We are pleased to announce the new Execution Management feature for scheduled Analytics rules.
🔥🔥🔥HOT OFF THE PRESS🔥🔥🔥
This feature gives you a straightforward way to re-run scheduled rules on demand, which is useful for testing and troubleshooting. Security teams working with analytics rules can view the execution details of a scheduled rule and validate the results of those executions.
📌The Execution Management for scheduled Analytics rules offers two new capabilities – built-in schedule rule insights and re-run scheduled rules on-demand.
📌The Analytics rule Insights panel provides further information about a rule, such as failed executions, top health issues, the count of alerts over time, and the closure classification of the incidents the rule triggered.
📌The ability to re-run analytics rules on-demand in Microsoft Sentinel offers flexibility and control when validating rule effectiveness. This capability proves beneficial in various scenarios, including rule refinement, testing, validation, and more.
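As an added example (not code from the announcement or from Microsoft), the following KQL reproduces two of the Insights numbers for a single scheduled rule, alerts per day and incident closure classification, straight from the SecurityAlert and SecurityIncident tables. That lets you cross-check the panel, or confirm after an on-demand re-run that the expected alerts and incidents actually appeared. It assumes scheduled-rule alerts carry ProviderName "ASI Scheduled Alerts", that AlertName equals the rule's display name, and that SecurityIncident.AlertIds is a JSON array of SystemAlertId values; the rule name itself is constructed.

```kql
// Added example, not part of the announcement or Microsoft's own code.
// Assumptions: scheduled-rule alerts have ProviderName "ASI Scheduled Alerts",
// AlertName matches the rule's display name, and SecurityIncident.AlertIds is a
// JSON array of SystemAlertId values. Replace the rule name with one in your workspace.
let lookback = 7d;                                   // same window the on-demand re-run covers
let rule = "Suspicious sign-in from new country";    // constructed rule display name
// Alerts raised by this rule; arg_max keeps the latest record if an alert was updated.
let rule_alerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "ASI Scheduled Alerts" and AlertName == rule
    | summarize arg_max(TimeGenerated, *) by SystemAlertId;
rule_alerts
| join kind=leftouter (
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber    // latest state of each incident
    | mv-expand SystemAlertId = todynamic(AlertIds) to typeof(string)
    | project SystemAlertId, IncidentNumber, Status, Classification
  ) on SystemAlertId
// Bucket each alert by the outcome of the incident it ended up in.
| extend Outcome = case(
    isnull(IncidentNumber),      "No incident",
    Status != "Closed",          "Open",
    isempty(Classification),     "Closed (unclassified)",
    Classification)              // TruePositive, BenignPositive, FalsePositive, Undetermined
| summarize alerts = dcount(SystemAlertId), incidents = dcount(IncidentNumber)
    by bin(TimeGenerated, 1d), Outcome
| order by TimeGenerated asc, Outcome asc
```

A rule whose alerts land almost entirely in "FalsePositive" or "Closed (unclassified)" is a candidate for the tuning and re-run loop described below; run the query before and after a rule change to see whether the distribution moved the way you intended.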
📌Use cases and benefits of re-run:
🔹Having the option to manually re-run analytics rules can be beneficial in a few scenarios:
🔹Rule refinement and tuning: Analytics rules may require periodic adjustments and fine-tuning based on the evolving threat landscape and changing organizational needs. By manually re-running rules, security teams can assess the impact of rule modifications and validate their effectiveness before deploying them in a production environment.
🔹Testing and validation: When introducing new analytics rules, making significant changes to existing ones, or developing new incident playbooks, it is essential to thoroughly test their performance and accuracy. Manual re-running allows security teams to simulate different scenarios, including the end-to-end automated incident flow, and validate the rules against known patterns. This ensures that they generate the expected alerts without producing excessive false positives.
🔹Incident investigation: In the event of a security incident or suspicious activity, security analysts may update a rule to surface additional details and then need to re-run it over a specific historical execution interval (up to the last 7 days) to gather more information and identify related events. Manual re-running lets analysts perform in-depth investigations and helps ensure comprehensive coverage.
🔹Compliance and auditing: Some regulatory requirements or internal policies may necessitate re-running analytics rules periodically or on-demand to demonstrate continuous monitoring and compliance. Manual re-running provides the ability to meet such obligations by ensuring that rules are consistently applied and generating appropriate alerts.
Want to learn more? 💡
MS Docs: https://learn.microsoft.com/en-gb/azure/sentinel/monitor-optimize-analytics-rule-execution
Tech community: What’s new: Monitor and optimize the execution of your scheduled analytics rules - Microsoft Community Hub
#siem #xdr #mde #soc #microsoftsecurity #microsoftsentinel #microsoft #MSPartnerUK #security #msftadvocate