Azure Resource Manager (ARM) Templates and ARM Template Editor for Bulk Activation and Modification of Azure Sentinel Analytics Rules.
The following process enables optimized deployment and modification of Azure Sentinel Analytics Rules. By accelerating the configuration of Analytics Rules, this process enables the Administrator to save time and resources.
Prerequisites:
- Active Azure Subscription.
- Resource group with Azure Sentinel service created.
Create a free subscription with 200 USD
Procedure:
- Download a ZIP file of the rules from the repository using the green "Code" button. Extract the file.
- Login to Microsoft Azure.
- Search for "Azure Sentinel" using the search bar at the top of the window.
- Select "Azure Sentinel" under Services.
- Select the appropriate Resource group for your organization.
- Select "Analytics" under the Configuration section.
- Locate and select the "Import" button near the top of the window.
- Select the preferred JSON file from the previously downloaded and extracted file.
- The Deployment process will start.
Python script to modify properties of ARM templates for bulk modification of Azure Sentinel Analytics Rules. Currently capable of modifying Rule Status (Enabled/Disabled), Rule Frequency, and Rule Period for any number of Azure Sentinel Analytics Rules contained within any number of ARM template files.
- The Rule Frequency (queryFrequency) value must be between 5 minutes and 14 days.
- The Rule Period (queryPeriod) value must be between 5 minutes and 14 days.
- The Rule Frequency must be less than, or equal to, the Rule Period.
- When the Rule Period is greater than, or equal to, 2 days, the Rule Frequency must be greater than, or equal to, 1 hour.
Prerequisites:
- Python 3 interpreter (see Microsoft Docs / Microsoft Learn for validation or install instructions).
- The path to the ARM template file(s) on disk.
Procedure:
- Open the AZ_Sentinel_Analytics_Rules_Editor.py using a Python 3 Interpreter.
- Enter the path to the ARM template file(s) (e.g. C:\fakepath\AZ_Sentinel\Vectra_Detect_AZ_Sentinel_Analytics_Rules.json), or drag-and-drop each file, one at a time. Separate each file using a comma (,).
- Select options by entering the number associated with the option.
- Enter requested data based on constraints specified in the program and in the Notes from Azure Sentinel.
- Once the process is completed, a new file (or files) will be created in the same location as the original file(s), with the user-specified prefix prepended to the filename(s). You will now have two files for each ARM template: the original and the new file.
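The constraints listed above and the editor's core transformation, as an added example that is not the repository's AZ_Sentinel_Analytics_Rules_Editor.py: it parses the ISO 8601 durations Sentinel stores in queryFrequency/queryPeriod, rejects any pair that breaks one of the four rules, and rewrites every Scheduled rule in a template in one pass. It assumes the standard Sentinel alertRules resource shape; the sample template is constructed for the example.

```python
import json
import re
from datetime import timedelta

# Constructed sample ARM template with one Scheduled rule (not a file from the repository).
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
    "kind": "Scheduled",
    "properties": {"displayName": "Sample rule", "enabled": False,
                   "queryFrequency": "P1D", "queryPeriod": "P1D"},
}]})

# ISO 8601 duration subset used by Sentinel rules (PT5M, PT1H30M, P14D, P2DT12H).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")
def parse_duration(value):
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def validate(frequency, period):
    """Return the Sentinel constraints (from the notes above) that the pair violates."""
    f, p = parse_duration(frequency), parse_duration(period)
    lo, hi = timedelta(minutes=5), timedelta(days=14)
    errors = []
    if not lo <= f <= hi:
        errors.append("frequency must be between 5 minutes and 14 days")
    if not lo <= p <= hi:
        errors.append("period must be between 5 minutes and 14 days")
    if f > p:
        errors.append("frequency must be <= period")
    if p >= timedelta(days=2) and f < timedelta(hours=1):
        errors.append("frequency must be >= 1 hour when period >= 2 days")
    return errors

def update_rules(template_text, enabled=None, frequency=None, period=None):
    """Apply status/frequency/period changes to every Scheduled rule; return new JSON text."""
    template = json.loads(template_text)
    for res in template.get("resources", []):
        if res.get("kind") != "Scheduled" or "alertRules" not in res.get("type", ""):
            continue  # leave non-rule resources (e.g. the workspace) untouched
        props = res["properties"]
        new_f, new_p = frequency or props["queryFrequency"], period or props["queryPeriod"]
        if errors := validate(new_f, new_p):
            raise ValueError(f"{props.get('displayName')}: {'; '.join(errors)}")
        props["queryFrequency"], props["queryPeriod"] = new_f, new_p
        if enabled is not None:
            props["enabled"] = enabled
    return json.dumps(template, indent=2)
```

Writing the returned text to a new file with the chosen prefix reproduces the editor's output step; the value pairs in the "quick response" templates below (PT10M / PT30M) pass validation, while a 5-minute frequency on a 2-day period is rejected.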
Default ARM templates for most of Azure Sentinel's built-in Scheduled Analytics Rules.
- Rule Frequency = Default
- Rule Period = Default
- 0-A
- A-F
- F-N
- N-S
- S-Z
- (Preview) Anomalous Account Creation
- (Preview) Anomalous Code Execution
- (Preview) TI map...
- Account added and removed from privileged groups
- Active Directory
- Anomalous login followed by Teams action
- Anomalous sign-in location by user account and authenticating application
- Anomalous User Agent connection attempt
- AppServices AV Scan
- Attempt to bypass conditional access rule in Azure AD
- Attempts to sign in to disabled accounts
- Audit policy manipulation using auditpol utility
- Azure Active Directory PowerShell accessing non-AAD resource
- Azure DevOps
- Azure Key Vault access TimeSeries anomaly
- Base64 encoded Windows process command-lines
- Brute force attack against...
- Changes made to AWS CloudTrail logs
- Changes to Amazon VPC settings
- Changes to AWS Elastic Load Balancer security groups
- Changes to AWS Security Group ingress and egress settings
- Changes to internet facing AWS RDS Database instances
- Cisco...
- Correlate Unfamiliar sign-in properties and atypical travel alerts
- Create incidents based on Azure Active Directory Identity Protection alerts
- Create incidents based on Azure Defender alerts
- Create incidents based on Azure Defender for IOT alerts
- Create incidents based on Microsoft Cloud App Security alerts
- Create incidents based on Microsoft Defender for Endpoint alerts
- Create incidents based on Microsoft Defender for Identity alerts
- Create incidents based on Microsoft Defender for Office 365 alerts
- Creation of expensive computes in Azure
- Credential added after admin consented to Application
- DEV-0322 Serv-U related IOCs-July 2021
- DNS events related to...
- Distributed Password cracking attempts in AzureAD
- Email access via active sync
- Excessive NXDOMAIN DNS Queries (Normalized DNS)
- Excessive Windows logon failures
- Exchange...
- Explicit MFA Deny
- External Upstream Source Added to Azure DevOps Feed
- External user added and removed in short timeframe
- Failed...
- First access credential added to Application or Service Principal where no credential was present
- GitHub Signin Burst from Multiple Locations
- Group created then added to built in domain local or global group
- HAFNIUM...
- High count of...
- IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
- Known Barium...
- Known CERIUM domains and hashes
- Known GALLIUM domains and hashes
- Known IRIDIUM IP
- Known Manganese IP and UserAgent activity
- Known STRONTIUM group domains - July 2019
- Known ZINC...
- Linked Malicious Storage Artifacts
- Login to AWS Management Console without MFA
- Mail...
- Malformed user agent
- Malicious Inbox Rule
- Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts
- Malware in the recycle bin
- Mass secret retrieval from Azure Key Vault
- MFA disabled for a user
- Microsoft COVID-19 file hash indicator matches
- Modified domain federation trust settings
- Monitor AWS Credential abuse or hijacking
- Multiple Password Reset by user
- Multiple RDP connections from Single System
- Multiple Teams deleted by a single user
- Multiple users email forwarded to same destination
- Network endpoint to host executable correlation
- New access credential added to Application or Service Principal
- New Agent Added to Pool by New User or of a New OS Type
- New CloudShell User
- New executable via Office FileUploaded Operation
- New internet-exposed SSH endpoints
- New PA, PCA, or PCAS added to Azure DevOps
- New user created and added to the built-in administrators group
- New UserAgent observed in last 24 hours
- NOBELIUM...
- Non Domain Controller Active Directory Replication
- Office policy tampering
- Palo Alto...
- Password spray attack against Azure AD application
- Possible contact with a domain generated by a DGA
- Possible STRONTIUM attempted credential harvesting - Sept 2020 and Oct 2020
- Potential Build Process Compromise...
- Potential DGA detected
- Potential Kerberoasting
- Powershell Empire cmdlets seen in command line
- Probable AdFind Recon Tool Usage
- Process executed from binary hidden in Base64 encoded file
- Process execution frequency anomaly
- Rare...
- RDP Nesting
- Request for single resource on domain
- Security Event log cleared
- Security Service Registry ACL Modification
- SecurityEvent - Multiple authentication failures followed by a success
- Sensitive Azure Key Vault operations
- SharePointFileOperation via...
- Sign-ins from IPs that attempt sign-ins to disabled accounts
- Solorigate...
- Squid proxy events...
- Successful logon from IP and failure from a different IP
- SUNBURST...
- SUNSPOT...
- SUPERNOVA webshell
- Suspicious...
- TEARDROP memory-only dropper
- THALLIUM domains included in DCU takedown
- Time series anomaly...
- User...
- Vectra AI Detect...
- Vectra Detection...
- Wazuh - Large Number of Web errors from an IP
ARM templates for most of Azure Sentinel's built-in Scheduled Analytics Rules, modified for quick response.
- Rule Frequency = 10 minutes
- Rule Period = 30 minutes
Disclaimer: The Analytics rules above do not include all the rules available in Azure Sentinel. They do not include any rules that monitor activity from third-party Data Connectors or any rules that require pre-created data tables. The remaining rules will need to be created and configured based on the Organization's specification.