Sign In

DE0.6 The Microsoft Detection Surface

2-3 hours · Module 0 · Free
Operational Objective
The Platform Advantage: Detection engineering is vendor-agnostic as a discipline. The lifecycle, the methodology, the testing — all transfer across platforms. But the implementation is profoundly platform-specific. This subsection maps the Microsoft detection surface: KQL as the query language, Sentinel analytics rules as the detection engine, Defender XDR custom detections as the endpoint/identity layer, and the unified data model that makes cross-source correlation possible without data engineering. If you run a Microsoft security stack, you have a detection surface that most organizations underutilize by an order of magnitude.
Deliverable: A map of the Microsoft detection surface — what you can detect, where the data lives, and which detection mechanism (Sentinel analytics, Defender custom detection, automation rule) applies to each scenario.
⏱ Estimated completion: 20 minutes

Why the Microsoft stack is different

Most detection engineering courses teach a fragmented model: endpoint data in one tool, identity data in another, email data in a third, cloud activity in a fourth. The detection engineer writes rules in multiple query languages against multiple data stores and manually correlates across systems.

The Microsoft security stack consolidates this. Every major telemetry source — endpoint process execution, email metadata, identity authentication, cloud application activity, on-premises Active Directory, firewall logs (via CEF/Syslog), and custom application logs — lands in a single queryable surface. KQL queries span all of it. A single Sentinel analytics rule can join SigninLogs (identity) with EmailEvents (email) with DeviceProcessEvents (endpoint) in one query. That cross-source join — “show me users who had a risky sign-in AND received a phishing email AND then ran an encoded PowerShell command on their endpoint within 60 minutes” — is the detection power that catches multi-phase attacks.

This is not theoretical. The CHAIN-HARVEST detection rule for Phase 5 (BEC from compromised account) requires exactly this: join SigninLogs (identity risk on the sender) with EmailEvents (internal email with financial keywords to executive recipients). That join is one KQL query. In a fragmented stack, it requires exporting data from two separate tools and correlating in a spreadsheet — or building a custom integration pipeline. In the Microsoft stack, it is a join operator.

THE MICROSOFT DETECTION SURFACEENDPOINTDeviceProcessEventsDeviceNetworkEventsDeviceFileEventsDeviceLogonEventsDeviceRegistryEventsDefender for Endpoint P2IDENTITYSigninLogsAADNonInteractiveUser...AuditLogsIdentityLogonEventsIdentityDirectoryEventsEntra ID P2 + Defender for IdentityEMAIL + COLLABEmailEventsEmailUrlInfoEmailAttachmentInfoOfficeActivityCloudAppEventsMDO P2 + MCAS + PurviewINFRASTRUCTURECommonSecurityLogSyslogWindowsEventAzureActivityCustom_CL tablesAMA + CEF + Custom connectorsUNIFIED KQL QUERY SURFACEOne language · One join · Cross-source correlationSENTINEL ANALYTICS RULESScheduled · NRT · Anomaly · Microsoft SecurityDEFENDER XDR CUSTOM DETECTIONSEndpoint-focused · Hourly to 24h frequencyALERTS → INCIDENTS → SOC TRIAGE

Figure DE0.4 — The Microsoft detection surface. Four telemetry domains feed into a unified KQL query surface. Detection rules deploy through two mechanisms: Sentinel analytics rules and Defender XDR custom detections.

KQL: the detection language

KQL is not just a query language — it is the detection language for the Microsoft security stack. Every analytics rule in Sentinel, every custom detection in Defender XDR, every hunt query in Advanced Hunting, and every workbook visualization is written in KQL. Learning KQL once applies everywhere.

For detection engineering specifically, KQL provides capabilities that most SIEM query languages lack. The join operator correlates across tables (identity + email + endpoint in one query). The make-series operator creates time-series baselines for anomaly detection. The arg_max and arg_min functions extract the most recent or earliest event per entity. The bag_unpack and parse_json functions handle the nested JSON structures common in Microsoft telemetry. The materialize function optimizes complex queries that reference the same filtered dataset multiple times.

