This article is contributed. See the original author and article here.

Rule tuning is a delicate and continuous process of balancing between detecting all threats and reducing false and benign positives. The more accurate and less noisy the rules are, the better the detections. To support this goal, we are delighted to announce improvements to the “Preview Graph” feature now in public preview.


The Preview Graph runs a simulation against the last 50 evaluations of an existing scheduled analytic rule and outputs a graph indicating the number of alerts that the rule generated based on the average number of alerts expected per day. This data can then help you tune your rules by predicting the average number of alerts the rule is expected to generate and for existing rules, the data will help you get a sense of the detection efficacy of those rules.


How to use the feature


To try out this feature, navigate to the Analytics blade in the Azure Sentinel Overview page, select an existing analytic rule.


Once you define the KQL query behind your rule you are now ready to get a preview of the results. To do so, click on the arrow next to “Test with current data”.


analytic rule wizard.png


 

Upon evolution of the last 50 runs of the analytic rule a graph similar to the one below will appear, giving you an indication of the level of alerts to expect if you were to use the evaluated configuration of the rule. On the Y-axis you have the number of alerts generated while on the X-axis you have the period of time within which the last 50 evaluations of the rule occurred. The “Threshold” value is obtained from the “Set rule logic” section of Analytic rule wizard and it is used to specify the number of query results needed to trigger an alert while the “Alerts per day” denotes the average number of alerts generated across the time period indicated on the x-axis for the last 50 evaluations of the rule.


 

test with curr data.png


To visualize the raw events at a specific point in time on the graph, hover over a particular data point and the graph will adjust to show you what the number of events was at that particular point in time as shown below:


 

test with curr data2.png


 


 


 


Get started today!


We encourage you to use the new Preview Graph to improve the accuracy of your analytic rules and reduce alert noise.


 


Try it out, and let us know what you think!


 


You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.


 


@Jeremy Tan  @Ron Marsiano thanks for your input and review comments


 


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: