90 строки
3.6 KiB
Markdown
90 строки
3.6 KiB
Markdown
|
||
|
||
# Audit Sentinel Detection Rules
|
||
|
||
### Prerequisites : [Configure Audit in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring)
|
||
|
||
### Purpose : Detection / Analytics are directly changed in the production instace at times due to several reaons.
|
||
|
||
+ As the DevOps workflow is not set up.
|
||
+ Due to urgency.
|
||
|
||
Here is KQL query to idetify such scenarios and an azure function developed in KQL which can be used to display the changes.
|
||
|
||
### Demo - [Audit Sentinel Detection Rules](https://www.youtube.com/watch?v=v7XQSBnzfHg)
|
||
|
||
Query
|
||
|
||
|
||
```
|
||
_SentinelAudit()
|
||
| where SentinelResourceType =="Analytic Rule" and Description == "Create or update analytics rule."
|
||
| extend SentinelResourceId = tostring(ExtendedProperties.ResourceId)
|
||
| project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties
|
||
| extend query_ = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.UpdatedResourceState)).properties)).query)
|
||
| extend CallerName_ = tostring(ExtendedProperties.CallerName)
|
||
| extend CallerIpAddress_ = tostring(ExtendedProperties.CallerIpAddress)
|
||
| summarize arg_max(TimeGenerated,*) by query_, CallerIpAddress_, CallerName_, SentinelResourceName
|
||
| project TimeGenerated, CallerName_, CallerIpAddress_,SentinelResourceName, query_
|
||
| order by SentinelResourceName
|
||
|
||
```
|
||
|
||
Now, while we can use this query in our KQL queries and then it will also be useful to have this as a deployable template.
|
||
|
||
Here is the code for ARM Template
|
||
|
||
```
|
||
{
|
||
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
|
||
"contentVersion": "1.0.0.0",
|
||
"parameters": {
|
||
"workspaceName": {
|
||
"type": "String"
|
||
},
|
||
"location": {
|
||
"type": "String"
|
||
}
|
||
},
|
||
"resources": [
|
||
{
|
||
"type": "Microsoft.OperationalInsights/workspaces",
|
||
"apiVersion": "2017-03-15-preview",
|
||
"name": "[parameters('workspaceName')]",
|
||
"location": "[parameters('location')]",
|
||
"resources": [
|
||
{
|
||
"type": "savedSearches",
|
||
"apiVersion": "2020-08-01",
|
||
"name": "AuditSentinelAnalytics",
|
||
"dependsOn": [
|
||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
|
||
],
|
||
"properties": {
|
||
"etag": "*",
|
||
"displayName": "AuditSentinelAnalytics",
|
||
"category": "Security",
|
||
"FunctionAlias": "AuditSentinelAnalytics",
|
||
"query": "_SentinelAudit() | where SentinelResourceType ==\"Analytic Rule\" and Description == \"Create or update analytics rule.\" | extend SentinelResourceId = tostring(ExtendedProperties.ResourceId) | project TimeGenerated, SentinelResourceName, Status, Description, SentinelResourceKind, ExtendedProperties | extend query_ = tostring(parse_json(tostring(parse_json(tostring(ExtendedProperties.UpdatedResourceState)).properties)).query) | extend CallerName_ = tostring(ExtendedProperties.CallerName) | extend CallerIpAddress_ = tostring(ExtendedProperties.CallerIpAddress) | summarize arg_max(TimeGenerated,*) by query_, CallerIpAddress_, CallerName_, SentinelResourceName | project TimeGenerated, CallerName_, CallerIpAddress_,SentinelResourceName, query_ | order by SentinelResourceName",
|
||
"version": 1
|
||
}
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
```
|
||
|
||
And you can easily deploy
|
||
|
||
[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FTools%2FAudit-Sentinel-Detection%2Fazuredeploy.json)
|
||
|
||
|
||
{
|
||
"support": {
|
||
"name": "NA",
|
||
"email": "samik.n.roy@gmail.com",
|
||
"link": "https://github.com/samikroy"
|
||
}
|
||
}
|