This course assumes KQL proficiency. You need to write where, summarize, join, let, extend, project, and time-windowed aggregations without reference material. If you need to build that proficiency first, our Mastering KQL course provides the foundation. If you can write a multi-table join with time-windowed correlation and entity extraction, you are ready to build detection rules.

Two detection mechanisms

The Microsoft stack provides two mechanisms for deploying detection rules: Sentinel analytics rules and Defender XDR custom detections. They serve different purposes and the detection engineer uses both.

Sentinel analytics rules are the primary detection mechanism for this course. They run KQL queries against the Sentinel workspace on a configurable schedule (every 5 minutes to every 24 hours) or in near-real-time (NRT, every 1 minute). They can query any table in the workspace — Microsoft telemetry, third-party logs, custom tables. They produce alerts that are grouped into incidents and assigned to the SOC. They support entity mapping, MITRE ATT&CK tagging, and automation rules for response. The detection engineer’s core output is Sentinel analytics rules.

Defender XDR custom detections run KQL against the Advanced Hunting schema specifically — the Device, Email, Identity, and CloudApp tables. They run on fixed schedules (every 1, 3, 12, or 24 hours). They are best suited for endpoint-specific detections where the response action is Defender-native: isolate device, quarantine file, block URL, disable user. They cannot query third-party data (CommonSecurityLog, Syslog, custom tables). Use them when the detection and response are both in the Defender ecosystem.

When to use which: If the detection requires third-party data (firewall logs, Linux syslog, custom application logs) — Sentinel. If the detection requires near-real-time response (NRT rule at 1-minute cadence) — Sentinel. If the detection and response are both endpoint-native (detect process, isolate device) — Defender custom detection is faster to deploy. If the detection requires cross-source correlation (identity + email + endpoint) — Sentinel, because it can join all sources in one query. This course builds primarily in Sentinel with Defender custom detections noted where they offer an advantage.

⚠ Compliance Myth: "Defender XDR already detects everything — we do not need custom Sentinel rules"

The myth: Microsoft Defender XDR includes built-in detection capabilities (Fusion, behavioral analytics, threat intelligence matching). If Defender is licensed and configured, the built-in detections handle threat detection and Sentinel analytics rules are only needed for third-party data.

The reality: Defender XDR’s built-in detections are excellent for known attack patterns that Microsoft’s threat intelligence team has characterized. They are general-purpose. They do not know that your organization’s crown jewels are on 4 RHEL servers in Bristol, that your field engineers fly between sites 3 times per week (making impossible travel rules useless without tuning), or that your ERP system on Server 2016 still accepts legacy authentication. Custom Sentinel analytics rules add the environmental specificity that built-in detections cannot provide. The built-in detections handle the broad threat landscape. Your custom rules handle the threats specific to your organization.

The unified data model advantage

The single most valuable property of the Microsoft detection surface is the unified data model. Every Defender product writes to tables that share common entity fields: AccountUpn, DeviceName, IPAddress, Url, FileName. When you build a detection rule that joins SigninLogs with DeviceProcessEvents, the AccountUpn field in both tables refers to the same entity. No field mapping. No data normalization. No ETL pipeline.

In a heterogeneous environment (Splunk for SIEM, CrowdStrike for EDR, Okta for identity), building a cross-source detection rule requires: extracting the username from CrowdStrike’s process telemetry (field name: UserName), extracting the username from Okta’s sign-in events (field name: actor.alternateId), normalizing both to a common format, and joining on the normalized field. That normalization is a detection engineering tax that every cross-source rule must pay.

In the Microsoft stack, the tax is zero. SigninLogs | join DeviceProcessEvents on AccountObjectId works immediately. The entity is the same across all tables. This is not a minor convenience — it is a structural advantage that makes cross-source detection rules practical to build and maintain. The detection engineer spends their time on the detection logic, not on data engineering.

Try it yourself

Exercise: Map your data sources

Open your Sentinel workspace. Navigate to Logs. Run: search * | summarize count() by $table | sort by count_ desc | take 30. This shows every table with data and its volume. Which of the four telemetry domains (endpoint, identity, email, infrastructure) are represented? Which are missing?

