on. There's a total volume of about 1 TB per day.
**Challenge**: Creating separate rules requires multiple logic apps, requiring extra setup and maintenance overhead and costs.
-
**Solution**: We recommed using summary rules to do the following:
+
**Solution**: We recommend using summary rules to do the following:
1. Summarize McAfee firewall logs every 10 minutes, updating the data in the same custom table with each run. [ASIM functions](normalization-functions.md) might be helpful in the summary query when interacting with your McAfee logs.
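Review bot: The `+` line at 216 still contains `visted` (should be `visited`); this change corrects `agsinst` and `intelligece` on the same line but misses that one. The `recommed` to `recommend` correction at 222 is fine.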
@@ -262,7 +262,7 @@ This procedure describes a sample process for using summary rules with [auxiliar
[](https://portal.azure.com/#create/Microsoft.Template/uri/aka.ms/DeployCEFresources)
-
1. Note the following deatails from the ARM template output:
+
1. Note the following details from the ARM template output:
- `tenant_id`
- `data_collection_endpoint`
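Review bot: Unchanged context line 262 is a link with empty text, `[](https://portal.azure.com/#create/Microsoft.Template/uri/aka.ms/DeployCEFresources)`, which renders as nothing; if this is meant to be a deploy button, the image or link text appears to have been dropped and is worth checking while this file is being edited. The `deatails` to `details` fix at 265 is fine.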
@@ -323,7 +323,7 @@ This procedure describes a sample process for using summary rules with [auxiliar
1. Create summary rules that aggregate your CEF data. For example:
-
- **Lookup incident of concern (IoC) data**: Hunt for specific IoCs by running aggregated summary queries to bring unique occurences, and then query only those occurences for faster results. The following example shows an example of how to bring a unique `Source Ip` feed along with other medata, which can then be used against IoC lookups:
+
- **Lookup incident of concern (IoC) data**: Hunt for specific IoCs by running aggregated summary queries to bring unique occurrences, and then query only those occurrences for faster results. The following example shows an example of how to bring a unique `Source Ip` feed along with other metadata, which can then be used against IoC lookups:
```kusto
// Daily Network traffic trend Per Destination IP along with Data transfer stats
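Review bot: `Lookup incident of concern (IoC) data` on the `+` line at 326 expands IoC incorrectly; the rest of the same line (`Hunt for specific IoCs`, `used against IoC lookups`) uses it in the usual sense of indicator of compromise, so the bullet label should read `Lookup indicator of compromise (IoC) data`. On the same line, `The following example shows an example of how to bring` is redundant; suggest `The following example shows how to bring`. The `occurences` and `medata` corrections are fine.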