Task 1.2: Understand Detection Modeling

You will perform no actions in this exercise. These instructions are only an explanation of the attacks you will perform in the next exercise. Please read this page carefully.

The attack-detect configuration cycle used in this lab represents all data sources even though you are only focused on two specific data sources.

To build a detection, you first start with building a KQL statement. Since you’ll attack a host, you’ll have representative data to start building the KQL statement.

After you have the KQL statement, you create the analytics rule.

Once the rule triggers and creates the alerts and incidents, you then investigate to decide if you’re providing fields that help Security Operations Analysts in their investigation.

Next, you’ll make other changes to the analytics rule.

Some alerts will be triggered in a shorter time-frame just for our lab purpose.