Module 1: Detection Rule Architecture in Microsoft Sentinel

2-3 hours · Free tier

DE0 established why detection engineering matters. This module teaches how the detection engine works.

Every production detection rule you build in DE3 through DE8 is deployed as either a Sentinel analytics rule or a Defender XDR custom detection. If you do not understand the architecture of these mechanisms — how query frequency affects detection latency, how lookback windows interact with event deduplication, how entity mapping enables incident correlation, how trigger thresholds determine when an alert fires — you will build rules that are technically correct but operationally broken. A query that returns the right results in Advanced Hunting does not automatically become a good analytics rule. The architecture decisions around that query determine whether the rule detects threats reliably or generates noise that degrades your SOC.

This module covers every configurable field in a Sentinel analytics rule, explains the operational impact of each choice, demonstrates common architectural mistakes, and introduces the rule specification template that every detection rule in this course starts with. By the end, you will be able to read any analytics rule configuration and predict its operational behavior — detection latency, alert volume, false positive patterns, and correlation capability.

Module structure

  • DE1.1 Sentinel Analytics Rule Types
  • DE1.2 Scheduled Rules — Query and Lookback Window
  • DE1.3 Scheduled Rules — Frequency and Trigger Logic
  • DE1.4 Entity Mapping and Alert Enrichment
  • DE1.5 Severity Classification and MITRE ATT&CK Mapping
  • DE1.6 NRT Rules — When Seconds Matter
  • DE1.7 Anomaly Rules and Fusion
  • DE1.8 Defender XDR Custom Detections
  • DE1.9 Alert Grouping and Incident Creation
  • DE1.10 Automation Rules and Response Integration
  • DE1.11 The Rule Specification Template
  • DE1.12 Common Architecture Mistakes and Anti-Patterns
  • Summary: Module recap and artifact inventory
  • Check My Knowledge: Scenario-based assessment

Prerequisites

Complete DE0 (The Detection Gap). You need to understand why detection rules matter before learning how they work. KQL proficiency is assumed — you can write queries with where, summarize, join, and let. If you need KQL foundations, complete the Mastering KQL course first.
