File: articles/sentinel/detect-threats-custom.md
Lines changed: 5 additions & 5 deletions
@@ -33,15 +33,15 @@ Analytics rules search for specific events or sets of events across your environ
33
33
34
34
### Analytics rule wizard—General tab
35
35
36
-
1. Provide a unique **Name** and a **Description**.
36
+
- Provide a unique **Name** and a **Description**.
37
37
38
-
1. In the **Tactics and techniques** field, you can choose from among categories of attacks by which to classify the rule. These are based on the tactics and techniques of the [MITRE ATT&CK](https://attack.mitre.org/) framework.
38
+
- In the **Tactics and techniques** field, you can choose from among categories of attacks by which to classify the rule. These are based on the tactics and techniques of the [MITRE ATT&CK](https://attack.mitre.org/) framework.
39
39
40
40
[Incidents](investigate-cases.md) created from alerts that are detected by rules mapped to MITRE ATT&CK tactics and techniques automatically inherit the rule's mapping.
41
41
42
-
1. Set the alert **Severity** as appropriate.
42
+
- Set the alert **Severity** as appropriate.
43
43
44
-
1. When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
44
+
- When you create the rule, its **Status** is **Enabled** by default, which means it will run immediately after you finish creating it. If you don’t want it to run immediately, select **Disabled**, and the rule will be added to your **Active rules** tab and you can enable it from there when you need it.
45
45
46
46
:::image type="content" source="media/tutorial-detect-threats-custom/general-tab.png" alt-text="Start creating a custom analytics rule":::
47
47
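Review bot: Switching the four "General tab" items from `1.` to `-` drops their sequence numbering even though the surrounding text still presents them as steps taken in order in the analytics rule wizard (name, tactics, severity, status); confirm this is intended rather than a side effect of normalizing list style. Also check the indented follow-on lines that still nest under these items, the `[Incidents](investigate-cases.md)` note and the `:::image ... general-tab.png :::` block, keep a continuation indent that matches the new bullet marker (two spaces for `-` versus three for `1.`), otherwise the renderer will break them out of the list as separate paragraphs.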
@@ -106,7 +106,7 @@ In the **Set rule logic** tab, you can either write a query directly in the **Ru
106
106
107
107
### Query scheduling and alert threshold
108
108
109
-
1. In the **Query scheduling** section, set the following parameters:
109
+
- In the **Query scheduling** section, set the following parameters:
110
110
111
111
:::image type="content" source="media/tutorial-detect-threats-custom/set-rule-logic-tab-2.png" alt-text="Set query schedule and event grouping" lightbox="media/tutorial-detect-threats-custom/set-rule-logic-tab-all-2-new.png":::
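Review bot: This hunk only changes the first item of the "Query scheduling and alert threshold" section from `1.` to `-`; any later items in the same list that are outside this hunk and still use `1.` would render as a lone bullet followed by a numbered list restarting at 1. Verify the rest of the list in this section was converted consistently, and that the `:::image ... set-rule-logic-tab-2.png :::` block's indent still matches the new bullet so it stays attached to the item.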