diff --git a/Tools/ARM-Templates/AnalyticsRules/README.md b/Tools/ARM-Templates/AnalyticsRules/README.md
new file mode 100644
index 0000000000..0d3637b7f2
--- /dev/null
+++ b/Tools/ARM-Templates/AnalyticsRules/README.md
@@ -0,0 +1,10 @@
+# Azure Sentinel Analytics Rules sample ARM templates
+
+The templates in this folder allow you to create analytics rules Azure Sentinel. You can try them with the following links:
+
+| Rule Type | Deploy |
+| :---| :---|
+| [Scheduled Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/ScheduledAlertRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FScheduledAlertRule.json) |
+| [Microsoft Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/MicrosoftRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FMicrosoftRule.json) |
+| [Fusion Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/FusionRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FFusionRule.json) |
+| [Behavioral Analytics Rule](https://github.com/javiersoriano/Azure-Sentinel/blob/javier-arm/Tools/ARM-Templates/AnalyticsRules/BehavioralAnalyticsRule.json) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fjaviersoriano%2FAzure-Sentinel%2Fjavier-arm%2FTools%2FARM-Templates%2FAnalyticsRules%2FBehavioralAnalyticsRule.json) |
\ No newline at end of file
diff --git a/Tools/ARM-Templates/AnalyticsRules/ScheduledAlertRule.json b/Tools/ARM-Templates/AnalyticsRules/ScheduledAlertRule.json
new file mode 100644
index 0000000000..d1707fda9a
--- /dev/null
+++ b/Tools/ARM-Templates/AnalyticsRules/ScheduledAlertRule.json
@@ -0,0 +1,72 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Resource group to deploy solution resources"
+ }
+ },
+ "workspaceName": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
+ }
+ },
+ "ruleDisplayName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "The friendly name for the scheduled alert rule"
+ }
+ },
+ "ruleId": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "metadata": {
+ "description": "The unique guid for this scheduled alert rule"
+ }
+ }
+ },
+ "functions": [],
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('ruleId'))]",
+ "apiVersion": "2020-01-01",
+ "kind": "Scheduled",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ // https://docs.microsoft.com/en-us/rest/api/securityinsights/alertrules/createorupdate#scheduledalertrule
+ "description": "Rule description",
+ "displayName": "[parameters('ruleDisplayName')]",
+ "enabled": false,
+ "query": "SecurityAlert | take 10",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P2DT1H30M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": true,
+ "tactics": [ "InitialAccess", "Persistence" ],
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0
+ // Optional fields:
+ //"alertRuleTemplateName": "Source template ID",
+ //"Etag": "*" // needed when upgrading
+ }
+ }
+ ],
+ "outputs": {
+ "ruleId": {
+ "type": "string",
+ "value": "[parameters('ruleId')]"
+ }
+ // TODO get the Etag?
+ }
+}
\ No newline at end of file
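Review bot: `workspaceName` and `ruleDisplayName` both carry `"defaultValue": ""` and no length constraint, so a deployment that omits them passes template validation and only fails once the resource name `[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('ruleId'))]` is resolved; replacing `"defaultValue": ""` with `"minLength": 1` on both parameters rejects the missing value up front, the way `location` already does. The `location` metadata says `"description": "Resource group to deploy solution resources"`, but the parameter is a location, so `"description": "Location for the alert rule (defaults to the resource group location)"` would describe it correctly. The `//` comments inside `properties` and `outputs` are accepted by Resource Manager deployments, but any strict-JSON tooling the repo runs over these templates (jq, schema validators) will reject the file; moving the optional-field notes into a `metadata` description, or dropping them, keeps the template plain JSON.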
diff --git a/Tools/ARM-Templates/DataConnectors/AzureATP.json b/Tools/ARM-Templates/DataConnectors/AzureATP.json
index 93cdebe7ce..07792b7aad 100644
--- a/Tools/ARM-Templates/DataConnectors/AzureATP.json
+++ b/Tools/ARM-Templates/DataConnectors/AzureATP.json
@@ -5,19 +5,23 @@
 "workspaceName": {
 "type": "string",
 "metadata": {
- "description": "Name for the Log Analytics workspace used to aggregate data"
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
 }
 },
 "aatpAlerts": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "AATP alerts state"
+ "description": "AATP alerts state (enabled or disabled)"
 }
 },
 "tenantId": {
 "type": "string",
 "metadata": {
- "description": "Tenand Id"
+ "description": "Tenand ID"
 }
 },
 "location": {
diff --git a/Tools/ARM-Templates/DataConnectors/AzureSecurityCenter.json b/Tools/ARM-Templates/DataConnectors/AzureSecurityCenter.json
index f000052aae..21ec38f276 100644
--- a/Tools/ARM-Templates/DataConnectors/AzureSecurityCenter.json
+++ b/Tools/ARM-Templates/DataConnectors/AzureSecurityCenter.json
@@ -5,7 +5,7 @@
 "workspaceName": {
 "type": "string",
 "metadata": {
- "description": "Name for the Log Analytics workspace used to aggregate data"
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
 }
 },
 "subscriptionId": {
@@ -17,8 +17,12 @@
 },
 "ascState": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "ASC state (enabled/disabled)"
+ "description": "ASC state (enabled or disabled)"
 }
 },
 "location": {
diff --git a/Tools/ARM-Templates/DataConnectors/MCAS.json b/Tools/ARM-Templates/DataConnectors/MCAS.json
index 50ad440b7c..8d5a87beff 100644
--- a/Tools/ARM-Templates/DataConnectors/MCAS.json
+++ b/Tools/ARM-Templates/DataConnectors/MCAS.json
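Review bot: The rewritten `tenantId` description in AzureATP.json still carries the typo `Tenand`; the new line should read `"description": "Tenant ID"`. The parameter also stays unconstrained, so a mistyped value is only caught when the connector resource is created; Resource Manager has no GUID format, but `"minLength": 36` and `"maxLength": 36` catch the common truncation and paste errors at validation time, matching the `allowedValues` discipline this commit applies to the state parameters.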
@@ -5,19 +5,27 @@
 "workspaceName": {
 "type": "string",
 "metadata": {
- "description": "Name for the Log Analytics workspace used to aggregate data"
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
 }
 },
 "mcasAlerts": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "MCAS alerts state"
+ "description": "MCAS alerts state (enabled or disabled)"
 }
 },
 "mcasDiscoveryLogs": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "MCAS discovery logs"
+ "description": "MCAS discovery logs (enabled or disabled)"
 }
 },
 "tenantId": {
diff --git a/Tools/ARM-Templates/DataConnectors/MDATP.json b/Tools/ARM-Templates/DataConnectors/MDATP.json
index 78369af5f3..19808dd545 100644
--- a/Tools/ARM-Templates/DataConnectors/MDATP.json
+++ b/Tools/ARM-Templates/DataConnectors/MDATP.json
@@ -5,13 +5,17 @@
 "workspaceName": {
 "type": "string",
 "metadata": {
- "description": "Name for the Log Analytics workspace used to aggregate data"
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
 }
 },
 "mdatpAlerts": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "MDATP alerts state"
+ "description": "MDATP alerts state (enabled or disabled)"
 }
 },
 "tenantId": {
diff --git a/Tools/ARM-Templates/DataConnectors/Office365.json b/Tools/ARM-Templates/DataConnectors/Office365.json
index ff2bbeccfb..0f893c22e3 100644
--- a/Tools/ARM-Templates/DataConnectors/Office365.json
+++ b/Tools/ARM-Templates/DataConnectors/Office365.json
@@ -5,25 +5,37 @@
 "workspaceName": {
 "type": "string",
 "metadata": {
- "description": "Name for the Log Analytics workspace used to aggregate data"
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
 }
 },
 "exchangeState": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "Exchange state"
+ "description": "Exchange state (enabled or disabled)"
 }
 },
 "sharePointState": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "SharePoint state"
+ "description": "SharePoint state (enabled or disabled)"
 }
 },
 "teamsState": {
 "type": "string",
+ "allowedValues": [
+ "enabled",
+ "disabled"
+ ],
 "metadata": {
- "description": "Teams state"
+ "description": "Teams state (enabled or disabled)"
 }
 },
 "tenantId": {