Deploy Your First 5 Detection Rules

45-60 minutes Modules: M10, M12

Objective

Deploy 5 KQL analytics rules from the M12 AiTM Detection Pack into your Sentinel workspace. By the end of this lab, you have 5 running detection rules with correct entity mapping, MITRE ATT&CK tagging, and alert grouping — production-ready rules, not test configurations.

Required: Microsoft Sentinel workspace with the Defender XDR connector enabled (Module 8). Security Contributor role.

Step 1: Download and review the detection pack

Download m12-aitm-detection-rules.kql from the Downloads page. Open it in a text editor. Each rule is separated by a comment block containing:

Rule name
Schedule type (NRT or scheduled with interval)
Severity
MITRE ATT&CK technique
Entity mapping specification
Alert grouping recommendation

Read the comment block for each of the first 5 rules before deploying. Understand what each rule detects and what data source it requires.

Navigate to: Sentinel → Analytics → Create → NRT rule.

General tab:

Name: AiTM — Phishing Click Then Suspicious Sign-In
Severity: High
MITRE ATT&CK: Initial Access → T1566.002 (Spearphishing Link)
Status: Enabled

Rule logic tab:

Paste the Rule 1 KQL from the detection pack
Entity mapping:
- Account → AccountUpn (FullName)
- IP → IPAddress (Address)
Alert grouping: Group alerts by Account entity (one incident per affected user)

Incident settings tab:

Create incidents from alerts: Yes

Automated response tab:

Leave empty for now (Module 10.6 covers playbook automation)

Click Create.

Step 3: Deploy Rules 2-5

Repeat the process for Rules 2-5 from the detection pack:

Rule	Type	Severity	MITRE	Key entities
2. Token Replay — Multi IP	Scheduled (5 min)	High	T1550.001	Account
3. Inbox Rule External Forward	Scheduled (5 min)	High	T1114.003	Account, IP
4. MFA Registration Non-Corp IP	Scheduled (15 min)	Medium	T1098.005	Account, IP
5. Mass Email Read Non-Corp IP	Scheduled (1 hr)	Medium	T1114.002	Account

For each rule: paste the KQL, configure entity mapping as specified, set the schedule and lookback from the comment block, and enable.

Step 4: Validate deployment

After deploying all 5 rules, verify they are running:

1
2
3
4
5
6
7
8
9
// Check: are all 5 rules active and processing?
SentinelHealth
| where TimeGenerated > ago(1h)
| where OperationName == "Scheduled Analytics Rules"
| extend RuleName = tostring(ExtendedProperties.RuleName)
| where RuleName has_any ("AiTM", "Token Replay", "Inbox Rule",
    "MFA Registration", "Mass Email")
| project TimeGenerated, RuleName, Status, Description
| order by TimeGenerated desc

Each rule should show Status = "Success" with a recent execution time. If any show Status = "Failure": check the KQL for syntax errors, verify the referenced tables are populated, and confirm the CorporateExternalIPs watchlist exists.

Step 5: Run each rule’s KQL manually against 30 days

Before relying on the rules for production detection, validate against historical data:

1
2
3
4
// Run each rule's KQL with ago(30d) to check for historical matches
// Replace the lookback period in each rule query with 30 days
// Review results: are there any true positives you missed?
// Are there false positives you need to tune?

For each rule, document:

Rule	Results (30d)	True Positives	False Positives	Tuning needed?
1. Click + Sign-in
2. Token Replay
3. Inbox Rule
4. MFA Registration
5. Mass Email Read

Step 6: Create the CorporateExternalIPs watchlist (if not exists)

Rules 1-5 all reference _GetWatchlist('CorporateExternalIPs'). If this watchlist does not exist, the rules will either fail or return excessive results (every external IP appears suspicious).

Navigate to: Sentinel → Watchlists → Create.

Name: CorporateExternalIPs
Alias: CorporateExternalIPs
SearchKey: SearchKey
Upload CSV with columns: SearchKey (one IP per row)

Include: office external IPs, VPN exit IPs, cloud proxy IPs, and any other IPs your users legitimately sign in from.

Verification

You have completed this lab when:

5 analytics rules are active in Sentinel (visible in Analytics → Active rules)
Each rule has correct entity mapping (verify in rule settings)
Each rule has MITRE ATT&CK technique assigned
The CorporateExternalIPs watchlist exists and is populated
Each rule has been validated against 30 days of historical data
Any false positives have been documented for future tuning

Congratulations: You now have 5 production detection rules running in your workspace. These rules will generate alerts if the AiTM attack patterns from Module 12 occur in your environment.

← All Labs