Missing domains are detection blind spots — you cannot detect what you cannot see. DE0.6 maps Northgate Engineering's complete data source inventory and identifies the gaps.

Check your understanding

You need to build a detection rule that fires when a user with a risky sign-in (from SigninLogs) sends an email with financial keywords (from EmailEvents) to an executive recipient within 60 minutes of the risky sign-in. Should you build this as a Sentinel analytics rule or a Defender XDR custom detection?

Answer: Sentinel analytics rule. The detection requires a cross-source join between SigninLogs (identity) and EmailEvents (email) with a time-windowed correlation. While both tables are available in Advanced Hunting (and therefore technically queryable by a Defender custom detection), the scheduled cadence flexibility and automation rule integration in Sentinel make it the better deployment target. Additionally, this rule benefits from Sentinel's NRT capability if the organization wants near-real-time BEC detection.

Troubleshooting: Common platform questions

“We have Sentinel but not all Defender products. Can we still do detection engineering?” Yes. Detection engineering works with whatever data sources are connected to your workspace. If you have Defender for Endpoint and Entra ID but not Defender for Office 365, you build endpoint and identity detection rules. Your email detection coverage will be limited to what you can extract from OfficeActivity (audit logs) rather than EmailEvents (full email metadata). The methodology is the same — the data sources constrain which techniques you can detect, not whether you can do detection engineering.

“We use Defender XDR but not Sentinel. Can we still take this course?” Partially. Defender XDR Advanced Hunting provides the query surface for building and testing detection rules, and custom detections provide a deployment mechanism. You lose Sentinel-specific capabilities: NRT rules, third-party data correlation, automation rules with Logic Apps playbooks, and workbook-based coverage reporting. The core detection engineering methodology still applies, but DE9 (testing), DE10 (detection-as-code), and DE11 (capstone) are built for Sentinel deployment.

“Our Sentinel ingestion is expensive. Adding more rules will increase cost.” Analytics rules query existing data — they do not ingest new data. Running a KQL query against SigninLogs that is already in your workspace costs zero additional ingestion. The cost increase comes from connecting NEW data sources (if your coverage assessment reveals gaps in telemetry), not from building rules against existing data. Detection engineering is one of the highest-ROI activities in security operations precisely because it extracts more value from data you already pay to ingest.

📋 Operational Artifact — Detection Surface Inventory

Sentinel workspace: [workspace name]

Endpoint telemetry: DeviceProcessEvents [Y/N], DeviceNetworkEvents [Y/N], DeviceFileEvents [Y/N], DeviceLogonEvents [Y/N], DeviceRegistryEvents [Y/N]

Identity telemetry: SigninLogs [Y/N], AADNonInteractiveUserSignInLogs [Y/N], AuditLogs [Y/N], IdentityLogonEvents [Y/N], IdentityDirectoryEvents [Y/N]

Email telemetry: EmailEvents [Y/N], EmailUrlInfo [Y/N], EmailAttachmentInfo [Y/N], OfficeActivity [Y/N]

Cloud app telemetry: CloudAppEvents [Y/N]

Infrastructure telemetry: CommonSecurityLog [Y/N], Syslog [Y/N], WindowsEvent [Y/N]

Detection mechanisms available: Sentinel analytics (scheduled) [Y/N], Sentinel NRT [Y/N], Defender custom detections [Y/N]

Missing telemetry domains: ___

References used in this subsection

  • Course cross-references: DE1 (Sentinel analytics rule architecture), DE3-DE8 (rule building across all domains), Mastering KQL course (KQL proficiency prerequisite)

The Microsoft detection surface: data source inventory

1
2
3
4
5
6
7
8

// DATA SOURCE INVENTORY: What tables are ingesting data and at what volume?
Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize DailyGB = round(sum(Quantity) / 1024, 2) by DataType
| sort by DailyGB desc
// This shows your ACTUAL data surface  every table with data is a potential detection source
// Tables with 0 volume are connected but not receiving events (investigate)
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of Detection Engineering

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← DE0.5 Why Vendor Detection Is Not Enough DE0.7 The Data You Already Have →