This commit is contained in:
Javier Soriano 2020-11-24 22:32:18 +01:00
Родитель dbf90ec480
Коммит eff9979719
7 изменённых файлов: 128 добавлений и 14 удалений


@ -0,0 +1,10 @@
# Azure Sentinel Analytics Rules sample ARM templates
The templates in this folder allow you to create analytics rules Azure Sentinel. You can try them with the following links:
| Rule Type | Deploy |
| :---| :---|
| [Scheduled Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/ScheduledAlertRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FScheduledAlertRule.json) |
| [Microsoft Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/MicrosoftRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FMicrosoftRule.json) |
| [Fusion Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/FusionRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FFusionRule.json) |
| [Behavioral Analytics Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/BehavioralAnalyticsRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FBehavioralAnalyticsRule.json) |


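--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,72 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"location": {
+"type": "string",
+"minLength": 1,
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "Resource group to deploy solution resources"
+}
+},
+"workspaceName": {
+"defaultValue": "<Enter Log Analytics Workspace name>",
+"type": "string",
+"metadata": {
+"description": "Workspace name for Log Analytics where Sentinel is setup"
+}
+},
+"ruleDisplayName": {
+"type": "string",
+"defaultValue": "<Enter rule name>",
+"metadata": {
+"description": "The friendly name for the scheduled alert rule"
+}
+},
+"ruleId": {
+"type": "string",
+"defaultValue": "[newGuid()]",
+"metadata": {
+"description": "The unique guid for this scheduled alert rule"
+}
+}
+},
+"functions": [],
+"variables": {},
+"resources": [
+{
+"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('ruleId'))]",
+"apiVersion": "2020-01-01",
+"kind": "Scheduled",
+"location": "[parameters('location')]",
+"dependsOn": [],
+"properties": {
+// https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
+"description": "Rule description",
+"displayName": "[parameters('ruleDisplayName')]",
+"enabled": false,
+"query": "SecurityAlert | take 10",
+"queryFrequency": "PT1H",
+"queryPeriod": "P2DT1H30M",
+"severity": "Medium",
+"suppressionDuration": "PT1H",
+"suppressionEnabled": true,
+"tactics": [ "InitialAccess", "Persistence" ],
+"triggerOperator": "GreaterThan",
+"triggerThreshold": 0
+// Optional fields:
+//"alertRuleTemplateName": "Source template ID",
+//"Etag": "*" // needed when upgrading
+}
+}
+],
+"outputs": {
+"ruleId": {
+"type": "string",
+"value": "[parameters('ruleId')]"
+}
+// TODO get the Etag?
+}
+}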
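Review bot: The `location` parameter's description, on the line after `"defaultValue": "[resourceGroup().location]"`, reads `Resource group to deploy solution resources`, but the parameter is a region, not a resource group; suggest `"description": "Azure region for the alert rule; defaults to the resource group's location"`. The `ruleId` default `[newGuid()]` is evaluated afresh on every deployment, so redeploying without passing `ruleId` creates a second rule instead of updating the first — worth stating in its description, e.g. `"description": "Unique GUID for this rule; pass the same value to update an existing rule, otherwise each deployment creates a new one"`. The commented-out `"Etag": "*"` hint sits inside `properties`, whereas for this resource type I believe `etag` is a resource-level sibling of `properties` and lowercase — confirm against the REST reference linked in the comment above it before anyone uncomments it. Note also that the sample ships with `"enabled": false`, so a deployment produces no alerts until the rule is switched on; either say so in the README or expose `enabled` as a `bool` parameter so the deploying user makes that choice explicitly.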


@ -5,19 +5,23 @@
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace used to aggregate data"
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"aatpAlerts": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "AATP alerts state"
"description": "AATP alerts state (enabled or disabled)"
}
},
"tenantId": {
"type": "string",
"metadata": {
"description": "Tenand Id"
"description": "Tenand ID"
}
},
"location": {
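Review bot: The reworded `tenantId` description still carries the misspelling: the new line `"description": "Tenand ID"` should read `"description": "Tenant ID"`, since this text is the prompt users see in the portal. The `tenantId` parameter also heads the truncated ends of the MCAS, MDATP and Office 365 hunks below, where its description lies outside the hunk, so those files are worth checking for the same typo. As the value is in practice the tenant of the deploying subscription, a default of `"defaultValue": "[subscription().tenantId]"` would spare users from hand-typing a GUID while still allowing an override; the enclosing `parameters` object begins before this hunk.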


@ -5,7 +5,7 @@
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace used to aggregate data"
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"subscriptionId": {
@ -17,8 +17,12 @@
},
"ascState": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "ASC state (enabled/disabled)"
"description": "ASC state (enabled or disabled)"
}
},
"location": {


@ -5,19 +5,27 @@
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace used to aggregate data"
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"mcasAlerts": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "MCAS alerts state"
"description": "MCAS alerts state (enabled or disabled)"
}
},
"mcasDiscoveryLogs": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "MCAS discovery logs"
"description": "MCAS discovery logs (enabled or disabled)"
}
},
"tenantId": {


@ -5,13 +5,17 @@
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace used to aggregate data"
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"mdatpAlerts": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "MDATP alerts state"
"description": "MDATP alerts state (enabled or disabled)"
}
},
"tenantId": {


@ -5,25 +5,37 @@
"workspaceName": {
"type": "string",
"metadata": {
"description": "Name for the Log Analytics workspace used to aggregate data"
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"exchangeState": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "Exchange state"
"description": "Exchange state (enabled or disabled)"
}
},
"sharePointState": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "SharePoint state"
"description": "SharePoint state (enabled or disabled)"
}
},
"teamsState": {
"type": "string",
"allowedValues": [
"enabled",
"disabled"
],
"metadata": {
"description": "Teams state"
"description": "Teams state (enabled or disabled)"
}
},
"tenantId": {