Creating Analytic Rules
An analytic rule generates a unique alert for each event returned by its query and creates incidents from those alerts. This is useful if you want events to be displayed individually, or if you want to group them by certain parameters (by user, hostname, or something else). You define those grouping parameters in the query itself.
Below are the steps to create an Analytic Rule.
To create an analytic rule, go to Microsoft Sentinel -> <Your Workspace> -> Analytics.
Click Create -> Scheduled query rule.
Enter the Rule Name, Description, Severity and Tactics.
Enter the query on which you want to create incidents, and add Entity Mapping. In Entity Mapping, map each indicator column returned by the query to its entity type. An example for an IP entity is shown below.
Add the name the incident should receive here.
Select "Trigger an alert for each event" to generate a new incident for each event.
Click Next and finally Save to create the Analytic Rule.
Here is a sample analytic rule you can import into Sentinel.
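The steps above, expressed as an ARM template in the format Sentinel uses when it exports a scheduled query rule. This is an added example and not the page's own sample rule: the GUID, the rule name, the thresholds and the detection query (a burst of failed sign-ins from a single IP in SigninLogs) are all assumptions chosen for illustration. The "Trigger an alert for each event" option from the steps corresponds to "aggregationKind": "AlertPerResult", and the IP entity mapping binds the query's IPAddress column to the Address identifier.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String",
      "metadata": { "description": "Name of the Log Analytics workspace Sentinel is enabled on" }
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/00000000-0000-0000-0000-000000000000')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/00000000-0000-0000-0000-000000000000')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Example - Failed sign-in burst from a single IP",
        "description": "Added example rule (placeholder GUID): raises one incident per source IP with 20 or more failed sign-ins in the last hour.",
        "severity": "Medium",
        "enabled": true,
        "query": "SigninLogs\n| where ResultType != \"0\"\n| summarize FailedSignIns = count(), Accounts = make_set(UserPrincipalName, 20), LastSeen = max(TimeGenerated) by IPAddress\n| where FailedSignIns >= 20",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [ "CredentialAccess" ],
        "techniques": [ "T1110" ],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Failed sign-in burst from {{IPAddress}}",
          "alertDescriptionFormat": "{{FailedSignIns}} failed sign-ins from {{IPAddress}}, last seen {{LastSeen}}"
        },
        "customDetails": {
          "FailedSignIns": "FailedSignIns",
          "TargetAccounts": "Accounts"
        },
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPAddress"
              }
            ]
          }
        ]
      }
    }
  ]
}
```

Because the query summarizes by IPAddress, each row is one source IP, so AlertPerResult yields one incident per offending IP rather than one incident for the whole hour; the entity mapping is what lets Sentinel attach that IP to the incident and correlate it with other alerts. Replace the placeholder GUID with a fresh one before deploying, then import the template through the portal ("Deploy a custom template") or with `az deployment group create --resource-group <rg> --template-file rule.json --parameters workspace=<workspace-name>`.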