Forum Discussion
Incidents from Analytics Rule template
GBushey, thanks for the reply 🙂
So if we assume that the template rule does not generate incidents if there is no rule using it, then it is fine if I cannot find the incident; that is the expected behaviour, there shouldn't be any incident, neither open nor closed. Also there shouldn't be any event or alert, anything; the rule template does nothing, and the rule template says there are no rules using it.
Therefore, why and how could data have gone to Splunk through Azure AD --> Sentinel? Just trying to find the missing puzzle piece :D.
Below is the data received by Splunk. I have searched in Sentinel by every kind of field, keyword, severity, etc.:
{"id": "<deleted>", "azureTenantId": "<deleted>", "azureSubscriptionId": "<deleted>", "category": "7e9ee75a-24ee-4133-aa74-b16cf2fd8291_21811d33-db66-4724-9412-9f54a40e11e0", "createdDateTime": "2023-01-19T22:31:38.5955752Z", "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", "eventDateTime": "2023-01-05T22:26:37.045Z", "lastModifiedDateTime": "2023-01-19T22:31:38.6040419Z", "severity": "high", "status": "newAlert", "title": "Authentication Methods Changed for Privileged Account", "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}, "userStates": [{"accountName": "<deleted>", "domainName": "<deleted>", "emailRole": "unknown", "logonDateTime": "2023-01-05T22:26:37.045Z", "logonIp": "<deleted>", "userPrincipalName": "<deleted>"}]}
- jorgeghm, Jan 23, 2023, Copper Contributor: Yeah, I have also searched closed incidents, nothing. Anyway, thanks for your help.
- GBushey, Jan 23, 2023, Former Employee: When you did the search, did you search the SecurityIncident table or just use the UI? There is a new feature to delete incidents, so maybe it got deleted?
- Clive_Watson, Jan 24, 2023, Bronze Contributor:
I would expect to see that data in the OfficeActivity or CloudAppEvents tables.
This should find it, and list the tables the messages are in. When we know where the data is seen, a Use Case can be enabled (or built) from the templates.

search "Authentication Methods Changed for Privileged Account"
| where TimeGenerated between (ago(30d) .. now())
//| where TimeGenerated between (datetime(2022-12-01) .. datetime(2023-01-21))
| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type
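As an added example (not from any of the posters above), the query below does what GBushey suggested, checking the SecurityIncident table rather than the UI, and joins it to the SecurityAlert table so that an alert that fired without ever producing an incident, or whose incident was later closed or deleted, shows up on its own row. It assumes the standard Microsoft Sentinel schema for SecurityAlert (SystemAlertId, AlertName, DisplayName, AlertSeverity, ProviderName, ProductName, Status) and SecurityIncident (IncidentNumber, AlertIds, Status, Classification, CreatedTime, ClosedTime, LastModifiedTime, RelatedAnalyticRuleIds); the alert title and the time window are taken from the JSON the Splunk side received (eventDateTime 2023-01-05, createdDateTime 2023-01-19).

```kql
// Added example, not from the thread. Looks for the alert the poster saw in Splunk
// in the two Sentinel tables where an analytics rule leaves a trace.
let alertTitle = "Authentication Methods Changed for Privileged Account";
let windowStart = datetime(2022-12-01);   // chosen to bracket the JSON's eventDateTime
let windowEnd   = datetime(2023-01-21);   // and its createdDateTime
// 1. Raw alerts: a rule that fires writes here even when incident creation
//    is disabled on that rule, so this is the first place to look.
let alerts = SecurityAlert
| where TimeGenerated between (windowStart .. windowEnd)
| where AlertName == alertTitle or DisplayName == alertTitle
| project AlertTime = TimeGenerated, SystemAlertId, AlertName, AlertSeverity,
          ProviderName, ProductName, AlertStatus = Status;
// 2. Incidents, including closed ones: SecurityIncident keeps a row per state
//    change, so keep only the latest row for each incident number, then
//    expand the array of alert ids that make up the incident.
let incidents = SecurityIncident
| where TimeGenerated between (windowStart .. windowEnd)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string)
| project IncidentNumber, Title, IncidentStatus = Status, Classification,
          CreatedTime, ClosedTime, AlertId, RelatedAnalyticRuleIds;
// 3. Left join: an alert row with an empty IncidentNumber means the alert
//    exists but no incident was ever created (or it has since been deleted);
//    a populated ClosedTime shows an incident that was created and then closed.
alerts
| join kind=leftouter incidents on $left.SystemAlertId == $right.AlertId
| project AlertTime, AlertName, AlertSeverity, ProviderName, ProductName, AlertStatus, SystemAlertId,
          IncidentNumber, IncidentStatus, Classification, CreatedTime, ClosedTime, RelatedAnalyticRuleIds
| order by AlertTime desc
```

If a row comes back with an alert but no incident, the alert was generated by some scheduled rule (RelatedAnalyticRuleIds on any matching incident, or the AlertType column of SecurityAlert, identifies which one) and was exported from the alert, not from an incident; if nothing comes back at all in either table, the record Splunk received did not originate from this workspace's analytics rules and the connector feeding Splunk is the next thing to check.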