Azure Sentinel alert rules help to collect security data, detect threats, investigate them and respond to the resulting alerts and incidents.
Bobcares answers all questions no matter the size, as part of our Server management support Service.
Let us take a look at Azure Sentinel alert rules in detail.
What is Azure Sentinel?
Microsoft Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM, or Security Information and Event Management, platform. It collects data from across the environment, detects threats with analytics and threat intelligence, supports investigation and hunting for malicious activity with AI-assisted tooling, and responds to incidents quickly through automation.
To configure how incidents are created, open the Incident settings tab. There you choose how Microsoft Sentinel turns alerts into incidents, and the tab offers several options for managing incidents.
Importance of Azure Sentinel
Azure Sentinel is a threat hunting and detection tool that monitors security data in near real time. It gives the security team visibility into every detected threat and can send an email alert to the team whenever a threat is found. In short, Sentinel acts as an extra layer of protection against threats and attacks.
Configuring the Azure Sentinel alert rules
A user can create alerts in Sentinel in two ways:
- Connect a correlation rule to an action to create alerts. A correlation rule is an automated process that tracks and manages incidents in real time; when its trigger conditions are met, Sentinel generates an alert.
- A user can also use the REST API to create alerts.
The az sentinel alert-rule create command
az sentinel alert-rule create creates or updates an alert rule, or an action of an alert rule. The synopsis of the command is given below.
Azure CLI
az sentinel alert-rule create --resource-group
--rule-id
--workspace-name
[--action-id]
[--etag]
[--fusion-alert-rule]
[--logic-app-resource-id]
[--microsoft-security-incident-creation-alert-rule]
[--scheduled-alert-rule]
[--trigger-uri]
The command covers each kind of rule object in turn. The process starts with the creation of an alert rule action, and the rule types (Fusion, MicrosoftSecurityIncidentCreation and Scheduled) are created in the same way.
Examples
As mentioned earlier, the first step creates or updates an action of an alert rule, as shown below.
az sentinel alert-rule create --etag "{etag}" --logic-app-resource-id "/subscriptions/{subs}/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" --trigger-uri "https://xxx.northcentralus.logic.azure.com:443/workflows/xxx/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
After the creation of the alert rule action, a Fusion alert rule is created as shown below.
Azure CLI
az sentinel alert-rule create --fusion-alert-rule etag="{etag}" alert-rule-template-name="{name}" enabled=true --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"
The next step is to create a MicrosoftSecurityIncidentCreation rule, which turns alerts from a chosen Microsoft security product into Sentinel incidents. The command creates or updates such a rule as shown below; the values in braces are placeholders for the display name and the product filter of the rule.
Azure CLI
az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule etag="{etag}" display-name="{display-name}" enabled=true product-filter="{product-filter}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
Finally, a Scheduled alert rule is created or updated as shown in the command below.
Azure CLI
az sentinel alert-rule create --scheduled-alert-rule etag="{etag}" query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
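The scheduled rule above packs the detection query, its run interval and its lookback window into one long command, and a mistake in those values is easy to miss. As an added example (not code from the original post, Bobcares or Microsoft), the script below validates a scheduled rule definition and then prints the corresponding az sentinel alert-rule create command instead of running it, so it works without az or a workspace. It assumes the flag and key names shown in the post, uses Sentinel's documented limits for scheduled rules (a minimum frequency of five minutes and a maximum lookback of 14 days), and rejects a lookback period shorter than the run interval, which would leave log data that no run ever scans. The demo values at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): validate a scheduled alert rule and
# print the `az sentinel alert-rule create --scheduled-alert-rule ...` command.
# Assumed: the flag and key names shown in the post. The command is printed, not run.
set -eu

# Convert an ISO-8601 duration such as P2DT1H30M to seconds (D, H, M and S parts only).
# Prints the number on stdout; returns 1 on malformed input (weeks are not handled).
iso_duration_seconds() {
  dur=$1
  case "$dur" in P*) ;; *) return 1 ;; esac
  rest=${dur#P}
  days=0; hours=0; mins=0; secs=0
  case "$rest" in
    *T*) datepart=${rest%%T*}; timepart=${rest#*T} ;;
    *)   datepart=$rest;       timepart= ;;
  esac
  if [ -n "$datepart" ]; then
    case "$datepart" in *D) days=${datepart%D} ;; *) return 1 ;; esac
    case "$days" in ''|*[!0-9]*) return 1 ;; esac
  fi
  while [ -n "$timepart" ]; do
    num=$(printf '%s' "$timepart" | sed 's/^\([0-9]*\).*/\1/')
    [ -n "$num" ] || return 1
    unit_rest=${timepart#"$num"}
    case "$unit_rest" in
      H*) hours=$num; timepart=${unit_rest#H} ;;
      M*) mins=$num;  timepart=${unit_rest#M} ;;
      S*) secs=$num;  timepart=${unit_rest#S} ;;
      *)  return 1 ;;
    esac
  done
  echo $(( days * 86400 + hours * 3600 + mins * 60 + secs ))
}

# Validate a scheduled rule definition and print the create command.
# Usage: build_scheduled_rule RG WORKSPACE RULE_ID DISPLAY_NAME SEVERITY FREQUENCY PERIOD THRESHOLD QUERY
build_scheduled_rule() {
  [ $# -eq 9 ] || { echo "usage: build_scheduled_rule RG WORKSPACE RULE_ID DISPLAY_NAME SEVERITY FREQUENCY PERIOD THRESHOLD QUERY" >&2; return 1; }
  rg=$1; ws=$2; rule_id=$3; name=$4; sev=$5; freq=$6; period=$7; threshold=$8; query=$9
  case "$sev" in High|Medium|Low|Informational) ;;
    *) echo "severity must be High, Medium, Low or Informational, got '$sev'" >&2; return 1 ;;
  esac
  case "$threshold" in ''|*[!0-9]*) echo "trigger-threshold must be a non-negative integer" >&2; return 1 ;; esac
  fsec=$(iso_duration_seconds "$freq")   || { echo "query-frequency '$freq' is not an ISO-8601 duration" >&2; return 1; }
  psec=$(iso_duration_seconds "$period") || { echo "query-period '$period' is not an ISO-8601 duration" >&2; return 1; }
  [ "$fsec" -ge 300 ] || { echo "query-frequency must be at least PT5M" >&2; return 1; }
  [ "$psec" -le $(( 14 * 86400 )) ] || { echo "query-period may not exceed P14D" >&2; return 1; }
  # A lookback shorter than the run interval leaves windows of log data that no run
  # ever queries, so events in those windows can never trigger the rule.
  [ "$psec" -ge "$fsec" ] || { echo "query-period '$period' is shorter than query-frequency '$freq': detection gap" >&2; return 1; }
  # suppression-duration is set equal to the frequency, as in the post's example.
  printf 'az sentinel alert-rule create --scheduled-alert-rule display-name="%s" enabled=true severity="%s" query="%s" query-frequency="%s" query-period="%s" trigger-operator="GreaterThan" trigger-threshold=%s suppression-duration="%s" suppression-enabled=false --resource-group "%s" --rule-id "%s" --workspace-name "%s"\n' \
    "$name" "$sev" "$query" "$freq" "$period" "$threshold" "$freq" "$rg" "$rule_id" "$ws"
}

# Constructed demo values (not a real workspace). The second call is rejected: a
# one-hour lookback run once a day misses 23 hours of data in every cycle.
build_scheduled_rule myRg myWorkspace "{rule-id}" "Rule2" High PT1H P2DT1H30M 0 \
  'ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden'
build_scheduled_rule myRg myWorkspace "gap-demo" "Gap demo" High P1D PT1H 0 'Heartbeat' \
  || echo "gap-demo rejected as expected"
```

The query is inserted verbatim between double quotes, so a KQL query that itself contains double quotes must be escaped before it is passed in. The printed command can be reviewed and then pasted into a shell where the az CLI and its sentinel extension are installed.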
Parameters required for az sentinel alert-rule create
--resource-group -g
Represents the resource group. For example, if the resource group is myRg, pass:
--resource-group "myRg"
The default group can be configured with az configure --defaults group=<name>, so that the parameter can be omitted. Similarly, the alert rule ID and the name of the workspace are given as shown below.
--rule-id
Alert rule ID
--workspace-name
The name of the workspace
Optional parameters
--action-id
Action ID
--etag
Represents the Azure resource etag.
--fusion-alert-rule
Represents the Fusion alert rule.
--logic-app-resource-id
The resource ID of the Logic App, in the form /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.
--microsoft-security-incident-creation-alert-rule
Represents the MicrosoftSecurityIncidentCreation rule.
--scheduled-alert-rule
Represents the Scheduled alert rule.
--trigger-uri
The Logic App callback URL for this workflow trigger.
Deleting the az sentinel alert rule
Both a single action of an alert rule and the alert rule itself can be deleted. The synopsis of the delete command is given below.
Azure CLI
az sentinel alert-rule delete --resource-group
--rule-id
--workspace-name
[--action-id]
[--yes]
Let’s go through a couple of examples of deleting the alert rule.
Examples
To delete an action of an alert rule, specify both the rule and the action associated with it.
Azure CLI
az sentinel alert-rule delete --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
Similarly, to delete an alert rule itself, specify the rule as shown below.
Azure CLI
az sentinel alert-rule delete --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
Parameters required
The required parameters are the same as for the create command. The optional parameters are given below.
--action-id
Represents the action ID
--yes -y
Skips the confirmation prompt
az sentinel alert-rule get-action
This command gets an action of an alert rule.
Azure CLI
az sentinel alert-rule get-action --action-id
--resource-group
--rule-id
--workspace-name
Let us go through an example of applying the command.
Example
To get an action of an alert rule
Azure CLI
az sentinel alert-rule get-action --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
The required parameters are --resource-group -g, --rule-id (the alert rule ID) and --workspace-name.
az sentinel alert-rule list
az sentinel alert-rule list gets all alert rules in a workspace.
Azure CLI
az sentinel alert-rule list --resource-group
--workspace-name
Examples
To get all alert rules
Azure CLI
az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace"
Required parameters
--resource-group -g
Represents the resource group name. The default group can be configured using az configure --defaults group=<name>.
--workspace-name
Represents the name of the workspace.
az sentinel alert-rule show
az sentinel alert-rule show gets a single alert rule.
Azure CLI
az sentinel alert-rule show --resource-group
--rule-id
--workspace-name
Let’s go through an example.
Example
To get an alert rule
Azure CLI
az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"
Required parameters
--resource-group -g
Represents the name of the resource group; the default can be configured using az configure --defaults group=<name>.
--rule-id
Represents the alert rule ID
--workspace-name
The name of the workspace
az sentinel alert-rule update
az sentinel alert-rule update updates an existing alert rule.
Azure CLI
az sentinel alert-rule update --resource-group
--rule-id
--workspace-name
[--add]
[--force-string]
[--fusion-alert-rule]
[--microsoft-security-incident-creation-alert-rule]
[--remove]
[--scheduled-alert-rule]
[--set]
Required parameters
--resource-group -g
Represents the name of the resource group. The default group can be configured using az configure --defaults group=<name>.
--rule-id
Denotes the alert rule ID
--workspace-name
Represents the name of the workspace.
Optional parameters
--add
Adds an object to a list of objects; a property path and key-value pairs must be specified. For example: --add property.listProperty <key=value, string or JSON string>.
--force-string
Preserves string literals when using 'set' or 'add' rather than attempting to convert them to JSON.
--fusion-alert-rule
Represents the Fusion alert rule.
--microsoft-security-incident-creation-alert-rule
Represents the MicrosoftSecurityIncidentCreation rule.
--remove
Removes a property or an element from a list. For example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
--set
Updates an object by specifying a property path and the value to set. For example: --set property1.property2=<value>.
Conclusion
To conclude, Azure Sentinel alert rules act as triggers that fire under certain conditions. According to our Support Engineers, Azure Sentinel alert rules can be created and managed effortlessly with a small set of commands.