It may seem a bit anal (personally, I don’t think it is), but security teams that want to “watch the watchers” also want to be notified when certain things in the Azure Sentinel structure are created or modified. I’ve been asked about this numerous times for the various areas of Azure Sentinel.
To start down this path (I’ll include more as time goes on), here’s an example of an Analytics Rule that can be created to report when someone creates or modifies an Analytics Rule.
Here’s the KQL query:
AzureActivity
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
As an Analytics Rule, this will generate an Incident whenever someone creates or modifies an Analytics Rule, and it records the user, the user’s IP address, and the Analytics Rule’s system ID in the Incident’s Entities.
NOTE: In the KQL query above, I use a where filter to match “Success” in ActivityStatusValue. There seems to be a discrepancy in the contents of the AzureActivity table schema between regions, which I’m still researching. If “Success” doesn’t work for you, use “Succeeded”, i.e., replace | where ActivityStatusValue == "Success" with | where ActivityStatusValue == "Succeeded"
You may not want to generate an Incident for this, but instead only want an email delivered to the individual who likes to receive reports on such things. You can toggle off Incident creation in the Analytics Rule on the Incident settings (Preview) tab and then assign a Playbook that sends an email on the Automated response tab.
If you modify the KQL query just a bit, it also becomes useful in a Workbook. So, instead of being updated through an Incident or an email, just use the dynamic reporting capabilities built into Azure Sentinel.
AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
| project TimeGenerated, AccountCustomEntity, IPCustomEntity, URLCustomEntity
Lastly, you might ask…how do I take the Analytics Rule ID and figure out the actual Analytics Rule name?
Take the Analytics_Rule_ID (just the number portion) from the previous output and insert it into the <your_Analytics_Rule_ID> in the KQL query below and run it.
SecurityAlert
| where TimeGenerated >= ago(90d)
| extend RuleID = parse_json(tostring(parse_json(ExtendedProperties)["Analytic Rule Ids"]))
| where ProviderName contains "ASI" and RuleID contains "<your_Analytics_Rule_ID>"
| distinct DisplayName
There’s a caveat here, though. For the rule name to show in the results (which come from the SecurityAlert table), the rule has to have fired recently, within the query’s time window.
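As an added example that is not from the post or the linked repository, the following query does the lookup above in one step: it joins the rule write events to the most recent SecurityAlert row for each rule, so the rule name appears next to the caller without copying IDs by hand. It assumes the rule ID in Properties.resource and in "Analytic Rule Ids" is the rule’s GUID, and the "Success"/"Succeeded" caveat from the NOTE still applies.

```kql
// Added example, not the post's own query. Assumption: the Analytics Rule ID
// that appears in Properties.resource (AzureActivity) and in the
// "Analytic Rule Ids" array (SecurityAlert.ExtendedProperties) is the rule GUID.
let lookback = 90d;
// Most recent alert name seen for each rule GUID within the window.
let RuleNames = SecurityAlert
    | where TimeGenerated >= ago(lookback)
    | where ProviderName contains "ASI"
    | extend RuleIDs = parse_json(tostring(parse_json(ExtendedProperties)["Analytic Rule Ids"]))
    | mv-expand RuleID = RuleIDs
    | extend RuleID = tolower(tostring(RuleID))
    | summarize arg_max(TimeGenerated, DisplayName) by RuleID
    | project RuleID, LastAlertName = DisplayName, LastAlertTime = TimeGenerated;
// Successful create/modify operations on analytics rules, with the GUID pulled
// out of the resource string so it can be joined to the alerts.
AzureActivity
| where TimeGenerated >= ago(lookback)
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Success"   // use "Succeeded" if your region needs it
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend RuleID = extract(@"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", 1, tolower(Analytics_Rule_ID))
| join kind=leftouter RuleNames on RuleID
| project TimeGenerated, Caller, CallerIpAddress, Analytics_Rule_ID,
          RuleName = coalesce(LastAlertName, "(no alert in window)"), LastAlertTime
| order by TimeGenerated desc
```

Rules that were written but have not fired inside the window show "(no alert in window)" rather than dropping out of the results, which is itself worth a look: a newly created rule that never fires may be misconfigured or deliberately disabled.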
The most current version of this Analytics Rule/KQL query is always located here: https://github.com/rod-trent/SentinelKQL/blob/master/AnalyticsRuleCreatedorModified.txt
Post title: How to Be Notified When an Azure Sentinel Analytics Rule Has been Created or Modified