I have a question, and I'm not sure how to proceed further until I get an answer to it.
We already set up Azure Sentinel about 1 year ago, but the changes/customizations have been done through the UI. Now I'd like to migrate those changes into the repository we use for this purpose. I would like to "export" the rules/connectors/playbooks we're using in Sentinel, and I've moved forward with this by using the Az.SecurityInsights module ( https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelalertrule?view=azps-5.6.0 ). I've managed to get a JSON of all Analytics rules, but I noticed that the format is a little bit different from the one in your examples - I've attached a redacted sample below from the output of running Get-AzSentinelAlertRule:
{
  "AlertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db",
  "DisplayName": "New user created and added to the built-in administrators group",
  "Description": "Identifies when a user account was created and then added to the builtin Administrators group in the same day.\nThis should be monitored closely and all additions reviewed.",
  "Enabled": true,
  "LastModifiedUtc": "2020-02-28T16:32:50.2423224Z",
  "Query": "let timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(timeframe) \n| where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \nCreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName\n|join (\nSecurityEvent \n| where TimeGenerated > ago(timeframe) \n| where AccountType == \"User\"\n// 4732 - A member was added to a security-enabled local group\n| where EventID == 4732\n//TargetSid is the builin Admins group: S-1-5-32-544\n| where TargetSid == \"S-1-5-32-544\"\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, \nDomain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName), \nCreatedUserSid = MemberSid\n)\non CreatedUserSid\n//Create User first, then the add to the group.\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, \nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid \n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer",
  "QueryFrequency": {
    "Ticks": 864000000000,
    "Days": 1,
    "Hours": 0,
    "Milliseconds": 0,
    "Minutes": 0,
    "Seconds": 0,
    "TotalDays": 1.0,
    "TotalHours": 24.0,
    "TotalMilliseconds": 86400000.0,
    "TotalMinutes": 1440.0,
    "TotalSeconds": 86400.0
  },
  "QueryPeriod": {
    "Ticks": 864000000000,
    "Days": 1,
    "Hours": 0,
    "Milliseconds": 0,
    "Minutes": 0,
    "Seconds": 0,
    "TotalDays": 1.0,
    "TotalHours": 24.0,
    "TotalMilliseconds": 86400000.0,
    "TotalMinutes": 1440.0,
    "TotalSeconds": 86400.0
  },
  "Severity": "Low",
  "SuppressionDuration": {
    "Ticks": 180000000000,
    "Days": 0,
    "Hours": 5,
    "Milliseconds": 0,
    "Minutes": 0,
    "Seconds": 0,
    "TotalDays": 0.20833333333333334,
    "TotalHours": 5.0,
    "TotalMilliseconds": 18000000.0,
    "TotalMinutes": 300.0,
    "TotalSeconds": 18000.0
  },
  "SuppressionEnabled": false,
  "TriggerOperator": "GreaterThan",
  "TriggerThreshold": 0,
  "Tactics": [
    "Persistence",
    "PrivilegeEscalation"
  ],
  "Id": "/subscriptions/*REDACTED*/resourceGroups/*REDACTED*/providers/Microsoft.OperationalInsights/workspaces/bv-sentinel/providers/Microsoft.SecurityInsights/alertRules/362b5df5-c89a-4e9e-bcb5-9c663970f909",
  "Name": "*REDACTED*-9c663970f909",
  "Type": "Microsoft.SecurityInsights/alertRules",
  "Etag": "\"*REDACTED*\"",
  "Kind": "Scheduled"
}
I am not very sure about the behaviour of running the deploy - I wouldn't want to mess with the current configurations, as we don't have versioning for them. My end goal is to "export" the current configuration we have in Sentinel and to apply it as code, and once we have this deployment method working, we would configure the Sentinel UI to be read-only for analytic rules/connectors/etc.
Please let me know if I'm taking the wrong approach.
Thank you,
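The format difference in the post comes from the PowerShell module returning .NET objects (TimeSpans as Ticks/Days/Hours, PascalCase property names) rather than the ARM resource shape, where durations are ISO 8601 strings such as P1D or PT5H. The converter below is an added example, not code from the repository or from Microsoft; it turns one Get-AzSentinelAlertRule object into a nested Microsoft.OperationalInsights/workspaces/providers/alertRules ARM resource, with the apiVersion and the workspace parameter name as assumptions and a trimmed, constructed copy of the sample above as input.

```python
import json
from datetime import timedelta

# Constructed sample: a trimmed copy of the Get-AzSentinelAlertRule output quoted above
# (Query shortened; the TimeSpan objects keep only the Ticks field the converter reads).
SAMPLE_RULE = json.loads('''{
  "AlertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db",
  "DisplayName": "New user created and added to the built-in administrators group",
  "Description": "Identifies when a user account was created and then added to the builtin Administrators group.",
  "Enabled": true,
  "Query": "SecurityEvent | where EventID == 4720",
  "QueryFrequency": {"Ticks": 864000000000},
  "QueryPeriod": {"Ticks": 864000000000},
  "Severity": "Low",
  "SuppressionDuration": {"Ticks": 180000000000},
  "SuppressionEnabled": false,
  "TriggerOperator": "GreaterThan",
  "TriggerThreshold": 0,
  "Tactics": ["Persistence", "PrivilegeEscalation"],
  "Id": "/subscriptions/X/resourceGroups/Y/providers/Microsoft.OperationalInsights/workspaces/W/providers/Microsoft.SecurityInsights/alertRules/362b5df5-c89a-4e9e-bcb5-9c663970f909",
  "Kind": "Scheduled"
}''')

def ticks_to_iso8601(ticks: int) -> str:
    """Turn a .NET TimeSpan tick count (100 ns units) into an ISO 8601 duration, e.g. P1D or PT5H."""
    td = timedelta(microseconds=ticks // 10)
    hours, rem = divmod(td.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    time_part = "".join(f"{v}{u}" for v, u in ((hours, "H"), (minutes, "M"), (seconds, "S")) if v)
    return "P" + (f"{td.days}D" if td.days else "") + (f"T{time_part}" if time_part else "") if td else "PT0S"

def to_arm_resource(rule: dict, workspace_param: str = "workspace") -> dict:
    """Reshape one Get-AzSentinelAlertRule object into the nested ARM alertRules resource shape."""
    rule_id = rule["Id"].rsplit("/", 1)[-1]  # the rule GUID is the last segment of the resource Id
    simple = {"displayName": "DisplayName", "description": "Description", "severity": "Severity",
              "enabled": "Enabled", "query": "Query", "tactics": "Tactics",
              "triggerOperator": "TriggerOperator", "triggerThreshold": "TriggerThreshold",
              "suppressionEnabled": "SuppressionEnabled", "alertRuleTemplateName": "AlertRuleTemplateName"}
    props = {arm: rule[ps] for arm, ps in simple.items()}
    for key in ("QueryFrequency", "QueryPeriod", "SuppressionDuration"):  # TimeSpan -> ISO 8601
        props[key[0].lower() + key[1:]] = ticks_to_iso8601(rule[key]["Ticks"])
    return {
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "apiVersion": "2020-01-01",  # assumption: use the version your existing templates target
        "name": f"[concat(parameters('{workspace_param}'),'/Microsoft.SecurityInsights/{rule_id}')]",
        "kind": rule["Kind"],
        "properties": props,
    }
```

Because the rule GUID is preserved in the resource name, deploying the generated template updates the existing rule in place instead of creating a duplicate, which is the property that makes a later read-only UI policy workable.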