Adding Analytics Rules
Родитель
dbf90ec480
Коммит
eff9979719
|
@ -0,0 +1,10 @@
|
|||
# Azure Sentinel Analytics Rules sample ARM templates
|
||||
|
||||
The templates in this folder allow you to create analytics rules Azure Sentinel. You can try them with the following links:
|
||||
|
||||
| Rule Type | Deploy |
|
||||
| :---| :---|
|
||||
| [Scheduled Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/ScheduledAlertRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FScheduledAlertRule.json) |
|
||||
| [Microsoft Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/MicrosoftRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FMicrosoftRule.json) |
|
||||
| [Fusion Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/FusionRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FFusionRule.json) |
|
||||
| [Behavioral Analytics Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/BehavioralAnalyticsRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FBehavioralAnalyticsRule.json) |
|
|
@ -0,0 +1,72 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Resource group to deploy solution resources"
|
||||
}
|
||||
},
|
||||
"workspaceName": {
|
||||
"defaultValue": "<Enter Log Analytics Workspace name>",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"ruleDisplayName": {
|
||||
"type": "string",
|
||||
"defaultValue": "<Enter rule name>",
|
||||
"metadata": {
|
||||
"description": "The friendly name for the scheduled alert rule"
|
||||
}
|
||||
},
|
||||
"ruleId": {
|
||||
"type": "string",
|
||||
"defaultValue": "[newGuid()]",
|
||||
"metadata": {
|
||||
"description": "The unique guid for this scheduled alert rule"
|
||||
}
|
||||
}
|
||||
},
|
||||
"functions": [],
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('ruleId'))]",
|
||||
"apiVersion": "2020-01-01",
|
||||
"kind": "Scheduled",
|
||||
"location": "[parameters('location')]",
|
||||
"dependsOn": [],
|
||||
"properties": {
|
||||
// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
|
||||
"description": "Rule description",
|
||||
"displayName": "[parameters('ruleDisplayName')]",
|
||||
"enabled": false,
|
||||
"query": "SecurityAlert | take 10",
|
||||
"queryFrequency": "PT1H",
|
||||
"queryPeriod": "P2DT1H30M",
|
||||
"severity": "Medium",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": true,
|
||||
"tactics": [ "InitialAccess", "Persistence" ],
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0
|
||||
// Optional fields:
|
||||
//"alertRuleTemplateName": "Source template ID",
|
||||
//"Etag": "*" // needed when upgrading
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"ruleId": {
|
||||
"type": "string",
|
||||
"value": "[parameters('ruleId')]"
|
||||
}
|
||||
// TODO get the Etag?
|
||||
}
|
||||
}
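Review bot: The sample deploys the rule disabled (`"enabled": false`) with no parameter to override it, so someone using the README's Deploy-to-Azure button gets an analytics rule that never runs unless they later notice; exposing it as a `ruleEnabled` bool parameter that defaults to false keeps the sample's safe default while making the state visible in the deployment form. The `location` parameter's description reads `"Resource group to deploy solution resources"` although its value is a region, so something like `"description": "Azure region for the rule, defaults to the resource group location"` would be accurate. The `//` comments inside `properties` and `outputs` make the file non-RFC 8259 JSON; the ARM deployment engine tolerates them as far as I know, but `jq`, schema validators and most CI linters will reject the template, so the optional fields are better listed in the README or a `metadata` object. Note also that `ruleId` defaults to `[newGuid()]` and is part of the resource name, so every redeploy creates a new rule rather than updating one; the `Etag` comment only helps when the caller passes the original `ruleId`.
```json
"ruleEnabled": {
    "type": "bool",
    "defaultValue": false,
    "metadata": {
        "description": "Whether the rule runs after deployment (false deploys it disabled)"
    }
},
// … unchanged: remaining parameters, functions, variables, resource header …
"enabled": "[parameters('ruleEnabled')]",
// … unchanged: remaining rule properties and outputs …
```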
|
|
@ -5,19 +5,23 @@
|
|||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name for the Log Analytics workspace used to aggregate data"
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"aatpAlerts": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "AATP alerts state"
|
||||
"description": "AATP alerts state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"tenantId": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Tenand Id"
|
||||
"description": "Tenand ID"
|
||||
}
|
||||
},
|
||||
"location": {
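Review bot: The reworded `tenantId` description keeps the typo: the new line is `"description": "Tenand ID"` and should be `"description": "Tenant ID"`. The same `tenantId` parameter appears in the sibling connector templates touched by this commit, but their description lines fall outside the visible hunks, so they may need the same correction. The enclosing `parameters` object starts and ends outside the hunk.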
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name for the Log Analytics workspace used to aggregate data"
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"subscriptionId": {
|
||||
|
@ -17,8 +17,12 @@
|
|||
},
|
||||
"ascState": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "ASC state (enabled/disabled)"
|
||||
"description": "ASC state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"location": {
|
||||
|
|
|
@ -5,19 +5,27 @@
|
|||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name for the Log Analytics workspace used to aggregate data"
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"mcasAlerts": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "MCAS alerts state"
|
||||
"description": "MCAS alerts state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"mcasDiscoveryLogs": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "MCAS discovery logs"
|
||||
"description": "MCAS discovery logs (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"tenantId": {
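Review bot: The new `mcasDiscoveryLogs` description, `"MCAS discovery logs (enabled or disabled)"`, drops the word "state" that every other enabled/disabled parameter in this commit uses (`"MCAS alerts state (enabled or disabled)"`, `"ASC state (enabled or disabled)"`); `"description": "MCAS discovery logs state (enabled or disabled)"` keeps the wording parallel in the portal's parameter form. The enclosing `parameters` object starts and ends outside the hunk.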
|
||||
|
|
|
@ -5,13 +5,17 @@
|
|||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name for the Log Analytics workspace used to aggregate data"
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"mdatpAlerts": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "MDATP alerts state"
|
||||
"description": "MDATP alerts state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"tenantId": {
|
||||
|
|
|
@ -5,25 +5,37 @@
|
|||
"workspaceName": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Name for the Log Analytics workspace used to aggregate data"
|
||||
"description": "Workspace name for Log Analytics where Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"exchangeState": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "Exchange state"
|
||||
"description": "Exchange state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"sharePointState": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "SharePoint state"
|
||||
"description": "SharePoint state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"teamsState": {
|
||||
"type": "string",
|
||||
"allowedValues": [
|
||||
"enabled",
|
||||
"disabled"
|
||||
],
|
||||
"metadata": {
|
||||
"description": "Teams state"
|
||||
"description": "Teams state (enabled or disabled)"
|
||||
}
|
||||
},
|
||||
"tenantId": {
|
||||
|
|