Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add AlertRules to microsoft.security insights 2021 10 01 #15657

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
Expand Up @@ -1707,6 +1707,7 @@
}
}
},
"type": "object",
"required": [
"value"
]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -502,7 +502,8 @@
"description": "The error object of the CloudError response"
}
},
"description": "An error response for a resource management request."
"description": "An error response for a resource management request.",
"type": "object"
},
"ThreatIntelligenceInformation": {
"allOf": [
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
"ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e",
"action": {
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"triggerUri": "https://prod-31.northcentralus.logic.azure.com:443/workflows/cd3765391efd48549fd7681ded1d48d7/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature",
"logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
}
}
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
"name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
"type": "Microsoft.SecurityInsights/alertRules/actions",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"workflowId": "cd3765391efd48549fd7681ded1d48d7",
"logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
}
}
},
"201": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
"name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
"type": "Microsoft.SecurityInsights/alertRules/actions",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"workflowId": "cd3765391efd48549fd7681ded1d48d7",
"logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
"ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
},
"responses": {
"200": {},
"204": {}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
"ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"actionId": "912bec42-cb66-4c03-ac63-1761b6898c3e"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
"name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
"type": "Microsoft.SecurityInsights/alertRules/actions",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"workflowId": "cd3765391efd48549fd7681ded1d48d7",
"logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
"ruleId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/73e01a99-5cd7-4139-a149-9f2736ff2ab5/actions/912bec42-cb66-4c03-ac63-1761b6898c3e",
"name": "912bec42-cb66-4c03-ac63-1761b6898c3e",
"type": "Microsoft.SecurityInsights/alertRules/actions",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"workflowId": "cd3765391efd48549fd7681ded1d48d7",
"logicAppResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts"
}
}
]
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
"alertRuleTemplateId": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
"name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "Scheduled",
"properties": {
"severity": "Low",
"query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"displayName": "Changes to Amazon VPC settings",
"description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
"tactics": [
"PrivilegeEscalation",
"LateralMovement"
],
"createdDateUTC": "2019-02-27T00:00:00Z",
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
]
}
],
"alertRulesCreatedByTemplateCount": 0
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalInsights"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa",
"name": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "Scheduled",
"properties": {
"severity": "Low",
"query": "let timeframe = 1d;\nAWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName == \"CreateNetworkAclEntry\"\n or EventName == \"CreateRoute\"\n| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"displayName": "Changes to Amazon VPC settings",
"description": "This alert monitors changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries and routes in route tables.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand https://aws.amazon.com/vpc/",
"tactics": [
"PrivilegeEscalation",
"LateralMovement"
],
"createdDateUTC": "2019-02-27T00:00:00Z",
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
]
}
],
"alertRulesCreatedByTemplateCount": 0
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8",
"name": "f71aba3d-28fb-450b-b192-4e76a83015c8",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "Fusion",
"properties": {
"displayName": "Advanced Multi-Stage Attack Detection",
"description": "Place holder: Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases.\n",
"tactics": [
"Persistence",
"LateralMovement",
"Exfiltration",
"CommandAndControl"
],
"createdDateUTC": "2019-07-25T00:00:00Z",
"status": "Available",
"severity": "High",
"alertRulesCreatedByTemplateCount": 0
}
},
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb",
"name": "b3cfc7c0-092c-481c-a55b-34a3979758cb",
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"displayName": "Create incidents based on Microsoft Cloud App Security alerts",
"description": "Create incidents based on all alerts generated in Microsoft Cloud App Security",
"createdDateUTC": "2019-07-16T00:00:00Z",
"status": "Available",
"alertRulesCreatedByTemplateCount": 0
}
}
]
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
"ruleId": "myFirstFusionRule",
"alertRule": {
"kind": "Fusion",
"etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
"properties": {
"enabled": true,
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
}
}
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
"name": "myFirstFusionRule",
"etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "Fusion",
"properties": {
"displayName": "Advanced Multi-Stage Attack Detection",
"description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
"tactics": [
"Persistence",
"LateralMovement",
"Exfiltration",
"CommandAndControl"
],
"severity": "High",
"enabled": true,
"lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
}
}
},
"201": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/myFirstFusionRule",
"name": "myFirstFusionRule",
"etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "Fusion",
"properties": {
"displayName": "Advanced Multi-Stage Attack Detection",
"description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be actionable, and events across multiple products, into high fidelity security interesting incidents. The system looks at multiple products to produce actionable incidents. Custom tailored to each tenant, Fusion not only reduces false positive rates but also can detect attacks with limited or missing information. \nIncidents generated by Fusion system will encase two or more alerts. By design, Fusion incidents are low volume, high fidelity and will be high severity, which is why Fusion is turned ON by default in Azure Sentinel.\n\nFor Fusion to work, please configure the following data sources in Data Connectors tab:\nRequired - Azure Active Directory Identity Protection\nRequired - Microsoft Cloud App Security\nIf Available - Palo Alto Network\n\nFor full list of scenarios covered by Fusion, and detail instructions on how to configure the required data sources, go to aka.ms/SentinelFusion",
"alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
"tactics": [
"Persistence",
"LateralMovement",
"Exfiltration",
"CommandAndControl"
],
"severity": "High",
"enabled": true,
"lastModifiedUtc": "2019-09-04T13:13:11.5340061Z"
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
{
"parameters": {
"api-version": "2021-10-01",
"subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
"resourceGroupName": "myRg",
"workspaceName": "myWorkspace",
"operationalInsightsResourceProvider": "Microsoft.OperationalInsights",
"ruleId": "microsoftSecurityIncidentCreationRuleExample",
"alertRule": {
"etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"displayName": "testing displayname",
"enabled": true
}
}
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
"name": "microsoftSecurityIncidentCreationRuleExample",
"etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": null,
"displayNamesFilter": null,
"displayName": "testing displayname",
"enabled": true,
"description": null,
"alertRuleTemplateName": null,
"lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
}
}
},
"201": {
"body": {
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/microsoftSecurityIncidentCreationRuleExample",
"name": "microsoftSecurityIncidentCreationRuleExample",
"etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": null,
"displayNamesFilter": null,
"displayName": "testing displayname",
"enabled": true,
"description": null,
"alertRuleTemplateName": null,
"lastModifiedUtc": "2019-09-04T12:05:35.7296311Z"
}
}
}
}
}
Loading