What’s new: Monitor and optimize the execution of your scheduled analytics rules

Recently, we announced new capabilities to help monitor the health and audit the integrity of your analytics rules. With Analytics Health Monitoring, organizations can get insights into the health, run details and status of each analytics rule execution. This includes whether the execution succeeded or failed, along with the reason for any failure. You might be wondering what to do if you encounter a failed execution and, after fixing the cause, want to re-run it over a specific window to validate the fix. We now offer an easy solution for this scenario.

We are pleased to announce the new Execution Management feature for scheduled Analytics rules. This feature provides a seamless experience for re-running scheduled rules on-demand, facilitating testing and validation scenarios. It allows the security team working with analytics rules to access execution details for scheduled rules and validate the results of those executions.

Overview

Execution Management for scheduled Analytics rules offers two new capabilities – built-in scheduled rule insights and re-running scheduled rules on-demand.

The Analytics rule Insights panel provides further information about a rule, such as its failed executions, top health issues, the count of alerts over time and the closed classification of the incidents triggered by the rule. These insights help security analysts identify potential issues or misconfigurations in analytics rules, spot rule failures, and optimize rule configurations for improved performance and accuracy.

The ability to re-run analytics rules on-demand in Microsoft Sentinel offers flexibility and control when validating rule effectiveness. This capability proves beneficial in various scenarios, including rule refinement, testing, validation, and more. The flexibility to initiate manual re-runs supports efficient security operations, enables effective incident response, and enhances the overall detection and response capabilities of the system.

Where to view analytics rule insights:

  1. From the Microsoft Sentinel navigation menu, select Analytics.
  2. Locate and select the scheduled or NRT rule for which you would like to view insights. Click on the Insights tab in the right panel.
  3. Examine the following insights related to the selected rule. You can specify the time range of the insights using the time range dropdown list:

Failed Execution: List of failed runs of the rule in the specified time frame.

Top health issues: List of the most common health issues associated with the rule during the specified time frame.

Alert graph: Chart displaying the number of alerts generated by the rule in the specified time frame.

Incident Classification: Summary of the incident classification resulting from the rule during the specified time frame.
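As an added example (not code from the original post or from Microsoft), the following KQL rebuilds the Failed Execution, Top health issues and Incident Classification insights directly from the workspace tables, which is handy when you want the same data outside the portal, for example before deciding which run to replay. The rule name, the rule resource ID and the "Analytics Rule" literal are assumptions to verify in your own workspace.

```kusto
// Added example, not part of the original post. SentinelHealth is only populated once
// analytics health monitoring is enabled (the same prerequisite as re-run on-demand).
// Log Analytics returns a single result set, so run each of the three queries separately.
// Assumptions to verify: the two placeholders below and the "Analytics Rule" literal
// (check with:  SentinelHealth | distinct SentinelResourceType ).

// Query 1 - Failed Execution: every non-successful run of the rule in the window,
// with the reason Sentinel recorded (mirrors the panel's time range dropdown with 7d).
let lookback = 7d;
let ruleName = "<scheduled rule display name>";        // placeholder
SentinelHealth
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Analytics Rule"       // assumed literal
| where SentinelResourceName == ruleName
| where Status != "Success"
| project TimeGenerated, OperationName, Status, Reason, Description
| order by TimeGenerated desc

// Query 2 - Top health issues: the most common failure reasons for the rule,
// with the last time each one was seen.
let lookback = 7d;
let ruleName = "<scheduled rule display name>";        // placeholder
SentinelHealth
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Analytics Rule"       // assumed literal
| where SentinelResourceName == ruleName
| where Status != "Success"
| summarize Failures = count(), LastFailure = max(TimeGenerated) by Reason
| top 5 by Failures desc

// Query 3 - Incident Classification: how analysts closed the incidents this rule created.
// SecurityIncident stores one row per modification, so keep only the latest state
// of each incident before counting classifications.
let lookback = 7d;
let ruleId = "<scheduled rule resource id>";           // placeholder, as found in RelatedAnalyticRuleIds
SecurityIncident
| where TimeGenerated > ago(lookback)
| where tostring(RelatedAnalyticRuleIds) contains ruleId
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
| summarize Incidents = count() by Classification, ClassificationReason
| order by Incidents desc
```

If Query 1 returns rows but the panel shows none, compare the time range first; the panel and the query must cover the same window to agree.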

Where to re-run a scheduled rule on-demand:

  1. First of all, analytics health data is required for re-run on-demand. If you have not enabled health monitoring, there is a one-click connect experience in the Insights panel to configure health monitoring in your environment.
  2. From the Microsoft Sentinel navigation menu, select Analytics.
  3. Locate and select the scheduled rule (NRT rules are not supported) that you would like to run on-demand. Click on the Rule runs option at the top.
  4. The Rule runs panel displays a list of execution details such as execution time and status. Select the execution that you would like to re-run and click on Replay run.

Use cases and benefits of re-run:

Having the option to manually re-run analytics rules can be beneficial in a few scenarios:

Rule refinement and tuning: Analytics rules may require periodic adjustments and fine-tuning based on the evolving threat landscape and changing organizational needs. By manually re-running rules, security teams can assess the impact of rule modifications and validate their effectiveness before deploying them in a production environment.

Testing and validation: When introducing new analytics rules, making significant changes to existing ones, or developing new incident playbooks, it is essential to thoroughly test their performance and accuracy. Manual re-running allows security teams to simulate different scenarios, including the end-to-end automated incident flow, and validate the rules against known patterns. This ensures that they generate the expected alerts without producing excessive false positives.

Incident investigation: In the event of a security incident or suspicious activity, security analysts may update a rule to surface additional details and need to re-run it on a specific historical execution interval (up to the last 7 days) to gather additional information and identify related events. Manual re-running allows analysts to perform in-depth investigations and helps ensure comprehensive coverage.

Compliance and auditing: Some regulatory requirements or internal policies may necessitate re-running analytics rules periodically or on-demand to demonstrate compliance. Manual re-running provides the ability to meet such obligations by ensuring that rules are consistently applied and generate the appropriate alerts.

Learn more:

More information can be found in the following documentation:


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.