# Audit Sentinel Detection Rules
### Prerequisites : [Configure Audit in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring)
### Purpose : Detection / analytics rules are at times changed directly in the production instance, for several reasons:
+ Because no DevOps workflow has been set up.
+ Because of urgency.
Here is a KQL query to identify such scenarios, together with a KQL function (deployed as a workspace saved search via an ARM template) that can be used to display the changes.
### Demo - [Audit Sentinel Detection Rules](https://www.youtube.com/watch?v=v7XQSBnzfHg)
Query
```
_SentinelAudit()
| where SentinelResourceType =="Analytic Rule" and Description == "Create or update analytics rule."
| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)
| project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties
| extend query_ = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.UpdatedResourceState)).properties)).query)
| extend CallerName_ = tostring(ExtendedProperties.CallerName)
| extend CallerIpAddress_ = tostring(ExtendedProperties.CallerIpAddress)
| summarize arg_max(TimeGenerated,*) by query_, CallerIpAddress_, CallerName_, SentinelResourceName
| project TimeGenerated, CallerName_, CallerIpAddress_,SentinelResourceName, query_
| order by SentinelResourceName
```
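The query above keeps one row per distinct (query text, caller, caller IP, rule name) combination and shows only the latest save of each. The following Python script is an added example, not code from the Azure-Sentinel repository: it applies the same filter and field extraction to a handful of constructed `_SentinelAudit`-style records (the rule names, callers, IPs and queries are made up, and the nested JSON-string shape of `ExtendedProperties.UpdatedResourceState` is assumed from the double `parse_json(tostring(...))` in the query), reproduces the `arg_max` de-duplication, and then goes one step further than the KQL by producing a unified diff between consecutive query versions of each rule so a reviewer can see exactly what was changed out of band.

```python
import difflib
import json
from collections import defaultdict
from typing import Any, Optional

RULE_TYPE = "Analytic Rule"
RULE_DESC = "Create or update analytics rule."


def _as_obj(value: Any) -> Any:
    """Mirror KQL parse_json(tostring(...)): accept a JSON string or an already-parsed object."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return {}
    return value if value is not None else {}


def parse_event(record: dict) -> Optional[dict]:
    """Same filter and extraction as the README query; None when the record is not a rule create/update."""
    if record.get("SentinelResourceType") != RULE_TYPE or record.get("Description") != RULE_DESC:
        return None
    ext = _as_obj(record.get("ExtendedProperties"))
    props = _as_obj(_as_obj(ext.get("UpdatedResourceState")).get("properties"))
    return {
        "TimeGenerated": record["TimeGenerated"],
        "SentinelResourceName": record.get("SentinelResourceName", ""),
        "CallerName_": str(ext.get("CallerName", "")),
        "CallerIpAddress_": str(ext.get("CallerIpAddress", "")),
        "query_": str(props.get("query", "")),
    }


def latest_per_version(records: list) -> list:
    """Equivalent of: summarize arg_max(TimeGenerated, *) by query_, CallerIpAddress_, CallerName_, SentinelResourceName."""
    latest = {}
    for rec in records:
        ev = parse_event(rec)
        if ev is None:
            continue
        key = (ev["query_"], ev["CallerIpAddress_"], ev["CallerName_"], ev["SentinelResourceName"])
        # ISO-8601 UTC timestamps of identical format compare correctly as strings.
        if key not in latest or ev["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = ev
    return sorted(latest.values(), key=lambda e: (e["SentinelResourceName"], e["TimeGenerated"]))


def query_diffs(records: list) -> dict:
    """Beyond the KQL: unified diff between consecutive query versions of each rule, keyed by rule name."""
    by_rule = defaultdict(list)
    for ev in latest_per_version(records):
        by_rule[ev["SentinelResourceName"]].append(ev)
    diffs = {}
    for rule, events in by_rule.items():
        events.sort(key=lambda e: e["TimeGenerated"])
        changes = []
        for prev, cur in zip(events, events[1:]):
            if prev["query_"] == cur["query_"]:
                continue  # same text re-saved by another caller: no logic change to show
            diff = "\n".join(difflib.unified_diff(
                prev["query_"].splitlines(), cur["query_"].splitlines(),
                fromfile=f"{prev['CallerName_']} @ {prev['TimeGenerated']}",
                tofile=f"{cur['CallerName_']} @ {cur['TimeGenerated']}",
                lineterm=""))
            changes.append({"from": prev, "to": cur, "diff": diff})
        diffs[rule] = changes
    return diffs


def _audit(time, rule, caller, ip, query, desc=RULE_DESC, rtype=RULE_TYPE) -> dict:
    """Build one constructed audit record; UpdatedResourceState is stored as a JSON string, as the query assumes."""
    return {
        "TimeGenerated": time, "SentinelResourceType": rtype, "Description": desc,
        "SentinelResourceName": rule, "Status": "Success",
        "ExtendedProperties": {
            "CallerName": caller, "CallerIpAddress": ip,
            "ResourceId": "/subscriptions/PLACEHOLDER/alertRules/" + rule.replace(" ", "-").lower(),
            "UpdatedResourceState": json.dumps({"properties": {"query": query}}),
        },
    }


# Constructed sample data (hypothetical users, IPs and queries).
Q1 = "SigninLogs | where ResultType != 0"
Q2 = Q1 + "\n| where RiskLevelDuringSignIn == 'high'"
SAMPLE_AUDIT = [
    _audit("2023-04-02T10:00:00Z", "Suspicious Sign-in", "alice@contoso.example", "203.0.113.10", Q1),
    _audit("2023-04-02T11:00:00Z", "Suspicious Sign-in", "alice@contoso.example", "203.0.113.10", Q1),  # re-save
    _audit("2023-04-03T09:30:00Z", "Suspicious Sign-in", "bob@contoso.example", "198.51.100.7", Q2),
    _audit("2023-04-03T10:00:00Z", "Suspicious Sign-in", "bob@contoso.example", "198.51.100.7", Q2,
           desc="Delete analytics rule."),  # filtered out: not a create/update
    _audit("2023-04-03T12:00:00Z", "Rare Process", "carol@contoso.example", "192.0.2.5",
           "SecurityEvent | where EventID == 4688"),
]

if __name__ == "__main__":
    for row in latest_per_version(SAMPLE_AUDIT):
        print(row["TimeGenerated"], row["SentinelResourceName"], row["CallerName_"], row["CallerIpAddress_"])
    for rule, changes in query_diffs(SAMPLE_AUDIT).items():
        for change in changes:
            print(f"\n== {rule} ==\n{change['diff']}")
```

Running the script lists three de-duplicated rows (the two identical saves by alice collapse to the later one) and prints the one-line addition bob made to "Suspicious Sign-in"; the diff output is the piece to attach to a change ticket or forward to the rule owner.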
While this query can be run ad hoc in Log Analytics, it is also useful to have it as a deployable template that installs it as a workspace function.
Here is the ARM template:
```
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "String"
    },
    "location": {
      "type": "String"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2017-03-15-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "resources": [
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
          "name": "AuditSentinelAnalytics",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
          "properties": {
            "etag": "*",
            "displayName": "AuditSentinelAnalytics",
            "category": "Security",
            "FunctionAlias": "AuditSentinelAnalytics",
            "query": "_SentinelAudit() | where SentinelResourceType ==\"Analytic Rule\" and Description == \"Create or update analytics rule.\" | extend SentinelResourceId = tostring(ExtendedProperties.ResourceId) | project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties | extend query_ = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.UpdatedResourceState)).properties)).query) | extend CallerName_ = tostring(ExtendedProperties.CallerName) | extend CallerIpAddress_ = tostring(ExtendedProperties.CallerIpAddress) | summarize arg_max(TimeGenerated,*) by query_, CallerIpAddress_, CallerName_, SentinelResourceName | project TimeGenerated, CallerName_, CallerIpAddress_,SentinelResourceName, query_ | order by SentinelResourceName",
            "version": 1
          }
        }
      ]
    }
  ]
}
```
You can also deploy it directly with the button below:
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FAudit-Sentinel-Detection%2Fazuredeploy.json)
```
{
  "support": {
    "name": "NA",
    "email": "samik.n.roy@gmail.com",
    "link": "https://github.com/samikroy"
  }
}
```