Deploy Your First SOC Detection Rules
Objective
Deploy 3 KQL analytics rules from Module 3 (Building Identity & Access Detections) into your Sentinel workspace: DET-SOC-001 (anomalous sign-in), DET-SOC-002 (MFA fatigue), and DET-SOC-007 (distributed password spray). By the end of this lab, you have 3 running detection rules with correct entity mapping, MITRE ATT&CK tagging, and alert grouping.
Required: Microsoft Sentinel workspace with the Entra ID sign-in logs connector enabled (SigninLogs table populated). Security Contributor role on the workspace.
Step 1: Review the detection rule specifications
Before deploying any rule, review its specification from Module 3. For each of the 3 rules, confirm you understand:
- What it detects — the specific adversary technique
- Which table and fields it queries — SigninLogs with specific field filters
- The scheduling parameters — frequency, lookback window, NRT vs scheduled
- The entity mapping — which fields map to Account, IP, and Host entities
- The MITRE ATT&CK technique — the specific technique ID
If the KQL query includes a function or operator you cannot explain, go back to the relevant Module 3 subsection and read the line-by-line annotation. A deployed rule you do not understand is a rule you cannot triage, tune, or troubleshoot.
Step 2: Deploy DET-SOC-001 — Anomalous Sign-In from Unfamiliar Infrastructure
Navigate to: Sentinel → Analytics → Create → Scheduled query rule
General tab:
| Field | Value |
|---|---|
| Name | DET-SOC-001: Anomalous sign-in from unfamiliar infrastructure |
| Description | Detects successful sign-ins from ASNs not seen in the user’s 14-day baseline. Targets hosting provider and VPN service infrastructure. |
| Severity | Medium |
| MITRE ATT&CK | Initial Access → T1078.004 (Cloud Accounts) |
| Status | Enabled |
Set rule logic tab:
Paste the KQL query from Module 3, subsection 3.2. Ensure the watchlist references (CorporateIPRanges, TrustedMobileASNs) exist in your workspace. If they do not exist yet, create empty watchlists with those names — you will populate them in Step 5.
Query scheduling:
| Field | Value |
|---|---|
| Run query every | 5 minutes |
| Lookup data from the last | 1 hour |
Alert threshold: Generate alert when number of query results is greater than 0.
Entity mapping:
| Entity type | Identifier | Field |
|---|---|---|
| Account | FullName | UserPrincipalName |
| IP | Address | IPAddress |
Incident settings:
| Field | Value |
|---|---|
| Create incidents | Enabled |
| Alert grouping | Group alerts into a single incident if the Account entity matches (within 24 hours) |
Click Review + create → Create.
Step 3: Deploy DET-SOC-002 — MFA Fatigue Detection
Follow the same process with the MFA fatigue query from Module 3, subsection 3.3.
Key differences from DET-SOC-001:
| Field | Value |
|---|---|
| Severity | High |
| MITRE ATT&CK | Credential Access → T1621 (MFA Request Generation) |
| Run query every | 5 minutes |
| Lookup data from the last | 30 minutes |
Entity mapping: Account (UserPrincipalName) + IP (SuccessIP).
Step 4: Deploy DET-SOC-007 — Distributed Password Spray
Follow the same process with the password spray query from Module 3, subsection 3.8.
Key differences:
| Field | Value |
|---|---|
| Severity | Medium |
| MITRE ATT&CK | Credential Access → T1110.003 (Password Spraying) |
| Run query every | 15 minutes |
| Lookup data from the last | 1 hour |
Entity mapping: IP (Address) — the primary entity for password spray is the source IP, not the individual accounts (which may number in the hundreds).
Step 5: Create supporting watchlists
If you have not already, create the watchlists referenced by the rules:
CorporateIPRanges:
Navigate to: Sentinel → Watchlist → Add new
| Field | Value |
|---|---|
| Name | CorporateIPRanges |
| Alias | CorporateIPRanges |
| Source type | Local file (CSV) |
Upload a CSV with your corporate egress IP ranges:
| |
TrustedMobileASNs:
Same process. Upload a CSV with the ASN numbers for mobile carriers your users commonly connect from.
Step 6: Validate deployment
After the first query cycle (5-15 minutes depending on the rule), verify each rule is running:
Navigate to: Sentinel → Analytics → Active rules
For each deployed rule, confirm:
- Status is Enabled
- Last run shows a timestamp within the last 15 minutes
- Last run result shows Success (even if zero results — the query ran without error)
Validation query — confirm the rules are executing:
| |
If any rule shows a failed execution, check the query for syntax errors or missing table/watchlist references.
Step 7: Test with a controlled scenario (optional)
If your lab environment has test users, generate a sign-in from an unfamiliar IP (use a mobile phone on cellular data, not office WiFi) and check whether DET-SOC-001 generates an alert within the next query cycle. This validates the end-to-end pipeline: sign-in → log ingestion → query execution → alert → incident.
Verification checklist
- 3 analytics rules deployed and enabled
- All rules show successful execution in the last 15 minutes
- Entity mapping configured for each rule
- MITRE ATT&CK tagging applied to each rule
- Alert grouping configured by Account entity
- CorporateIPRanges and TrustedMobileASNs watchlists created
- (Optional) Test scenario generated an alert
After validating these 3 rules, continue deploying the remaining 4 identity rules from Module 3 (DET-SOC-003 through DET-SOC-006) using the same process. Then move to Module 4 email rules and Module 5 endpoint rules. Lab 05 covers deploying the email detection rules.