3.2 Analytics Rules & Detection Content
Key Takeaways
- Microsoft Sentinel analytics rule types are Scheduled, Near-real-time (NRT), Microsoft security (built-in), Anomaly, Fusion (multistage attack ML), and Threat intelligence
- NRT rules run roughly once per minute on a single table with no lookback aggregation; scheduled rules run on a query frequency/period with full KQL aggregation
- Fusion is Microsoft's built-in machine learning correlation engine that combines low-fidelity signals into high-confidence multistage incidents
- Every analytics rule should map to MITRE ATT&CK tactics and techniques so the MITRE ATT&CK coverage blade reflects real detection coverage
- Content hub installs solutions (connectors, rule templates, workbooks, playbooks, hunting queries); watchlists are reference datasets joined into rules and hunting queries
Detection Engineering in Sentinel
Microsoft Sentinel is the cloud-native security information and event management (SIEM) plus security orchestration, automation, and response (SOAR) platform. Analytics rules are the engine that turns ingested logs into alerts and groups them into incidents. On SC-200, the Manage a security operations environment domain expects you to choose the correct rule type, tune it, and connect it to MITRE ATT&CK and the Content hub.
All analytics rules are written or templated in Kusto Query Language (KQL) and produce alerts with entity mappings (account, host, IP, file, URL) that power investigation graphs.
Rule Types at a Glance
| Rule type | Engine | Cadence | Use when |
|---|---|---|---|
| Scheduled | Custom KQL | Frequency + lookback period you set | Most custom detections with aggregation/joins |
| Near-real-time (NRT) | Custom KQL | ~Every minute, single table, no aggregation | Speed matters and one table is enough |
| Microsoft security | Built-in | On alert from a connected Microsoft product | Auto-create Sentinel incidents from Defender alerts |
| Anomaly | Built-in ML templates | Continuous, customizable thresholds | Behavioral baselining (rare process, unusual logon) |
| Fusion | Multistage ML correlation | Continuous | Correlate weak signals into one high-fidelity incident |
| Threat intelligence | Built-in match | On indicator match | Match logs against TI indicator feeds |
Scheduled vs. Near-Real-Time Rules
The scheduled vs. NRT distinction is one of the most tested SC-200 concepts.
Scheduled Rules
- You set a query frequency (how often it runs) and a query period (how far back it looks).
- Supports full KQL:
summarize,join,union, multi-table logic. - Supports event grouping (single alert per rule run vs. an alert per row) and alert threshold (trigger only when result count crosses a number).
- Has a built-in lookback so it can aggregate over time windows.
Near-Real-Time (NRT) Rules
- Run approximately once per minute to minimize detection latency.
- Query one table only and cannot use most aggregation across rows or time-window lookback joins.
- Ideal for high-priority single-event detections — for example, a specific high-risk sign-in or a known malicious command line.
// Example scheduled-rule logic: brute force then success
SigninLogs
| where TimeGenerated > ago(1h)
| summarize Failures = countif(ResultType != 0),
Successes = countif(ResultType == 0)
by UserPrincipalName, IPAddress
| where Failures >= 10 and Successes >= 1
If a scenario needs aggregation, joins, or a time window, choose scheduled. If it needs the lowest possible latency on a single table with no aggregation, choose NRT.
Anomaly, Fusion, and Threat Intelligence Rules
Anomaly Rules
Anomaly rules use Microsoft-built machine learning templates that establish behavioral baselines (for example, anomalous Resource Manager operations or rare process execution). You can duplicate a template, run it in flighting mode to observe results before promoting it to production, and tune its thresholds without writing the model.
Fusion
Fusion is Sentinel's built-in multistage-attack detection. It uses scalable machine learning to correlate many low-fidelity alerts and anomalous activities across products into a small number of high-confidence incidents (for example, credential access followed by lateral movement and data exfiltration). Fusion is enabled as a single Microsoft security analytics rule; you do not author its logic.
Threat Intelligence Rules
Threat intelligence analytics rules match ingested logs against threat indicators (IPs, domains, hashes, URLs) brought in through the Threat Intelligence connector or the TI upload API. A match generates an alert enriched with the indicator context.
| Rule | You write the logic? | Output |
|---|---|---|
| Anomaly | No (tune thresholds) | Behavioral anomaly alerts |
| Fusion | No | Correlated multistage incidents |
| Threat intelligence | No (built-in match) | Indicator-match alerts |
Rule Tuning and False-Positive Reduction
Tuning is explicitly in scope for SC-200. The goal is to cut false positives without creating false negatives.
Tuning Levers
- Query refinement — add
wherefilters, exclude known-good accounts/service principals, orjoinagainst a watchlist of approved assets. - Alert threshold — only trigger when results exceed a count (for example,
>= 10failed logons). - Event grouping — group all matched events into a single alert, or alert per event, to control noise.
- Suppression / Stop running query after alert — suppress the rule for a defined duration after it fires to avoid alert storms.
- Automated tuning feedback — Sentinel surfaces anomalies and tuning recommendations; analysts can mark alerts as benign to feed tuning.
Incident Settings on the Rule
Each scheduled/NRT rule also controls incident creation, alert grouping into incidents (group related alerts within a time window, by entities or by selected details), and entity mapping. Correct entity mapping is what makes investigation graphs and automation work.
MITRE ATT&CK Mapping and the Content Hub
MITRE ATT&CK Mapping
Every analytics rule can be tagged with MITRE ATT&CK tactics (the why, such as Initial Access, Lateral Movement) and techniques/sub-techniques (the how, such as T1078 Valid Accounts). The Sentinel MITRE ATT&CK blade visualizes simulated and active coverage so the SOC can find detection gaps. SC-200 scenarios ask you to improve coverage of a specific tactic by enabling or authoring rules tagged to that technique.
Content Hub and Solutions
The Content hub is the in-product marketplace for solutions — packaged bundles that can include data connectors, analytics rule templates, hunting queries, workbooks, playbooks, and parsers for a given product (for example, the Microsoft Entra ID or Palo Alto solution).
- Install a solution to deploy its content as a unit; rule templates then appear under Analytics for you to create active rules from.
- Solutions are versioned and can be updated centrally from the Content hub.
- This replaces piecemeal manual rule creation and is the expected answer when a scenario says "quickly deploy vendor detection content."
Watchlists
Watchlists are reference datasets (CSV-imported or built from logs) — for example, a list of VIP accounts, approved admin workstations, or a terminated-employee list. They are referenced in KQL with the _GetWatchlist() function and joined into analytics and hunting rules for enrichment or allow/deny logic. Large watchlists can be promoted to a watchlist table for performant joins.
A detection must alert within about one minute of a single specific high-risk event appearing in one table, with no aggregation or joins. Which analytics rule type is most appropriate?
Which statement correctly describes Microsoft Sentinel Fusion?
A SOC wants to rapidly deploy a vendor's full set of connectors, analytics rule templates, hunting queries, and workbooks as one versioned package. What should they use?