As we continue to deliver on our vision to simplify security workflows for the SOC, we are making custom detections the unified solution for building and managing rules over Defender XDR and Sentinel...
1. Can we assume that in the future, the custom detection or analytic rule will be able to search in the XDR data for free (such as all defender for endpoint tables) instead of having to ship it to sentinel?
2. What about MSSPs that have connected DevOps or GitHub repos to customers' Sentinel and deploy Analytic rules (and other items) through them? The image makes me believe we will be able to deploy custom detections through those channels (I assume they will have the same JSON structure as current analytic rules in DevOps). But where will the actual resource end up, in Sentinel (in Azure), or will Sentinel funnel them over to the XDR portal when using those repositories? (It can be important, as we now have to manage items in 2 places, limits on amounts are different, etc.) (On that note, the eu.prod.dps.sentinel.azure.com endpoint died a few months back, so the status of such repository connections is not updating; all of them are showing gray status.)
3. Edit: And will we need to re-approve current repository setups, or will it be able to use current setups and Microsoft's supplied script/YAML? Or will we have to re-approve for a new type "custom detections" (alongside the old analytic rules, workbooks, etc.)?
1. Yes - today you can use custom detections to search in all XDR tables and even join them with data you have in Sentinel - without shipping the XDR data to Sentinel! This was written in the highlights section of the blog (I assume this was not clear?):
Cost reduction – Write a detection combining XDR and Sentinel data without extra Sentinel ingestion costs.
2 + 3. Sentinel repositories will indeed support custom detections, which will be deployed to your Defender tenant (and not to Azure). We can't commit yet to specific details such as the JSON structure and setup process. We will publish detailed documentation when the feature is ready and available to use :)