A practical approach I would like feedback on from people running detections for real.

The problem: Sentinel analytics rules usually only get tested by waiting to see if they fire in a live workspace. Thatmakes refactoring risky and makes the logic impossible to verify on a fork or in CI.

What I did: each rule's real KQL runs against synthetic AzureActivity and SigninLogs fixtures in a local Kusto emulator (kustainer), asserting it fires on malicious data and stays silent on benign. No live tenant needed, so the logic is reproducible by anyone and it gates every change in CI before deploy.

The repo around it is a detection-as-code setup on a live Sentinel and Defender XDR environment: 9 KQL rules across the Azure control plane, endpoint, and identity, each mapped to MITRE ATT&CK, deployed by a PR-gated pipeline over OIDC. It also runs a live benign and attack validation harness, and deliberately makes no "0 percent false positive rate" claim, because a single-tenant environment cannot produce a meaningful FP rate, so it reports measured false fires instead.

What I would like blue-team feedback on: whether the multi-stage correlation rule (a privilege grant followed by a deployment by the same principal within a short window) holds up against real noise, and which of the control-plane rules you would expect to be noisy in production and how you would tune them.

Repo: https://github.com/ibondarenko1/azure-sentinel-detection-engineering

For honesty: I am moving into detection engineering and built this to practice the craft, so critical feedback is the point.