Philippe Zenhaeusern and Javier Soriano co-author this blog post.
This blog post serves as a guideline for implementing Sentinel as Code. You may need to update the scripts for your env...
Hi kay106, I just tested your example query and was able to successfully create the alert rule using the import function. See below the JSON file I have used:
```json
{
  "analytics": [
    {
      "displayName": "AlertRule010001",
      "description": "",
      "severity": "Medium",
      "enabled": true,
      "query": "let starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| where OperationName == \"Create role assignment\";\ncreateRoleAssignmentActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti (\ncreateRoleAssignmentActivity\n| where TimeGenerated > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus),\nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count()\nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\n) on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress",
      "queryFrequency": "5H",
      "queryPeriod": "6H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ],
      "playbookName": ""
    }
  ]
}
```
Output:
Please let me know if you keep experiencing errors. You can also open an issue on GitHub and share your error message etc. with us for further troubleshooting: https://github.com/wortell/AZSentinel/issues
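A pre-import lint for rule files in the "analytics" JSON shape shown in the reply above, added here as an example and not part of the AZSentinel module. It assumes the duration shorthand ("5H", "1D") used in that file, Sentinel's requirement that the query period be at least as long as the query frequency, and a constructed allow-list of tactic names; the two sample rules are constructed, with a shortened KQL query.

```python
import json
import re

# Constructed rule file in the same shape as the AZSentinel "analytics" JSON above.
# The first rule is well-formed; the second has three deliberate mistakes.
SAMPLE_RULES = r'''{
  "analytics": [
    {"displayName": "AlertRule010001", "severity": "Medium", "enabled": true,
     "query": "AzureActivity\n| where OperationName == \"Create role assignment\"\n| summarize count() by CallerIpAddress, Caller",
     "queryFrequency": "5H", "queryPeriod": "6H",
     "triggerOperator": "GreaterThan", "triggerThreshold": 5,
     "suppressionDuration": "6H", "suppressionEnabled": false,
     "tactics": ["Persistence", "LateralMovement", "Collection"], "playbookName": ""},
    {"displayName": "BadRule", "severity": "Medium", "enabled": true,
     "query": "SigninLogs | take 1",
     "queryFrequency": "1D", "queryPeriod": "6H",
     "triggerOperator": "GreaterThan", "triggerThreshold": -1,
     "suppressionDuration": "6H", "suppressionEnabled": false,
     "tactics": ["Persistance"], "playbookName": ""}
  ]
}'''

REQUIRED = {"displayName", "severity", "enabled", "query", "queryFrequency",
            "queryPeriod", "triggerOperator", "triggerThreshold", "tactics"}
# Assumed allow-list of ATT&CK tactic names the rule file may reference.
TACTICS = {"InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
           "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
           "Collection", "Exfiltration", "CommandAndControl", "Impact"}

def to_minutes(value):
    """Parse the '5H' / '30M' / '1D' duration shorthand used in the rule file."""
    m = re.fullmatch(r"(\d+)([MHD])", value.upper())
    if not m:
        raise ValueError(f"bad duration {value!r}")
    return int(m.group(1)) * {"M": 1, "H": 60, "D": 1440}[m.group(2)]

def lint_rules(text):
    """Return {displayName: [problems]} for every rule in the JSON file text."""
    rules = json.loads(text)["analytics"]  # rejects raw newlines inside the query string
    report = {}
    for r in rules:
        problems = [f"missing key {k}" for k in sorted(REQUIRED - r.keys())]
        if not problems:
            if to_minutes(r["queryPeriod"]) < to_minutes(r["queryFrequency"]):
                problems.append("queryPeriod shorter than queryFrequency")
            if r["triggerThreshold"] < 0:
                problems.append("negative triggerThreshold")
            problems += [f"unknown tactic {t}" for t in r["tactics"] if t not in TACTICS]
        report[r["displayName"]] = problems
    return report

if __name__ == "__main__":
    for name, issues in lint_rules(SAMPLE_RULES).items():
        print(name, "OK" if not issues else issues)
```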