One of the things we’re not quite clear about in our documentation is that enabling Analytics Rules is part of the overall setup of Azure Sentinel. I can’t count the number of times I have worked with customers who have stood up Azure Sentinel and enabled the Data Connectors they want, but then are left scratching their heads about what’s next. Enabling Analytics Rules is the next step and really should be part of the Data Connector enablement.
We’ve done a much better job recently by providing the ability to enable associated Analytics Rules within the Data Connectors pages themselves on the “Next Steps” tab (as shown below).
However, it’s still a tedious task to enable all applicable Analytics Rules. Even though we’ve added the “Create Rule” action button on the page, you still have to click through each provided Analytics Rule, which can take time. The Office 365 connector, for example, currently has 18 applicable Analytics Rules, and making sure each one is enabled can seem to take a lifetime. My hope is that eventually we’ll provide the ability to multi-select Analytics Rules and click one “Enable Rule(s)” action button to kick off the process. But, for now, you still have to enable each rule individually – which means being presented with the enablement step-through wizard.
The ability to click through the Wizard steps allows you to adjust the logic, schedule, threshold, noise, etc. for the Analytics Rule. You should definitely go back through the Wizard for each Analytics Rule over time to adjust it to better fit your organization’s security personality, but, truthfully, just enabling the Analytics Rule is the key to finalizing setup and causing Azure Sentinel to begin engaging, analyzing, and alerting on the data you are ingesting.
To do this, you don’t have to run through the entire Wizard. To simply enable the rule, skip to the end by clicking directly on the Review and Create step and choosing Create. Once enabled, the UI will direct you back to the list of other applicable Analytics Rules so you can shortcut the process for each one.
Not as quick as it would be if multi-select and enable was an option, but definitely a lot quicker than stepping through the Wizard each time.
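Until multi-select arrives in the portal, the same shortcut (take the template’s default logic, schedule and threshold, just flip it on) can be scripted against the Azure Sentinel REST API. The script below is an added example, not part of this post or of the product, and goes slightly beyond the Office 365 case by taking the connector id as a parameter; it assumes the Az.Accounts module is installed, `Connect-AzAccount` has already been run, and the placeholder subscription, resource group and workspace values are replaced.

```powershell
# Added example: enable every Scheduled Analytics Rule template that lists the given
# data connector as required, via Invoke-AzRestMethod (Az.Accounts) and the
# Microsoft.SecurityInsights REST API. Placeholders below must be filled in.
param(
    [string]$SubscriptionId = "<subscription-id>",
    [string]$ResourceGroup  = "<resource-group>",
    [string]$Workspace      = "<sentinel-workspace>",
    [string]$ConnectorId    = "Office365",   # connectorId as it appears in requiredDataConnectors
    [switch]$DryRun                          # list what would be enabled without creating rules
)

$apiVersion = "2020-01-01"
$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights"

# 1. Pull the rule templates (the same list the connector's "Next steps" tab reads from).
$resp = Invoke-AzRestMethod -Method GET -Path "$base/alertRuleTemplates?api-version=$apiVersion"
if ($resp.StatusCode -ne 200) { throw "Template list failed: $($resp.StatusCode) $($resp.Content)" }
$templates = ($resp.Content | ConvertFrom-Json).value

# 2. Keep only Scheduled templates that require the chosen connector.
$applicable = @($templates | Where-Object {
    $_.kind -eq "Scheduled" -and
    ($_.properties.requiredDataConnectors | Where-Object { $_.connectorId -eq $ConnectorId })
})
Write-Host "$($applicable.Count) Scheduled template(s) reference connector '$ConnectorId'"

# 3. Create one enabled rule per template with the template's defaults, which is
#    what jumping straight to "Review and Create" in the Wizard does.
foreach ($t in $applicable) {
    $p = $t.properties
    if ($DryRun) { Write-Host "Would enable: $($p.displayName)"; continue }
    $body = @{
        kind       = "Scheduled"
        properties = @{
            displayName           = $p.displayName
            description           = $p.description
            enabled               = $true
            severity              = $p.severity
            query                 = $p.query
            queryFrequency        = $p.queryFrequency
            queryPeriod           = $p.queryPeriod
            triggerOperator       = $p.triggerOperator
            triggerThreshold      = $p.triggerThreshold
            suppressionDuration   = "PT1H"
            suppressionEnabled    = $false
            alertRuleTemplateName = $t.name   # ties the rule back to its template in the UI
        }
    } | ConvertTo-Json -Depth 5
    $ruleId = [guid]::NewGuid().Guid      # rule ids are caller-chosen; a new GUID is conventional
    $put = Invoke-AzRestMethod -Method PUT -Path "$base/alertRules/$ruleId?api-version=$apiVersion" -Payload $body
    Write-Host ("{0,-4} {1}" -f $put.StatusCode, $p.displayName)
}
```

Run it once with `-DryRun` to confirm the template count matches what the connector page shows before creating anything; rules created this way can still be tuned later through the Wizard like any other.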