Bobcares

Azure Sentinel Alert Rules and Alert Management

by | Jun 29, 2022

Azure Sentinel alert rules help collect, detect, investigate and respond to security alerts and incidents.

Bobcares answers all questions no matter the size, as part of our Server management support Service.

Let us take a look at Azure Sentinel alert rules in detail.

What is Azure Sentinel?

Microsoft Azure Sentinel is a cloud-native SIEM (Security Information and Event Management) platform. It collects data from across the environment and detects threats using analytics and threat detection. AI-assisted investigation helps hunt for malicious activity in the network, and incidents can be responded to quickly and automatically through automation.

To configure the incident creation settings, go to the Incident Settings tab. There the user chooses how Microsoft Sentinel turns alerts into incidents; the tab offers several options for managing incidents.

Importance of Azure Sentinel

Azure Sentinel is an advanced threat-hunting tool that provides real-time detection over the data it collects. It gives the security team visibility into every threat and sends an email alert to the team whenever a threat is found. In short, Sentinel acts as an extra layer of protection against threats and attacks.

Configuring the Azure Sentinel alert rules

A user can create alerts in Sentinel in two ways:

  1. Connect a correlation rule to an action and create alerts. When the correlation rule fires, Sentinel generates an alert. A correlation rule is an automated process that tracks real-time events and creates an alert when its trigger conditions are met.
  2. Use the REST API to create alerts.

The az sentinel alert-rule create command

az sentinel alert-rule create creates or updates an alert rule, or an action attached to an alert rule. The command syntax is:

az sentinel alert-rule create --resource-group
--rule-id
--workspace-name
[--action-id]
[--etag]
[--fusion-alert-rule]
[--logic-app-resource-id]
[--microsoft-security-incident-creation-alert-rule]
[--scheduled-alert-rule]
[--trigger-uri]

The examples below go through the rule types one at a time: first an action attached to an alert rule, then each kind of alert rule.

Examples

The first example creates or updates an action of an alert rule:

az sentinel alert-rule create --etag "{etag}" --logic-app-resource-id "/subscriptions/{subs}/resourceGroups/myRg/providers/Microsoft.Logic/workflows/MyAlerts" --trigger-uri "https://xxx.northcentralus.logic.azure.com:443/workflows/xxx/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=signature" --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"

After the action, a Fusion alert rule can be created as shown below:

az sentinel alert-rule create --fusion-alert-rule etag="{etag}" alert-rule-template-name="{name}" enabled=true --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"

The next example creates or updates a MicrosoftSecurityIncidentCreation rule. It uses the --microsoft-security-incident-creation-alert-rule argument rather than the Fusion one, and the product-filter value selects which Microsoft security product's alerts become incidents:

az sentinel alert-rule create --microsoft-security-incident-creation-alert-rule etag="{etag}" product-filter="Microsoft Cloud App Security" display-name="testing displayname" enabled=true --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"

Finally, a Scheduled alert rule is created or updated as shown below. The query runs every query-frequency (here PT1H, one hour) over the last query-period (P2DT1H30M) of data and fires when the result count is greater than the threshold of 0:

az sentinel alert-rule create --scheduled-alert-rule etag="{etag}" query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden" query-frequency="PT1H" query-period="P2DT1H30M" severity="High" trigger-operator="GreaterThan" trigger-threshold=0 description="" display-name="Rule2" enabled=true suppression-duration="PT1H" suppression-enabled=false tactics="Persistence" tactics="LateralMovement" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"
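The scheduled-rule settings above map one-to-one onto the Scheduled alert rule document that the CLI sends to the Sentinel REST API. The following added example (not code from the original post) rebuilds the Rule2 command as that document and applies the sanity checks a practitioner wants before deploying a rule: valid ISO 8601 durations, a known severity and trigger operator, and a lookback period that is at least as long as the run frequency, since a shorter lookback leaves windows of data that no run ever scans. The five-minute floor on frequency is Sentinel's documented minimum; the validation logic itself is this example's, not the CLI's.

```python
import re
from datetime import timedelta

# ISO 8601 duration in the form Sentinel uses: P[nD][T[nH][nM][nS]]
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TRIGGER_OPERATORS = {"GreaterThan", "LessThan", "Equal", "NotEqual"}


def parse_iso_duration(text):
    """Convert 'P2DT1H30M' to a timedelta; reject anything that is not a duration."""
    match = _DURATION.match(text)
    if not match or text in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def scheduled_rule_body(display_name, query, query_frequency, query_period, severity,
                        trigger_operator="GreaterThan", trigger_threshold=0, tactics=(),
                        suppression_duration="PT1H", suppression_enabled=False,
                        enabled=True, description=""):
    """Validate the settings and return the Scheduled alert rule document."""
    if not query.strip():
        raise ValueError("query must not be empty")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if trigger_operator not in TRIGGER_OPERATORS:
        raise ValueError(f"trigger_operator must be one of {sorted(TRIGGER_OPERATORS)}")
    frequency, period = parse_iso_duration(query_frequency), parse_iso_duration(query_period)
    parse_iso_duration(suppression_duration)  # must also be a valid duration
    if frequency < timedelta(minutes=5):
        raise ValueError("query_frequency below five minutes is not accepted by Sentinel")
    # A lookback shorter than the run interval leaves windows that no run ever scans.
    if period < frequency:
        raise ValueError("query_period must be at least as long as query_frequency")
    return {"kind": "Scheduled", "properties": {
        "displayName": display_name, "description": description, "enabled": enabled,
        "severity": severity, "query": query,
        "queryFrequency": query_frequency, "queryPeriod": query_period,
        "triggerOperator": trigger_operator, "triggerThreshold": trigger_threshold,
        "suppressionDuration": suppression_duration, "suppressionEnabled": suppression_enabled,
        "tactics": list(tactics)}}


# The page's Rule2 example rebuilt as a request body (values copied from the CLI command).
RULE2 = scheduled_rule_body(
    display_name="Rule2", severity="High", query_frequency="PT1H", query_period="P2DT1H30M",
    query="ProtectionStatus | extend HostCustomEntity = Computer | extend IPCustomEntity = ComputerIP_Hidden",
    trigger_operator="GreaterThan", trigger_threshold=0, tactics=("Persistence", "LateralMovement"),
    suppression_duration="PT1H", suppression_enabled=False, enabled=True, description="")
```

Swapping the two durations (a one-day frequency with a one-hour lookback) makes scheduled_rule_body raise, which is the misconfiguration that silently drops 23 hours of telemetry per run.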
Parameters required for az sentinel alert-rule create

--resource-group -g: the name of the resource group. For example, if the resource group is myRg, pass --resource-group "myRg". The default group can be configured with az configure --defaults group=<name>, which saves repeating it on every command.

--rule-id: the alert rule ID.

--workspace-name: the name of the workspace.

Optional parameters

--action-id: the action ID.

--etag: the Azure resource etag.

--fusion-alert-rule: the Fusion alert rule definition.

--logic-app-resource-id: the resource ID of the Logic App, in the form /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.

--microsoft-security-incident-creation-alert-rule: the MicrosoftSecurityIncidentCreation rule definition.

--scheduled-alert-rule: the Scheduled alert rule definition.

--trigger-uri: the Logic App callback URL for this workflow trigger.

Deleting an az sentinel alert rule

Both an action attached to an alert rule and the alert rule itself can be deleted. The command syntax is:

az sentinel alert-rule delete --resource-group
--rule-id
--workspace-name
[--action-id]
[--yes]

Let’s go through a couple of examples of deleting the alert rule.

Examples

To delete an action of an alert rule, specify both the rule and the action:

az sentinel alert-rule delete --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"

To delete the alert rule itself, specify the rule only:

az sentinel alert-rule delete --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"

Parameters required

The required parameters are the same as for the create command: --resource-group, --rule-id and --workspace-name. The optional parameters are:

--action-id: the action ID. When given, only that action is deleted.

--yes -y: do not prompt for confirmation.

az sentinel alert-rule get-action

This command retrieves an action of an alert rule:

az sentinel alert-rule get-action --action-id
--resource-group
--rule-id
--workspace-name

Let us go through an example of applying the command.

Example

To get an action of an alert rule:

az sentinel alert-rule get-action --action-id "{action-id}" --resource-group "myRg" --rule-id "{rule-id}" --workspace-name "myWorkspace"

The required parameters are --action-id, --resource-group -g, --rule-id (the alert rule ID) and --workspace-name.

az sentinel alert-rule list

az sentinel alert-rule list gets all alert rules in a workspace:

az sentinel alert-rule list --resource-group
--workspace-name

Examples

To get all alert rules:

az sentinel alert-rule list --resource-group "myRg" --workspace-name "myWorkspace"

Required parameters

--resource-group -g: the name of the resource group. The default group can be configured with az configure --defaults group=<name>.

--workspace-name: the name of the workspace.

az sentinel alert-rule show

az sentinel alert-rule show gets a single alert rule:

az sentinel alert-rule show --resource-group
--rule-id
--workspace-name

Let’s go through an example.

Example

To get an alert rule:

az sentinel alert-rule show --resource-group "myRg" --rule-id "myFirstFusionRule" --workspace-name "myWorkspace"

Required parameters

--resource-group -g: the name of the resource group. The default group can be configured with az configure --defaults group=<name>.

--rule-id: the alert rule ID.

--workspace-name: the name of the workspace.

az sentinel alert-rule update

az sentinel alert-rule update updates an existing alert rule:

az sentinel alert-rule update --resource-group
--rule-id
--workspace-name
[--add]
[--force-string]
[--fusion-alert-rule]
[--microsoft-security-incident-creation-alert-rule]
[--remove]
[--scheduled-alert-rule]
[--set]

Required parameters

--resource-group -g: the name of the resource group. The default group can be configured with az configure --defaults group=<name>.

--rule-id: the alert rule ID.

--workspace-name: the name of the workspace.

Optional parameters

--add: add an object to a list of objects by specifying a path and key-value pairs. For example: --add property.listProperty <key=value, string or JSON string>.

--force-string: when using --set or --add, keep string literals as strings instead of attempting to convert them to JSON.

--fusion-alert-rule: the Fusion alert rule definition.

--microsoft-security-incident-creation-alert-rule: the MicrosoftSecurityIncidentCreation rule definition.

--remove: remove a property or an element from a list. For example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--scheduled-alert-rule: the Scheduled alert rule definition.

--set: update an object by specifying a property path and value to set. For example: --set property1.property2=<value>.


Conclusion

To conclude, Azure Sentinel alert rules act as triggers that fire under defined conditions. According to our Support Engineers, Azure Sentinel alert rules can be created and managed with a small set of az sentinel alert-rule commands.
