In this next chapter of producing alerts in Azure Sentinel for “watching the watchers” here’s a KQL query that can be used as an Analytics Rule or in a Workbook to report when an Analytics Rule is deleted and who did it.
The hope is that you can trust your colleagues and security team members, but it’s still good to have a record of who did what, when, and where. Imagine, if one of your security team members were disgruntled – one of the first things they might do is identify and eliminate tracking mechanisms prior to doing something nefarious in your environment. One of those things might be deleting an Analytics Rule that monitors for a specific activity they have planned.
I know, I know…this sounds far-fetched, unlikely, and hopefully just the seeds of a bad TV movie. But, aren’t we – as security engineers – directed to plan and prepare for any eventuality?
Anyway…take this as you will. It can be useful to understand when someone may (or may not) be attempting to cover their tracks.
//When an Analytics Rule is Deleted; Alert when an Analytics Rule is deleted and who did it.
AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
As with the Analytics Rule that tracks when a rule has been created or modified, this will surface the user, the user’s IP address, and the Analytics Rule’s system ID in the Incident’s Entities.
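To give the responder more context than the bare rule ID, here is an extended version of the same detection. It is an added example, not the query from the original post or from the linked repository. It keeps the DELETE filter above and joins each deletion to the last successful write of the same rule in the AzureActivity table, so the incident also shows who last touched the rule and whether the deleter is the same identity. The WRITE operation name is assumed by analogy with the DELETE operation on the page, and the lookback windows are illustrative values.

```kql
// Added example: Analytics Rule deletions enriched with the last prior write to the same rule.
// Assumed: "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE" is the counterpart of the DELETE
// operation shown above; the 1d / 30d windows are illustrative and can be tuned.
let delete_window = 1d;
let write_lookback = 30d;
// Successful deletions, with the rule GUID pulled from the end of the resource id
let deletes =
    AzureActivity
    | where TimeGenerated > ago(delete_window)
    | where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
    | where ActivityStatusValue == "Success"
    | extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
    // the GUID is the last path segment after ".../alertRules/"
    | extend RuleGuid = extract(@"(?i)alertrules/([^/]+)$", 1, Analytics_Rule_ID)
    | project DeletedAt = TimeGenerated, Caller, CallerIpAddress, Analytics_Rule_ID, RuleGuid;
// Most recent successful write per rule, so we know who last created or modified it
let last_writes =
    AzureActivity
    | where TimeGenerated > ago(write_lookback)
    | where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE" // assumed name
    | where ActivityStatusValue == "Success"
    | extend RuleGuid = extract(@"(?i)alertrules/([^/]+)$", 1, tostring(parse_json(Properties).resource))
    | where isnotempty(RuleGuid)
    | summarize arg_max(TimeGenerated, Caller, CallerIpAddress) by RuleGuid
    | project RuleGuid, LastWriteAt = TimeGenerated, LastWriter = Caller, LastWriterIp = CallerIpAddress;
deletes
| join kind=leftouter last_writes on RuleGuid
// flag the case where someone deletes a rule they did not author or last edit
| extend DeletedByDifferentUser = isnotempty(LastWriter) and Caller != LastWriter
| extend MinutesSinceLastWrite = iff(isnotempty(LastWriteAt), datetime_diff("minute", DeletedAt, LastWriteAt), long(null))
// same entity columns as the base rule, so incidents carry account, IP and rule ID
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
| project DeletedAt, Caller, CallerIpAddress, RuleGuid, Analytics_Rule_ID,
          LastWriter, LastWriterIp, LastWriteAt, MinutesSinceLastWrite, DeletedByDifferentUser,
          AccountCustomEntity, IPCustomEntity, URLCustomEntity
| sort by DeletedAt desc
```

The join is a left outer join on purpose: a rule created before the 30-day lookback, or one whose write event never landed in AzureActivity, still produces an alert row with empty LastWriter columns rather than being dropped. If you use this in a Workbook rather than an Analytics Rule, the three *CustomEntity columns can simply be omitted.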
The most current version of this Analytics Rule/KQL query is always located here: https://github.com/rod-trent/SentinelKQL/blob/master/AnalyticsRuleDeleted.txt