ITOps Talk Blog

Azure Sentinel: Using rule templates

SoniaCuff (Microsoft)
Jan 04, 2021

Microsoft's Azure Sentinel, our Security Information and Event Management (SIEM) solution, enables you to connect activity data from different sources into a shared workspace. That data ingestion is just the first step in the process, though. The power comes from what you can now do with that data, including investigating incident alerts, building your own dashboards with workbooks, responding to threats with security playbooks and hunting for security threats.

Let's take a look at some of the built-in rule templates that you can activate, to query and alert on that data.

Built-in rule templates
Your active rules and the list of available rule templates can be found in Azure Sentinel under Configuration\Analytics:

Azure Sentinel Analytics menu

Microsoft publishes the rule templates and updates and extends them as new events and threats are identified; each template is classified as low, medium or high severity. There are currently just under 200 rule templates covering 38 different data sources, from both Microsoft and third parties.

Some of the rule templates in Azure Sentinel

Examples

There are rule templates to create incidents in Azure Sentinel based on alerts from Azure Security Center, Office 365 Advanced Threat Protection (Preview) and Microsoft Defender Advanced Threat Protection. This helps you build one place to manage and investigate threats across different Microsoft products.

There are individual rules for Microsoft and non-Microsoft products:

Severity | Rule template | Data source
High | First access credential added to Application or Service Principal where no credential was present | Azure Active Directory
Medium | Rare application consent | Azure Active Directory
Medium | Full Admin policy created and then attached to Roles, Users or Groups | Amazon Web Services
Low | Changes to AWS Security Group ingress and egress settings | Amazon Web Services
Medium | Known Malware Detected | VMWare Carbon Black Endpoint Standard (preview)
Medium | Port scan detected | Sophos XG Firewall (preview)
Medium | New internet-exposed SSH endpoints | Syslog
Low | Request for single resource on domain | Zscaler

There are also rules that combine more than one product, linking events that could indicate a possible incident:

Severity | Rule template | Data sources
High | Anomalous login followed by Teams action | Office 365 + Azure Active Directory
High | Multiple password reset by user | Azure Active Directory + Security Events + Syslog + Office 365

And there are rules that detect a known threat from different data sources:

Severity | Rule template | Data sources
High | Known IRIDIUM IP | Office 365, DNS (preview), Cisco ASA, Palo Alto Networks, Security Events, Azure Active Directory, Azure Activity, Amazon Web Services
High | THALLIUM domains included in DCU takedown | DNS (preview), Cisco ASA, Palo Alto Networks

Anatomy of a rule template
As well as a severity and a list of the data source(s) for the rule, a description tells you why the rule is important and may give you links to other relevant information.

Azure Sentinel rule template description

The rule type can be:
- Microsoft Security - these rules automatically create Azure Sentinel incidents from alerts generated in other Microsoft security products, in real time.
- Scheduled - these run periodically based on the settings you configure and allow you to alter the query logic.
- ML Behaviour Analytics - these are based on proprietary Microsoft machine learning algorithms, so you can't see or change the query logic.
- Fusion - this detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default. For more information on Fusion incident types, visit Advanced multistage attack detection in Azure Sentinel.

The tactics icons show what kind of threat this rule is related to:
Credential access, command and control, initial access, impact, defence evasion, collection, persistence, lateral movement, privilege escalation.

You can also see the details of the rule query, written in Kusto Query Language (KQL).

Scheduled rules have a frequency, a rule period and a rule threshold, and may allow event grouping, suppression, the creation of incidents from this alert and alert grouping.

Rule template settings for a scheduled rule

Creating a rule from a rule template
To turn a rule template into an active rule for your environment, you just select the Create rule button. With the wizard, you can then customize any rule settings or the rule logic itself (if appropriate) and you will be warned if you don't have the required data sources connected.
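The same template-to-rule step can be driven from PowerShell; the script below is an added example (not code from the original post, from Microsoft, or from the SecureHats script mentioned in the comments) that uses the Az.SecurityInsights module to enable scheduled templates whose required data connectors are present and to log the rest, mirroring the wizard's missing-data-source warning. It assumes an existing Connect-AzAccount session, uses placeholder resource group and workspace names, and assumes that a template's RequiredDataConnector.ConnectorId values use the same names as the workspace's data connector Kind values.

```powershell
# Added example, not code from the original post or from SecureHats: enable scheduled
# rule templates for which this workspace already has the required data connectors.
# Assumes the Az.SecurityInsights module and an existing Connect-AzAccount session.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder: your resource group
    [Parameter(Mandatory)] [string] $WorkspaceName,       # placeholder: your Sentinel workspace
    [string[]] $Severity = @('High', 'Medium'),           # template severities to enable
    [switch] $DryRun                                      # report only, create nothing
)
Import-Module Az.SecurityInsights -ErrorAction Stop
$ws = @{ ResourceGroupName = $ResourceGroupName; WorkspaceName = $WorkspaceName }

# Connector kinds enabled in this workspace. Assumption: a template's
# RequiredDataConnector.ConnectorId uses the same names as the connector Kind.
# Agent-based sources (Syslog, SecurityEvents) are not connector objects and will
# show as missing, so the portal wizard's own warning remains the authority.
$connected = @(Get-AzSentinelDataConnector @ws | ForEach-Object { "$($_.Kind)" })

# Templates that already back an active rule, so nothing is created twice.
$inUse = @(Get-AzSentinelAlertRule @ws | ForEach-Object { $_.AlertRuleTemplateName })

$log = foreach ($t in Get-AzSentinelAlertRuleTemplate @ws) {
    if ("$($t.Kind)" -ne 'Scheduled' -or "$($t.Severity)" -notin $Severity) { continue }
    if ($t.Name -in $inUse) { "SKIP    $($t.DisplayName): rule already exists"; continue }

    $missing = @($t.RequiredDataConnector | ForEach-Object { "$($_.ConnectorId)" } |
                Where-Object { $_ -notin $connected })
    if ($missing.Count -gt 0) { "SKIP    $($t.DisplayName): not connected: $($missing -join ', ')"; continue }
    if ($DryRun) { "WOULD   [$($t.Severity)] $($t.DisplayName)"; continue }

    # Copy the template's query, schedule and threshold into a new scheduled rule.
    $rule = @{
        Scheduled = $true; Enabled = $true; AlertRuleTemplateName = $t.Name
        DisplayName = $t.DisplayName; Description = $t.Description
        Severity = "$($t.Severity)"; Query = $t.Query
        QueryFrequency = $t.QueryFrequency; QueryPeriod = $t.QueryPeriod
        TriggerOperator = "$($t.TriggerOperator)"; TriggerThreshold = $t.TriggerThreshold
    }
    if ($t.Tactic) { $rule.Tactic = @($t.Tactic | ForEach-Object { "$_" }) }
    try {
        New-AzSentinelAlertRule @ws @rule | Out-Null
        "CREATED [$($t.Severity)] $($t.DisplayName)"
    } catch {
        # Some templates fail server-side validation; record the failure and carry on.
        "ERROR   $($t.DisplayName): $($_.Exception.Message)"
    }
}
$log | Tee-Object -FilePath .\enable-rules.log
```

Run it with -DryRun first to see which templates would be enabled and which are held back by missing connectors before creating anything.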

Choosing your rules

Azure Sentinel gives you a very powerful security capability, but it's up to you to decide how to apply it to your organization. The built-in rule templates are a great start, or you may also choose to build your own queries. Take a look at the data sources across your environment and the security incident and event monitoring tools and processes you already have in place. What in particular do you need to monitor: network attacks? Logins of administrative accounts? Events from different systems that may be related?

In addition, the Azure security baseline for Azure Sentinel takes guidance from the Azure Security Benchmark's security controls.

Learn more:

MS Learn - Cloud-native security operations with Azure Sentinel

Docs - Tutorial: Detect threats out of the box

Docs - Tutorial: Create custom analytics rules to detect threats

Docs - Extend Azure Sentinel across workspaces and tenants

Updated Jan 04, 2021
Version 2.0
  • Hi All,

    Here is the script I was talking about before, to create detection rules from multiple rule templates in Microsoft Sentinel.

    I've added a readme file to the GitHub page explaining the parameters and options that can be used.

    What the script does is accept a list of data connectors and enable the alert rules for these data connectors.
    You can also use a watchlist as an input to enable the rules based on the enabled connectors.

    A log file will be created for rules that gave an error on enabling. This is due to some mismatches in tactics and techniques configured in some of the built-in rules.

    https://github.com/SecureHats/SecureHacks/tree/main/scripts/Azure/Sentinel/Enable-AlertRules

    Looking forward to your feedback 😉

    thommck-on-twitter bertschronja

  • SimonTTUK
    Brass Contributor

    Is there a programmatic mechanism to automate creation of rules from templates? I have found the basic automation of Sentinel documentation, including information on creating custom rules.

    However there appears to be no mechanism to automate creation of rules from the templates.

    Thanks, Simon

  • Hi SimonTTUK
    I'm working on a script to automatically enable and update detection rules based on the active data connectors.
    When this script is scheduled, it will create, update or enable any new rule that is available in the rule templates.

    Let me know if you are interested so I can send you the link to my Github.

    Kind Regards,
    Rogier Dijkman (SecureHats)

  • bertschronja
    Copper Contributor

    Hi Sonia, thanks for the great article! I am wondering if there is any possibility to get notified when new rule templates are published? Further, if a rule template changes its content (e.g. query) will this affect my active rules based on this specific template?

  • bertschronja, currently there is no built-in way to check for rule template updates; however, the product group has heard customer feedback on this. Stay tuned to https://aka.ms/asnew and the Sentinel tech community blog for future updates and announcements.

    In answer to your second question, if a template is changed it will not affect your active rules - they will stay the same unless you edit them.