Query Details

Analytics Rules Efficiency

Query

let TimeRange = 30d;
SecurityIncident
| where TimeGenerated > ago(TimeRange)
// Collect last argumtent of incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Filter only on Analytics rules in Sentinel
| where RelatedAnalyticRuleIds != "[]"
// Only filter on closed incidents.
| where isnotempty(Classification)
| summarize
     TotalIncidentsTriggered = count(),
     TotalUndetermined = countif(Classification == "Undetermined"),
     TotalBenignPositive = countif(Classification == "BenignPositive"),
     TotalTruePositive = countif(Classification == "TruePositive"),
     TotalFalsePositive = countif(Classification == "FalsePositive")
     by tostring(RelatedAnalyticRuleIds), Title
// Sort by incidents that do not trigger malicious activities
| sort by TotalFalsePositive, TotalIncidentsTriggered

About this query

Analytics Rules Efficiency

Query Information

Description

This query is aimed to improve the false positive ratio you have in Sentinel. The query list all analytics rules that have triggered the most in the selected TimeRange. These analytics rules can either be enabled ones from a template, or custom created detections. For each analytics rule the following stats are collected:

  • TotalIncidentsTriggered
  • TotalUndetermined
  • TotalBenignPositive
  • TotalTruePositive
  • TotalFalsePositive

Those stats can indicate the efficiency of a detection rule. Rules that trigger a lot of false positives or benign positives may need to be tweaked. Rules that trigger a lot of undetermined classifications may be worth adding more context to the alert or change the description or tasks to improve the reponse on this incident, to be able to classify it next time.

Also take a look at the Analytics Efficienty Workbook that is avialable on the Analytics page in Sentinel.

Sentinel

Explanation

This query is designed to evaluate the efficiency of analytics rules in Microsoft Sentinel by analyzing incidents triggered over the past 30 days. It focuses on identifying which rules are generating the most incidents and classifying them based on their outcomes. Here's a simple breakdown of what the query does:

  1. Time Range: It looks at incidents from the last 30 days.

  2. Incident Filtering:

    • It selects the most recent entry for each incident.
    • It only considers incidents triggered by analytics rules in Sentinel.
    • It focuses on incidents that have been closed and classified.
  3. Classification of Incidents:

    • It counts the total number of incidents triggered by each rule.
    • It categorizes these incidents into four types:
      • Undetermined: Incidents that couldn't be classified clearly.
      • Benign Positive: Incidents that were not harmful but triggered an alert.
      • True Positive: Incidents that correctly identified a threat.
      • False Positive: Incidents that incorrectly identified a threat.
  4. Efficiency Insight:

    • The query helps identify rules that may need adjustment by highlighting those with high false positives or benign positives.
    • It suggests that rules with many undetermined incidents might benefit from additional context or clearer descriptions to improve future incident classification.
  5. Sorting:

    • The results are sorted to prioritize rules with the most false positives, helping to quickly identify which rules might need attention.

Overall, this query helps security teams optimize their detection rules by providing insights into which rules are generating the most noise and which are effectively identifying true threats.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

SecurityIncident

Keywords

AnalyticsRulesSentinelSecurityIncidentClassificationIncidentsTimeGenerated

Operators

letwhereagosummarizearg_maxisnotemptycountcountiftostringsort

Actions

GitHub