Effective December 14, 2023, the integration between Microsoft Azure Sentinel and Nebula has reached its End of Maintenance (EOM). While the integration remains available for use, we would like to inform you that it will no longer receive updates. We encourage you to exercise caution when using this integration, as any use will be at your own risk. We are committed to providing ongoing support for common product usage questions and access to our online articles.
Create custom rules in Azure Sentinel that generate incidents based on incoming Nebula event data. The incidents trigger based on criteria that you customize in the following procedure. This article shows how to create Nebula alert rules and provides two sample rule queries.
Create Nebula Alert Rules
- In Azure Sentinel, click Analytics.
- Click Create.
- In the drop-down, click Scheduled query rule.
- In the General tab, set a Name.
- Select the Severity for Nebula events to trigger incidents.
- Click Next: Set rule logic.
- In the Set rule logic tab, define the logic for your new analytic rule. Below are two example rule queries:
Malware or any potential threats by type and severity:

Syslog
| where SyslogMessage contains "Malwarebytes"
| project SyslogMessage
| extend Category = extract("cat=([a-zA-Z]+)", 1, SyslogMessage)
| where Category == "Malware"

Suspicious activity:

Syslog
| where SyslogMessage contains "Malwarebytes"
| project SyslogMessage
| extend EventAction = extract("[|][a-zA-Z]+[|][A-Za-z ]+[|][a-zA-Z0-9. ]+[|][a-zA-Z]+[|]([a-zA-Z ]+)[|]", 1, SyslogMessage)
| where EventAction contains "Suspicious Activity"

- Set values for the required fields under Query scheduling.
- Set a value for the required field under Alert threshold.
- Click Next: Incident Settings (Preview).
- In the Incident Settings (Preview) tab, enable or disable Alert grouping rules.
- Click Next: Automated response.
- Click Next: Review and create.
- Click Create to finalize your alert rule.
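Before scheduling the two sample rules above, it helps to confirm offline that their extract() regexes pull the intended field out of a Nebula syslog line. The following Python harness is an added example, not code from this article or from Malwarebytes; it reuses the page's two regexes unchanged and runs them over constructed sample messages whose CEF-style layout is assumed, not copied from real Nebula output.

```python
import re

# Regexes copied verbatim from the two Sentinel rule queries on this page.
# KQL extract() uses RE2 syntax; for these two patterns Python's re behaves identically.
CATEGORY_RE = re.compile(r"cat=([a-zA-Z]+)")
EVENT_ACTION_RE = re.compile(
    r"[|][a-zA-Z]+[|][A-Za-z ]+[|][a-zA-Z0-9. ]+[|][a-zA-Z]+[|]([a-zA-Z ]+)[|]"
)

# Constructed sample SyslogMessage values (assumed format, NOT real Nebula output):
# a pipe-delimited CEF-style header followed by key=value extensions.
SAMPLE_MESSAGES = [
    "CEF:0|Malwarebytes|Malwarebytes Nebula|1.0|Detection|Malware detected|5|cat=Malware src=10.0.0.5",
    "CEF:0|Malwarebytes|Malwarebytes Nebula|1.0|Detection|Suspicious Activity|3|cat=Behavior src=10.0.0.7",
    "CEF:0|Malwarebytes|Malwarebytes Nebula|1.0|Status|Scan completed|1|cat=Status src=10.0.0.9",
    "sshd[123]: Accepted publickey for ops from 10.0.0.2",  # unrelated line, must never match
]


def kql_contains(haystack, needle):
    """KQL 'contains' is case-insensitive; Python's 'in' is not, so normalise here."""
    return needle.lower() in haystack.lower()


def extract(pattern, message):
    """Mirror KQL extract(regex, 1, source): first capture group, or empty string if no match."""
    m = pattern.search(message)
    return m.group(1) if m else ""


def malware_rule(messages):
    """Rule 1: Malwarebytes messages whose cat= field is exactly 'Malware' (KQL == is case-sensitive)."""
    return [m for m in messages
            if kql_contains(m, "Malwarebytes") and extract(CATEGORY_RE, m) == "Malware"]


def suspicious_activity_rule(messages):
    """Rule 2: Malwarebytes messages whose CEF Name field contains 'Suspicious Activity'."""
    return [m for m in messages
            if kql_contains(m, "Malwarebytes")
            and kql_contains(extract(EVENT_ACTION_RE, m), "Suspicious Activity")]


if __name__ == "__main__":
    for name, rule in (("malware", malware_rule), ("suspicious", suspicious_activity_rule)):
        for hit in rule(SAMPLE_MESSAGES):
            print(f"{name}: {hit}")
```

Swap in a few real SyslogMessage rows from your own Syslog table to check that the assumed field order matches what your Nebula forwarder actually emits.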
For more information, see Microsoft's support article Tutorial: Create custom analytic rules to detect suspicious threats.