Lab 08 (Intermediate)

Deploy Endpoint & Cloud Detection Rules

Duration: 60-90 minutes | Modules: Module 5, Module 6

Objective

Deploy 6 detection rules from Modules 5 and 6 covering endpoint and cloud attack techniques. These rules complete the detection library across all four domains (identity, email, endpoint, cloud).

Required: a Sentinel workspace with the DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, AuditLogs, and AzureActivity tables populated, and devices onboarded to Defender for Endpoint (the Device* tables are fed by the Defender for Endpoint data connector).


Step 1: Verify endpoint data sources

// Row count per endpoint table over the last hour
union isfuzzy=true
    (DeviceProcessEvents | where TimeGenerated > ago(1h)
        | summarize Count=count() | extend Table="ProcessEvents"),
    (DeviceNetworkEvents | where TimeGenerated > ago(1h)
        | summarize Count=count() | extend Table="NetworkEvents"),
    (DeviceFileEvents | where TimeGenerated > ago(1h)
        | summarize Count=count() | extend Table="FileEvents")
| project Table, Count

All three tables must show data. A table that reports zero rows exists but is not receiving events; a table that is missing from the output entirely has never been created, because isfuzzy=true silently drops tables that do not exist. In either case the Defender for Endpoint data connector, and specifically the Device* event types selected in it, needs configuration before the endpoint rules below will fire.


Step 2: Deploy endpoint detection rules

DET-SOC-015 — LOLBin Execution

Field | Value
Name | DET-SOC-015: LOLBin execution with suspicious process chain
Severity | Medium
MITRE ATT&CK | Execution → T1218 (System Binary Proxy Execution)
Schedule | Every 5 minutes, 1-hour lookback
Entity mapping | Account: AccountName, Host: DeviceName

Deploy the query from Module 5, subsection 5.2. This is the highest-volume endpoint rule — expect legitimate LOLBin activity from management tools during the first week.

DET-SOC-016 — Credential Dumping (LSASS)

Field | Value
Name | DET-SOC-016: Credential access — LSASS memory dump attempt
Severity | High
MITRE ATT&CK | Credential Access → T1003.001 (LSASS Memory)
Schedule | Every 5 minutes, 1-hour lookback

DET-SOC-019 — Ransomware Pre-Encryption

Field | Value
Name | DET-SOC-019: Ransomware pre-encryption indicators
Severity | Critical
MITRE ATT&CK | Impact → T1490 (Inhibit System Recovery)
Schedule | NRT (near-real-time)

This is an NRT rule. NRT rules run once a minute over the last minute of data, rather than on the 5- or 15-minute schedules used above, so there is no configurable lookback to set. Ransomware pre-encryption activity (VSS deletion, recovery disablement) typically precedes encryption by minutes, which is why it needs the shortest detection-to-alert time Sentinel offers. NRT rules also have stricter query limits than scheduled rules, so keep the query to a single table and check the Sentinel documentation before adding unions, joins or cross-workspace references.
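As an added example that is not the Module 5 query, here is the shape of a pre-encryption indicator query over DeviceProcessEvents: each recovery-inhibition command (shadow copy deletion via vssadmin, WMI or PowerShell, backup catalog deletion, and bcdedit recovery tampering) is matched with a case-insensitive regex that tolerates the quoted full path Defender records, and labelled so the alert says which indicator fired. There is deliberately no TimeGenerated filter, because an NRT rule supplies its own one-minute window; add one when running the query by hand.

```kql
// Added example, not the Module 5 detection. Recovery-inhibition commands that
// commonly precede encryption. Regexes allow an optional ".exe" and a closing
// quote, since command lines are often logged as "C:\...\vssadmin.exe" delete ...
DeviceProcessEvents
// | where TimeGenerated > ago(1h)   // uncomment for manual runs; NRT rules scope time themselves
| extend Cmd = tolower(ProcessCommandLine)
| extend Indicator = case(
    Cmd matches regex @"vssadmin(\.exe)?""?\s+delete\s+shadows",                    "VSS shadow deletion",
    Cmd matches regex @"vssadmin(\.exe)?""?\s+resize\s+shadowstorage",              "VSS storage resize (forces shadow purge)",
    Cmd matches regex @"wmic(\.exe)?""?\s+shadowcopy\s+delete",                     "WMI shadow deletion",
    Cmd matches regex @"win32_shadowcopy.*delete",                                  "WMI shadow deletion (PowerShell)",
    Cmd matches regex @"wbadmin(\.exe)?""?\s+delete\s+(catalog|systemstatebackup)", "Backup catalog deletion",
    Cmd matches regex @"bcdedit(\.exe)?""?.*recoveryenabled\s+no",                  "Windows recovery disabled",
    Cmd matches regex @"bcdedit(\.exe)?""?.*bootstatuspolicy\s+ignoreallfailures",  "Boot failure prompts suppressed",
    "")
| where isnotempty(Indicator)
| project TimeGenerated, DeviceName, AccountName, Indicator, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Backup and imaging agents legitimately resize shadow storage and occasionally delete shadows, so expect to exclude their service accounts or initiating processes; do not exclude the bcdedit indicators, which have almost no benign use on workstations.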


Step 3: Deploy cloud detection rules

Prerequisite: Create the ApprovedOAuthApplications watchlist. Run the application discovery query from Module 6, subsection 6.2, to build your initial approved list.

DET-SOC-022 — OAuth Consent Grant

Field | Value
Name | DET-SOC-022: OAuth consent grant for high-privilege application
Severity | High
MITRE ATT&CK | Persistence → T1098.003 (Additional Cloud Roles)
Schedule | Every 5 minutes, 1-hour lookback
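The consent rule is deployed from Module 6; the block below is an added example of the same logic, not the module's query, showing how the ApprovedOAuthApplications watchlist plugs in. Consent events arrive in AuditLogs as OperationName "Consent to application", with the granted scopes and the admin-consent flag inside TargetResources[0].modifiedProperties. The watchlist column name ServicePrincipalObjectId and the high-privilege scope list are assumptions; adjust both to the CSV you built from subsection 6.2.

```kql
// Added example, not the Module 6 detection. Assumes the watchlist has a column
// named ServicePrincipalObjectId holding the approved apps' service principal
// object IDs (the same value AuditLogs reports as TargetResources[0].id).
let approved = _GetWatchlist('ApprovedOAuthApplications')
    | project ServicePrincipalObjectId = tostring(ServicePrincipalObjectId);
// Scopes that give an app mailbox, file, site or directory-wide access (assumed list).
let highPrivilege = @"\b(Mail\.ReadWrite|Mail\.Send|MailboxSettings\.ReadWrite|Files\.ReadWrite\.All|Sites\.ReadWrite\.All|Directory\.ReadWrite\.All|RoleManagement\.ReadWrite\.Directory|full_access_as_app|EWS\.AccessAsUser\.All)\b";
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Consent to application" and Result == "success"
| extend AppDisplayName      = tostring(TargetResources[0].displayName),
         ServicePrincipalId  = tostring(TargetResources[0].id),
         Consenter           = tostring(InitiatedBy.user.userPrincipalName),
         ConsenterIp         = tostring(InitiatedBy.user.ipAddress)
// Unpack the modified-properties array to reach the scopes and the admin-consent flag
| mv-expand Prop = TargetResources[0].modifiedProperties
| extend PropName = tostring(Prop.displayName), PropValue = tostring(Prop.newValue)
| where PropName in ("ConsentAction.Permissions", "ConsentContext.IsAdminConsent")
| summarize Permissions    = take_anyif(PropValue, PropName == "ConsentAction.Permissions"),
            IsAdminConsent = take_anyif(PropValue, PropName == "ConsentContext.IsAdminConsent")
    by TimeGenerated, CorrelationId, AppDisplayName, ServicePrincipalId, Consenter, ConsenterIp
| where Permissions matches regex highPrivilege
// Drop anything on the approved list; leftanti keeps only the unmatched consents
| join kind=leftanti approved on $left.ServicePrincipalId == $right.ServicePrincipalObjectId
| project TimeGenerated, Consenter, ConsenterIp, AppDisplayName, ServicePrincipalId,
          IsAdminConsent, Permissions, CorrelationId
```

Keying the watchlist on the service principal object ID rather than the display name matters: consent-phishing apps routinely copy the display name of a legitimate application, and a name-keyed allow-list would suppress exactly those alerts. Map Consenter to the Account entity and ConsenterIp to the IP entity when you create the rule.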

DET-SOC-024 — Azure Resource Manipulation

Field | Value
Name | DET-SOC-024: High-risk Azure resource creation or modification
Severity | High
MITRE ATT&CK | Defense Evasion → T1578 (Modify Cloud Compute Infrastructure)
Schedule | Every 15 minutes, 1-hour lookback

DET-SOC-028 — Token Replay

Field | Value
Name | DET-SOC-028: Cloud session token used from multiple IP addresses
Severity | High
MITRE ATT&CK | Credential Access → T1528 (Steal Application Access Token)
Schedule | Every 5 minutes, 1-hour lookback
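For the token replay rule, the added example below (not the Module 6 query) shows the aggregation that the rule name describes: group successful sign-ins by user and SessionId, and flag a session whose token was presented from more than one public IP in different autonomous systems within the window. It reads SigninLogs, which this lab's prerequisite list does not include, so it assumes the identity connector from the earlier identity lab is in place.

```kql
// Added example, not the Module 6 detection. Assumes SigninLogs is connected.
// A single SessionId seen from two ASNs inside an hour is the replay signal;
// the ASN check removes most carrier-NAT and VPN address churn.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                 // successful sign-ins only
| where isnotempty(SessionId)
| extend ASN = tostring(AutonomousSystemNumber)
| summarize
    IPs       = make_set(IPAddress, 10),
    IPCount   = dcount(IPAddress),
    ASNs      = make_set(ASN, 10),
    ASNCount  = dcount(ASN),
    Apps      = make_set(AppDisplayName, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName, SessionId
| where IPCount > 1 and ASNCount > 1
| project UserPrincipalName, SessionId, IPCount, IPs, ASNCount, ASNs, Apps, FirstSeen, LastSeen
```

Refresh-token replay after an adversary-in-the-middle phish mostly shows up as non-interactive sign-ins, so a production version of this rule should run the same aggregation over AADNonInteractiveUserSignInLogs as well; map UserPrincipalName to the Account entity and one of the IPs to the IP entity.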

Step 4: Validate all 6 rules

// Management operations recorded for the six rules in the last hour.
// SentinelAudit is only populated once auditing is enabled for the workspace
// (Sentinel > Settings > Auditing and health monitoring).
SentinelAudit
| where TimeGenerated > ago(1h)
| where SentinelResourceType has "Analytic"
| where SentinelResourceName has_any ("DET-SOC-015", "DET-SOC-016", "DET-SOC-019",
    "DET-SOC-022", "DET-SOC-024", "DET-SOC-028")
| project TimeGenerated, SentinelResourceName, Description, Status
| sort by TimeGenerated desc

All 6 rules should appear with Status "Success". A rule missing from the output was not created in this window; a "Failure" row means the create or update was rejected, and the Description column carries the reason.


Step 5: Assess your total detection coverage

With Labs 04, 05, and 08 complete, count your active detection rules:

// Distinct DET-SOC rules with a successful create or update on record.
// SentinelAudit records management operations, not rule runs, so the window
// must reach back to when the Lab 04 and Lab 05 rules were deployed.
SentinelAudit
| where TimeGenerated > ago(30d)
| where SentinelResourceType has "Analytic"
| where SentinelResourceName has "DET-SOC"
| where Status == "Success"
| distinct SentinelResourceName
| count

If you deployed all recommended rules from Labs 04, 05, and 08, you should have 13+ active rules across 4 domains. The count above also includes any rule that has since been disabled or deleted, so confirm the enabled state on the Active rules tab of the Analytics blade.


Verification checklist