Incidents from Analytics Rule template


Hi all!

I have limited knowledge of Sentinel and the MS products and tools but am trying hard to understand the whole puzzle.

We have a Splunk server acting as a SIEM which ingests data from Sentinel via webhook (this is out of my scope ATM).

There are a few types of incidents which I cannot find on "threat management -> incidents". This is the case of "URL Added to Application from Unknown Domain". I can find it on "Analytics -> Rule templates". Its source is Azure Active Directory, but at the bottom of the rule details there is a note:

  • You haven't used this template yet; You can use it to create analytics rules.

  • One or more data sources used by this rule is missing. This might limit the functionality of the rule.

Also, a config item is "Create incidents from this rule: Enabled".

The way I understand this is: "Rule templates" don't generate incidents by themselves, so a rule must be created using the template and, if the template is configured to create incidents from the rule, then an incident would be created and it would be possible to find it in "threat management -> incidents".

Am I right, or otherwise, can the rule template create the incident without a rule?

Anyway, why can't I find the incident within the incident list? How could this incident have gone through to Splunk?

Thanks in advance for your knowledge :)

Best regards


@jorgeghm As you said, rule templates do nothing by themselves. They serve as a template to create Analytic rules. These get run, which will find events. The events will be grouped into alerts and then the alerts grouped into incidents.

One reason I could think of that you are not seeing the incident in question is that it is closed in Sentinel.  By default, closed incidents are not shown in the Incidents page.  You would need to change the "status" filter to show closed incidents as well to see everything.

@GBushey thanks for the reply :)

So if we assume that a template rule does not generate incidents if there is no rule using it, then it is fine if I cannot find the incident; that is the expected behaviour, there shouldn't be any incident, neither open nor closed. Also there shouldn't be any event or alert, anything: the rule template does nothing, and the rule template says there are no rules using it.

Therefore, why and how could data have gone to Splunk through Azure AD --> Sentinel? Just trying to find the missing puzzle piece :D.

Below is the data received by Splunk. I have searched in Sentinel by all types of field, keyword, severity, etc.:

{"id": "<deleted>", "azureTenantId": "<deleted>", "azureSubscriptionId": "<deleted>", "category": "7e9ee75a-24ee-4133-aa74-b16cf2fd8291_21811d33-db66-4724-9412-9f54a40e11e0", "createdDateTime": "2023-01-19T22:31:38.5955752Z", "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", "eventDateTime": "2023-01-05T22:26:37.045Z", "lastModifiedDateTime": "2023-01-19T22:31:38.6040419Z", "severity": "high", "status": "newAlert", "title": "Authentication Methods Changed for Privileged Account", "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}, "userStates": [{"accountName": "<deleted>", "domainName": "<deleted>", "emailRole": "unknown", "logonDateTime": "2023-01-05T22:26:37.045Z", "logonIp": "<deleted>", "userPrincipalName": "<deleted>"}]}

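Added example (not code from anyone in this thread): a small Python triage helper that takes an alert in the same shape as the Splunk webhook payload posted above, validates the fields, parses the seven-digit-fraction timestamps, checks whether the payload claims a Sentinel origin, computes how long after the underlying event the alert was created, and generates the cross-table KQL search suggested later in the thread for that alert's title. SAMPLE_ALERT is a constructed copy of the posted structure with placeholder identifiers; the function names are my own.

```python
"""Parse a webhook alert in the shape posted above and derive the Sentinel
search to run for it. Added example, not code from this thread; the field
layout (vendorInformation, userStates, createdDateTime/eventDateTime)
mirrors the posted JSON, and every identifier below is a placeholder."""
import json
from datetime import datetime, timezone

# Constructed sample: same layout as the posted payload, placeholder ids.
SAMPLE_ALERT = json.dumps({
    "id": "<placeholder-alert-id>",
    "azureTenantId": "<placeholder-tenant-id>",
    "azureSubscriptionId": "<placeholder-subscription-id>",
    "category": "<placeholder-category>",
    "createdDateTime": "2023-01-19T22:31:38.5955752Z",
    "description": "Identifies authentication methods being changed for a privileged account.",
    "eventDateTime": "2023-01-05T22:26:37.045Z",
    "lastModifiedDateTime": "2023-01-19T22:31:38.6040419Z",
    "severity": "high",
    "status": "newAlert",
    "title": "Authentication Methods Changed for Privileged Account",
    "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
    "userStates": [{"accountName": "<placeholder>", "domainName": "<placeholder>",
                    "emailRole": "unknown", "logonDateTime": "2023-01-05T22:26:37.045Z",
                    "logonIp": "<placeholder>", "userPrincipalName": "<placeholder>"}],
})

REQUIRED_FIELDS = ("title", "severity", "status", "createdDateTime",
                   "eventDateTime", "vendorInformation")


def parse_graph_timestamp(value):
    """Parse the 'Z'-suffixed timestamps in the payload.

    They carry up to seven fractional-second digits; strptime accepts at
    most six, so the fraction is cut (or right-padded) to six first.
    """
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC timestamp ending in Z: {value!r}")
    body = value[:-1]
    if "." in body:
        whole, frac = body.split(".", 1)
        body = f"{whole}.{frac[:6].ljust(6, '0')}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def parse_alert(raw):
    """Validate the payload and normalise the fields a triage needs."""
    data = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"payload is missing required fields: {missing}")
    vendor = data["vendorInformation"]
    return {
        "title": data["title"],
        "severity": data["severity"].lower(),
        "status": data["status"],
        "provider": vendor.get("provider", ""),
        "vendor": vendor.get("vendor", ""),
        "created": parse_graph_timestamp(data["createdDateTime"]),
        "event": parse_graph_timestamp(data["eventDateTime"]),
        "users": [u.get("userPrincipalName", "") for u in data.get("userStates", [])],
    }


def is_sentinel_alert(alert):
    """True when the payload itself says Microsoft Sentinel emitted it."""
    return alert["vendor"] == "Microsoft" and alert["provider"] == "Azure Sentinel"


def detection_lag(alert):
    """Time between the underlying event and the alert being created."""
    return alert["created"] - alert["event"]


def _kql_string(text):
    # Escape backslashes and double quotes for a KQL string literal.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_search_kql(alert, lookback_days=30):
    """Free-text search across all tables for the alert title, grouped by table."""
    return "\n".join([
        f"search {_kql_string(alert['title'])}",
        f"| where TimeGenerated between (ago({lookback_days}d) .. now())",
        "| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type",
    ])


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(f"{alert['title']} [{alert['severity']}] from {alert['provider']}")
    print(f"event -> alert creation lag: {detection_lag(alert)}")
    print(build_search_kql(alert))
```

For the sample above the lag between eventDateTime and createdDateTime comes out at 14 days, which is a useful number to have in front of you when deciding which time window to search in Sentinel.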
Sorry, I cannot answer that without being able to look into your system to see if there would be something else generating this message. Did you check closed incidents in Sentinel, as those don't show up by default?

Yeah, I have also searched closed incidents, nothing. Anyway thanks for your help

When you did the search, did you search the SecurityIncident table or just use the UI? There is a new feature to delete incidents so maybe it got deleted?

@GBushey 

I would expect to see that data in OfficeActivity or CloudAppEvents tables

This should find it, and list the tables the messages are in. When we know where the data is seen, a Use Case can be enabled (or built) from the templates.

// Free-text search across all tables for the alert title seen in the Splunk payload
search "Authentication Methods Changed for Privileged Account"
| where TimeGenerated between (ago(30d) .. now())
// Alternative: a fixed window that covers both the eventDateTime and createdDateTime in the payload
//| where TimeGenerated between (datetime(2022-12-01) .. datetime(2023-01-21))
// Group by table name so the output shows where the data lives and its time span
| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type