Azure Sentinel alert rules help security teams collect, detect, investigate and respond to security alerts and incidents.
Bobcares answers all questions no matter the size, as part of our Server management support Service.
Let us take a look at Azure Sentinel alert rules in detail.
What is Azure Sentinel?
Microsoft Azure Sentinel is an advanced SIEM (Security Information and Event Management) platform. It collects data from across the environment and detects threats using analytics and threat detection. AI-assisted investigation helps hunt for malicious activity in the network, and finally it responds to incidents quickly and automatically through automation.
To configure incident creation, open the Incident settings tab. There you choose how Microsoft Sentinel turns alerts into incidents; the tab offers several options for managing incidents.
Importance of Azure Sentinel
Azure Sentinel is a highly advanced threat hunting tool. It provides security monitoring and real-time detection over the collected data, and gives the security team visibility into every detected threat. It sends an email alert to the security team whenever a threat is found. In short, Azure Sentinel acts as an extra layer of protection against threats and attacks.
Configuring the Azure Sentinel alert rules
A user can create alerts in Sentinel in two ways:
- Attach a correlation rule to an action. When the correlation rule fires, Sentinel generates an alert. A correlation rule is an automated process that tracks and manages real-time incidents, and it creates an alert when its trigger conditions are met.
- Create alerts through the REST API.
az sentinel alert-rule create command
The az sentinel alert-rule create command creates or updates an alert rule or one of its actions. Its syntax is:
az sentinel alert-rule create --resource-group
--rule-id
--workspace-name
[--action-id]
[--etag]
[--fusion-alert-rule]
[--logic-app-resource-id]
[--microsoft-security-incident-creation-alert-rule]
[--scheduled-alert-rule]
[--trigger-uri]
The command works on one object at a time, so the process starts with the creation of the alert rule action, and the remaining rule types are created in the same way.
Examples
As mentioned earlier, the first step creates or updates an action of an alert rule. The values in braces ({etag}, {subs}, {action-id}, {rule-id}) are placeholders to replace with your own values:
az sentinel alert-rule create --etag "{etag}" --logic-app-resource-id "/subscriptions/{subs}/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" --trigger-uri "https://xxx.northcentralus.logic.azure.com:443/workflows/xxx/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
After the action has been created, a Fusion alert rule is created as shown below:
az sentinel alert-rule create --fusion-alert-rule etag="{etag}" alert-rule-template-name="{name}" enabled=true --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"
The next step creates or updates a MicrosoftSecurityIncidentCreation rule, which turns alerts from the Microsoft security product named in product-filter into Sentinel incidents:
az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule etag="{etag}" product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true --resource-group "myRg" --rule-id "microsoftSecurityIncidentCreationRuleExample" --workspace-name "myWorkspace"
Finally, a Scheduled alert rule is created or updated as shown below. Here query is the KQL query to run, query-frequency is how often it runs, query-period is the lookback window each run examines, and trigger-operator together with trigger-threshold decides when the results raise an alert. The tactics key may be repeated to attach several MITRE ATT&CK tactics:
az sentinel alert-rule create --scheduled-alert-rule etag="{etag}" query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
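The scheduled rule above has several timing and enum arguments that the CLI passes through as-is, so a wrapper that sanity-checks them before calling az is useful. This is an added example, not code from the post or from the Azure CLI; it assumes the shorthand keys shown in the example above, and the names iso_duration, rule_problems, scheduled_rule_argv and run_or_print are the example's own.

```python
"""Build and validate an `az sentinel alert-rule create --scheduled-alert-rule` call.
Added example (not from the post or the Azure CLI); assumes the shorthand keys shown on the page."""
import re
import shlex
import subprocess
from datetime import timedelta
# Sentinel rule timing uses the P<d>DT<h>H<m>M subset of ISO-8601 durations.
_ISO = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")
SEVERITIES = {"High", "Medium", "Low", "Informational"}
OPERATORS = {"GreaterThan", "LessThan", "Equal", "NotEqual"}

def iso_duration(value):
    """Parse PT1H / P2DT1H30M style durations into a timedelta; reject anything else."""
    m = _ISO.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"bad ISO-8601 duration: {value!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def rule_problems(frequency, period, severity, operator):
    """Reasons the rule would be rejected or would silently miss events ([] if fine)."""
    issues = []
    if iso_duration(period) < iso_duration(frequency):  # lookback shorter than run interval leaves gaps
        issues.append("query-period is shorter than query-frequency")
    if severity not in SEVERITIES:
        issues.append(f"unknown severity {severity!r}")
    if operator not in OPERATORS:
        issues.append(f"unknown trigger-operator {operator!r}")
    return issues

def scheduled_rule_argv(resource_group, workspace, rule_id, display_name, query,
                        frequency="PT1H", period="PT1H", severity="Medium",
                        operator="GreaterThan", threshold=0, tactics=()):
    """Build the argv for az; raise ValueError rather than send an inconsistent rule."""
    problems = rule_problems(frequency, period, severity, operator)
    if problems:
        raise ValueError("; ".join(problems))
    props = [f"display-name={display_name}", f"query={query}", "enabled=true",
             f"query-frequency={frequency}", f"query-period={period}",
             f"severity={severity}", f"trigger-operator={operator}",
             f"trigger-threshold={threshold}", "suppression-duration=PT1H",
             "suppression-enabled=false"] + [f"tactics={t}" for t in tactics]
    return ["az", "sentinel", "alert-rule", "create", "--scheduled-alert-rule", *props,
            "--resource-group", resource_group, "--rule-id", rule_id, "--workspace-name", workspace]

def run_or_print(argv, dry_run=True):
    """Dry run returns the shell-quoted command; otherwise az is executed and its output returned."""
    return shlex.join(argv) if dry_run else subprocess.run(argv, check=True, capture_output=True, text=True).stdout
```

Call run_or_print(argv) first to review the quoted command, then run_or_print(argv, dry_run=False) once you are logged in with az and the extension is installed.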
Parameters required for az sentinel alert-rule create
--resource-group -g
Name of the resource group. For example, if the resource group is myRg, pass --resource-group "myRg". A default group can be set with az configure --defaults group=<name>, after which the option may be omitted. The alert rule ID and the workspace name are given in the same way.
--rule-id
Alert rule ID.
--workspace-name
The name of the workspace.
Optional parameters
--action-id
Action ID.
--etag
The Azure resource etag.
--fusion-alert-rule
The Fusion alert rule.
--logic-app-resource-id
Resource ID of the Logic App, in the form /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.
--microsoft-security-incident-creation-alert-rule
The MicrosoftSecurityIncidentCreation rule.
--scheduled-alert-rule
The scheduled alert rule.
--trigger-uri
The Logic App callback URL for this particular workflow trigger. The URL carries a SAS signature (the sig= query parameter), so treat it as a credential: keep it out of shell history and scripts checked into source control.
Deleting the az sentinel alert rule
We can delete a single action of an alert rule, or the entire alert rule itself. The syntax is:
az sentinel alert-rule delete --resource-group
--rule-id
--workspace-name
[--action-id]
[--yes]
Let's go through a couple of examples of deleting the alert rule.
Examples
To delete an action of an alert rule, specify both the rule and the associated action:
az sentinel alert-rule delete --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
To delete the alert rule itself, specify the rule as shown below:
az sentinel alert-rule delete --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
Parameters required
The required parameters are the same as for the create command. The optional parameters are:
--action-id
The action ID.
--yes -y
Do not prompt for confirmation.
az sentinel alert-rule get-action
This command gets an action of an alert rule. The syntax is:
az sentinel alert-rule get-action --action-id
--resource-group
--rule-id
--workspace-name
Let us go through an example of applying the command.
Example
To get an action of an alert rule:
az sentinel alert-rule get-action --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
The required parameters are --action-id, --resource-group -g, --rule-id (the alert rule ID) and --workspace-name.
az sentinel alert-rule list
The az sentinel alert-rule list command gets all alert rules in a workspace. The syntax is:
az sentinel alert-rule list --resource-group
--workspace-name
Examples
To get all alert rules:
az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace"
Required parameters
--resource-group -g
Name of the resource group. The default group can be configured using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
az sentinel alert-rule show
The az sentinel alert-rule show command gets a single alert rule. The syntax is:
az sentinel alert-rule show --resource-group
--rule-id
--workspace-name
Let's go through an example.
Example
To get an alert rule:
az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"
Required parameters
--resource-group -g
Name of the resource group. The default group can be configured using az configure --defaults group=<name>.
--rule-id
The alert rule ID.
--workspace-name
The name of the workspace.
az sentinel alert-rule update
The az sentinel alert-rule update command updates an existing alert rule. The syntax is:
az sentinel alert-rule update --resource-group
--rule-id
--workspace-name
[--add]
[--force-string]
[--fusion-alert-rule]
[--microsoft-security-incident-creation-alert-rule]
[--remove]
[--scheduled-alert-rule]
[--set]
Required parameters
--resource-group -g
Name of the resource group. The default group can be configured using az configure --defaults group=<name>.
--rule-id
The alert rule ID.
--workspace-name
The name of the workspace.
Optional parameters
--add
Add an object to a list of objects by specifying a path and key-value pairs. For example: --add property.listProperty <key=value, string or JSON string>.
--force-string
Preserve string literals when using --set or --add rather than attempting to convert them to JSON.
--fusion-alert-rule
The Fusion alert rule.
--microsoft-security-incident-creation-alert-rule
The MicrosoftSecurityIncidentCreation rule.
--remove
Remove a property or an element from a list. For example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
--set
Update an object by specifying a property path and the value to set. For example: --set property1.property2=<value>.
Conclusion
To conclude, Azure Sentinel alert rules act as triggers that fire under certain conditions. According to our Support Engineers, Azure Sentinel alert rules can be created and managed with a small set of CLI commands.