How to Be Notified When an Azure Sentinel Analytics Rule Has been Created or Modified

It may seem a bit anal (personally, I don’t think it is), but for security teams that want to “watch the watchers” they want to be notified when certain things in the Azure Sentinel structure are modified or created. I’ve been asked about this numerous times for the various areas in Azure Sentinel.

To start down this path (I’ll include more as time goes on), here’s an example of an Analytics Rules that can be created to report when someone creates or modifies an Analytics Rule.

Here’s the KQL query:

AzureActivity
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID

As an Analytics Rule, this will generate an Incident whenever someone creates of modifies an Analytics Rules and record the user, the user’s IP address, and the Analytics Rule’s system ID in the Incident’s Entities.

Who done it? User, IP, and rule ID

NOTE: In the KQL query provided above, I use the filter command to search for “Success” in ActivityStatusValue. There seems to be a discrepancy between AzureActivity table schema contents in different regions that I’m researching. If “Success” doesn’t work for you, use “Succeeded”, i.e., replace | where ActivityStatusValue == “Success” with | where ActivityStatusValue == “Succeeded”

Recommendation:

You may not want to generate an Incident for this, but instead only want an email delivered to the individual who likes to receive reports on such things. You can toggle-off Incident creation in the Analytics Rule on the Incident settings (Preview) tab and then assign a Playbook that sends an email on the Automated response tab.

Turn off Incident creation and just send an email notification

If you modify the KQL query just a bit, it also becomes useful in a Workbook. So, instead of being updated through an Incident or an email, just use the dynamic reporting capabilities built into Azure Sentinel.

AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
| project TimeGenerated, AccountCustomEntity, IPCustomEntity, URLCustomEntity

Lastly, you might ask…how do I take the Analytics Rule ID and figure out the actual Analytics Rule name?

Take the Analytics_Rule_ID (just the number portion) from the previous output and insert it into the <your_Analytics_Rule_ID> in the KQL query below and run it.

SecurityAlert
| where ProviderName contains "ASI" and AlertType contains "<your_Analytics_Rule_ID>"
| distinct DisplayName

The most current version of this Analytics Rule/KQL query is always located here: https://github.com/rod-trent/SentinelKQL/blob/master/AnalyticsRuleCreatedorModified.txt

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

Authors