
Creating Effective Security Rules in Microsoft Sentinel

The average Microsoft Sentinel installation is going to require a fairly large number of rules before the software can reliably sort legitimate request packets from those that could damage the underlying installation. Since telling the difference can be hard, it’s vital to configure a complete rule list before using any Azure container in a production environment. Anomaly rule templates are the place most information technology department staffers will want to start when building a set of requirements.

Anomaly Detection Policy Settings

Sentinel comes with an anomaly detection template that relies on machine learning to recognize specific cases of unusual behavior. Creating rules with their own parameter sets from this template is quite easy, especially for those who already know what thresholds their network can tolerate. Those who aren’t sure yet should set the maximum number of requests to a fairly low value and then increase it incrementally as they go along; eventually, most technicians should be able to find a healthy medium. Duplicating anomaly rules can be a good idea for those who want to keep their environments separate.

Fighting and Production Rules

Most of the time, a network is going to be running in production mode, and all of the standard Sentinel rules will work as written. Once it starts to look like a particular network is under attack, however, the software can switch over to a fighting mode that’s designed to stop network threats without taking down the entire system. Almost all of the rules defined as part of the fighting list should be duplicates of those used in production mode. The only thing that should differ is the parameters, which are usually set to be much more aggressive than they normally would be. Networks that are actively fighting off a threat can be excused if they have to reject some otherwise legitimate packets that appear malformed in some way.

Creating Rules for Remote Access

A good rule of thumb is to disable as many remote access protocols as possible in order to reduce a system’s overall attack surface. In addition to rules inside Sentinel, it probably makes sense to turn off any relevant settings inside whatever operating system gets deployed in an Azure container. Few people are going to need Telnet to reach a management dashboard on modern system software, after all. Those who want to maintain their containers over a network should look into running a managed Microsoft Sentinel instance, which comes with the support of professional experts who can often spot problems before they balloon into something more serious.
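The two ideas above, a production rule and a more aggressive duplicate that differ only in their parameters, and a rule that watches for legacy remote access protocols, can be combined in one Sentinel scheduled analytics rule query. This is an added example, not code from the original article; it assumes firewall or CEF logs arrive in the CommonSecurityLog table with SourceIP, DestinationIP, DestinationPort and DeviceAction populated, and the port list and threshold values are placeholders to tune against your own traffic.

```kql
// Added example (not from the original article): scheduled analytics rule
// query for Microsoft Sentinel. Assumes CEF/firewall events in
// CommonSecurityLog with SourceIP, DestinationIP, DestinationPort and
// DeviceAction populated (field contents are vendor-dependent; check yours).
//
// The production copy and the more aggressive "fighting" copy of this rule
// are identical except for Threshold. Start low and raise it incrementally
// until the rule stops firing on traffic you know to be legitimate.
let Threshold = 20;                              // production value; the aggressive copy might use 5
let LookbackWindow = 1h;                         // set rule frequency and lookback to match
let LegacyRemotePorts = dynamic([23, 513, 514]); // Telnet, rlogin, rsh (constructed list)
CommonSecurityLog
| where TimeGenerated > ago(LookbackWindow)
| where DestinationPort in (LegacyRemotePorts)
| where DeviceAction !in~ ("deny", "drop", "block")   // keep only attempts that got through
| summarize AttemptCount = count(),
            TargetHosts  = make_set(DestinationIP, 50),
            FirstSeen    = min(TimeGenerated),
            LastSeen     = max(TimeGenerated)
        by SourceIP
| where AttemptCount >= Threshold
// Escalate sources far above the threshold so triage can prioritize them
| extend Severity = iff(AttemptCount >= Threshold * 5, "High", "Medium")
| project SourceIP, AttemptCount, TargetHosts, FirstSeen, LastSeen, Severity
```

Map SourceIP to the IP entity in the rule's entity mapping so incidents group by source; the DeviceAction filter is the line most likely to need adjusting for a given log source.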

Building a Machine Learning Profile

Since Microsoft Sentinel is built around several artificial intelligence-powered engines, it needs time to properly adjust to whatever network it finds itself running on. Creating a proper training profile will help to dramatically reduce the length of this acclimation period. Training data permissions are configured in much the same way as any other file access permissions, so it’s important to give the engine sufficient liberty to look over requests and work out which ones are anomalous.

Consider what kind of traffic comes through a network switch at different times of the day. If a huge flow of data suddenly starts flooding a router, then there’s an obvious problem. As long as technicians are careful to make note of this in the log, the initial training period shouldn’t last much longer than a few days.
