
Detection Rules

Detection Rules Aligned with MITRE ATT&CK for Maximum Visibility and Minimal False Positives

Our Microsoft Sentinel service includes a carefully curated set of detection rules designed to identify common attack techniques in Microsoft 365 and Azure environments. Wherever possible, each rule is mapped to the MITRE ATT&CK technique it detects, so that security coverage is transparent and gaps are visible rather than assumed.

Included Categories

Identity Threats

  • Suspicious sign-in patterns (e.g. sign-ins from IP addresses with a known malicious reputation)

  • Adversary-in-the-Middle (AiTM) phishing detection


Email & Collaboration Threats

  • Suspicious mailbox rule creation

  • Mailbox rules that automatically forward, redirect or delete mail

  • Abuse of OAuth applications for persistence
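The mailbox-rule bullets above describe the detection at category level. The following query is an added illustration of what such a rule looks like as a Microsoft Sentinel scheduled analytics rule in KQL; it is not one of the rules shipped with the service and is not code from this page. It assumes the Microsoft 365 data connector is populating the OfficeActivity table, and the lookback window and the list of parameter names it searches for are assumptions chosen for the example, taken from the Exchange Online cmdlet parameters that create forwarding, redirection or deletion behaviour.

```kql
// Added example, not a rule shipped with the service.
// Inbox rules that forward, redirect or delete mail are a common persistence
// and collection step after a mailbox compromise (MITRE ATT&CK T1114.003,
// Email Collection: Email Forwarding Rule). Assumes the OfficeActivity table
// populated by the Microsoft 365 data connector.
let lookback = 1d;                                        // assumed rule schedule window
let riskyParams = dynamic([
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   // copies or redirects mail outward
    "DeleteMessage", "MoveToFolder",                      // hides messages from the user
    "ForwardingSmtpAddress", "ForwardingAddress"          // mailbox-level forwarding (Set-Mailbox)
]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
// Parameters holds the cmdlet parameters as a JSON string; a plain text
// search is enough to decide whether one of the risky parameters was set.
| extend Params = tostring(Parameters)
| where Params has_any (riskyParams)
| project TimeGenerated, UserId, ClientIP, Operation, Params
| order by TimeGenerated desc
```

In practice this is where the tuning described later on the page happens: exclusions for forwarding to the organisation's own domains or to known shared mailboxes, entity mapping on UserId and ClientIP so the alert carries the account and source address into the incident, and the T1114.003 mapping recorded in the rule's MITRE ATT&CK metadata so it shows up in coverage reporting.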


Endpoint & Device Threats

  • Alerts from Microsoft Defender for Endpoint

  • Sign-ins from compromised devices

  • Attempts at privilege escalation

Cloud Resource Threats

  • Changes in role assignments

  • Unusual activity on critical resources

  • Suspicious use of service principals

 

A full list of detection rules is available in our Help Center under “Detection Rules.”

 

Rule Maintenance

  • Rules are continuously maintained and updated by our team.

  • Noisy rules are tuned, and outdated rules revised, to minimize false positives.

  • New rules are added as attack techniques evolve.

  • Rule behaviour is monitored on an ongoing basis and adjusted as needed.


Customer Engagement

  • Customers can request new detection rules.

  • If a rule is relevant for all customers, we add it at no additional cost.

  • Rules that are specific to one customer can still be added, but may require a consultancy engagement.

  • Together we refine thresholds and exceptions to reduce unnecessary alerts.

  • All active rules are documented and visible within the Sentinel workspace.