Azure Sentinel News

How to Report When an Azure Sentinel Analytics Rule is Deleted

by Azure Sentinel News Editor
December 25, 2020
in Security and Compliance

In this next chapter of producing alerts in Azure Sentinel for “watching the watchers,” here’s a KQL query that can be used as an Analytics Rule or in a Workbook to report when an Analytics Rule is deleted, and who deleted it.

The hope is that you can trust your colleagues and security team members, but it’s still good to have a record of who did what, when, and from where. Imagine that one of your security team members were disgruntled: one of the first things they might do is identify and eliminate tracking mechanisms before doing something nefarious in your environment. Deleting an Analytics Rule that monitors for the specific activity they have planned would be one such step.

I know, I know…this sounds far-fetched, unlikely, and hopefully just the seeds of a bad TV movie. But aren’t we, as security engineers, directed to plan and prepare for any eventuality?

Anyway, take this as you will. It can be useful to know when someone may (or may not) be attempting to cover their tracks.

// When an Analytics Rule is Deleted: alert when an Analytics Rule is deleted, and record who did it.
AzureActivity
// ARM operation the activity log records when a Sentinel analytics rule is removed (contains is case-insensitive in KQL)
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
// the activity log also records the operation starting and, where RBAC denies it, failing; keep only completed deletions
| where ActivityStatusValue == "Success"
// the rule's resource ID is carried inside the Properties JSON string
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
// map the caller, source IP and rule ID to the entity columns Sentinel reads when it creates the Incident
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID

As with the Analytics Rule to track when a rule has been created or modified, this will surface the user, the user’s IP address, and the Analytics Rule’s system ID in the Incident’s Entities. Two practical notes: both rules depend on the Azure Activity data connector being enabled for the subscription that hosts the Sentinel workspace, otherwise the AzureActivity table has nothing to match; and newer versions of the rule wizard map entities through its Entity mapping section rather than through the AccountCustomEntity/IPCustomEntity/URLCustomEntity column names, so check which mechanism your workspace expects.
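As an added example (not code from the original post or from the SentinelKQL repository), the query below runs the same detection logic over a small, constructed stand-in for the AzureActivity table built with datatable, so the filters can be exercised in a Log Analytics query window without deleting a real rule. It goes slightly beyond the rule above: it also picks up the companion WRITE operation (a rule created or modified) and labels each row, and it shows the records the rule must ignore (the in-progress and failed attempts) being dropped. The account names, IP addresses, resource groups and rule GUIDs are invented sample data, and the assumption that the create/modify path is logged as MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE is mine, not the post’s.

```kql
// Added example: the deletion detection exercised against constructed AzureActivity rows.
// Everything in SampleActivity is invented test data, not real log content.
let SampleActivity = datatable(
    TimeGenerated: datetime,
    OperationNameValue: string,
    ActivityStatusValue: string,
    Caller: string,
    CallerIpAddress: string,
    ResourceGroup: string,
    Properties: string)
[
    // 1. the in-progress record written before the deletion completes: must be ignored
    datetime(2020-12-03T14:02:10Z), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE", "Start",
        "analyst@contoso.com", "203.0.113.10", "rg-sentinel",
        '{"eventCategory":"Administrative","resource":"7d1c2f0e-1111-4aaa-8bbb-000000000001"}',
    // 2. the completed deletion: this is the row the rule should surface
    datetime(2020-12-03T14:02:11Z), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE", "Success",
        "analyst@contoso.com", "203.0.113.10", "rg-sentinel",
        '{"eventCategory":"Administrative","resource":"7d1c2f0e-1111-4aaa-8bbb-000000000001"}',
    // 3. a deletion that was denied (caller lacks the right role): not a deletion
    datetime(2020-12-03T14:05:00Z), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE", "Failure",
        "reader@contoso.com", "198.51.100.7", "rg-sentinel",
        '{"eventCategory":"Administrative","resource":"7d1c2f0e-1111-4aaa-8bbb-000000000002"}',
    // 4. a rule created or edited: the companion "created or modified" rule's territory
    datetime(2020-12-03T14:10:00Z), "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE", "Success",
        "engineer@contoso.com", "203.0.113.22", "rg-sentinel",
        '{"eventCategory":"Administrative","resource":"7d1c2f0e-1111-4aaa-8bbb-000000000003"}',
    // 5. unrelated management-plane noise
    datetime(2020-12-03T14:12:00Z), "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION", "Success",
        "ops@contoso.com", "203.0.113.30", "rg-prod",
        '{"eventCategory":"Administrative","resource":"vm-web01"}'
];
SampleActivity
// both "watching the watchers" operations in one pass; in~ is a case-insensitive exact match
| where OperationNameValue in~ (
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE")
// keep only operations that actually completed (drops rows 1 and 3 above)
| where ActivityStatusValue == "Success"
// pull the rule's resource ID out of the Properties JSON string
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
// label the row so one rule (or one Workbook tile) can show both kinds of change
| extend Action = case(
    OperationNameValue endswith "/DELETE", "Rule deleted",
    OperationNameValue endswith "/WRITE",  "Rule created or modified",
    "Other")
// same entity columns the rule in the post uses, so an Incident gets Account, IP and URL entities
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID
| project TimeGenerated, Action, Caller, CallerIpAddress, ResourceGroup, Analytics_Rule_ID,
          AccountCustomEntity, IPCustomEntity, URLCustomEntity
| order by TimeGenerated asc
```

Run as written, the query returns exactly two rows: the completed deletion by analyst@contoso.com and the rule write by engineer@contoso.com; the Start, Failure and virtual-machine rows never reach the projection. To turn it into the live detection, delete the let block and replace SampleActivity with AzureActivity; if you only want deletions, as in the post’s rule, drop the WRITE entry from the in~ list.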

The most current version of this Analytics Rule/KQL query is always located here: https://github.com/rod-trent/SentinelKQL/blob/master/AnalyticsRuleDeleted.txt

Reference: https://azurecloudai.blog/2020/12/03/how-to-report-when-an-azure-sentinel-analytics-rule-is-deleted/

Copyright © 2020 - Azure Sentinel News
