Jan 20 2023 04:08 AM
Hi all!
I have limited knowledge of Sentinel and the MS products and tools, but I am trying hard to understand the whole puzzle.
We have a Splunk server acting as a SIEM which ingests data from Sentinel via webhook (this is out of my scope ATM).
There are a few types of incidents which I cannot find under "Threat management -> Incidents". This is the case for "URL Added to Application from Unknown Domain". I can find it under "Analytics -> Rule templates". Its source is Azure Active Directory, but at the bottom of the rule details there is a note:
You haven't used this template yet; You can use it to create analytics rules.
One or more data sources used by this rule is missing. This might limit the functionality of the rule.
Also, a config item is "Create incidents from this rule: Enabled".
The way I understand this is: "Rule templates" don't generate incidents by themselves, so a rule must be created using the template and, if the template is configured to create incidents from the rule, then an incident would be created and it would be possible to find it under "Threat management -> Incidents".
Am I right, or can the rule template create the incident without a rule?
Anyway, why can't I find the incident within the incident list? How could this incident have gone through Splunk?
Thanks in advance for your knowledge :)
Best regards
Jan 20 2023 09:41 AM - edited Jan 20 2023 09:45 AM
@jorgeghm As you said, rule templates do nothing by themselves. They serve as templates to create analytic rules. These get run and will find events. The events will be grouped into alerts, and then the alerts are grouped into incidents.
One reason I can think of that you are not seeing the incident in question is that it is closed in Sentinel. By default, closed incidents are not shown in the Incidents page. You would need to change the "Status" filter to show closed incidents as well to see everything.
Jan 23 2023 02:49 AM - edited Jan 23 2023 02:49 AM
@GBushey thanks for the reply :)
So if we assume that a rule template does not generate incidents if there is no rule using it, then it is fine that I cannot find the incident; that is the expected behaviour. There shouldn't be any incident, neither open nor closed. Also there shouldn't be any event or alert, anything; the rule template does nothing, and the rule template says there are no rules using it.
Therefore, why and how could data have gone to Splunk through Azure AD --> Sentinel? Just trying to find the missing puzzle piece :D.
Below is the data received by Splunk. I have searched in Sentinel by all types of field, keyword, severity, etc.:
{"id": "<deleted>", "azureTenantId": "<deleted>", "azureSubscriptionId": "<deleted>", "category": "7e9ee75a-24ee-4133-aa74-b16cf2fd8291_21811d33-db66-4724-9412-9f54a40e11e0", "createdDateTime": "2023-01-19T22:31:38.5955752Z", "description": "Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", "eventDateTime": "2023-01-05T22:26:37.045Z", "lastModifiedDateTime": "2023-01-19T22:31:38.6040419Z", "severity": "high", "status": "newAlert", "title": "Authentication Methods Changed for Privileged Account", "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}, "userStates": [{"accountName": "<deleted>", "domainName": "<deleted>", "emailRole": "unknown", "logonDateTime": "2023-01-05T22:26:37.045Z", "logonIp": "<deleted>", "userPrincipalName": "<deleted>"}]}
Jan 24 2023 01:28 AM
I would expect to see that data in the OfficeActivity or CloudAppEvents tables.
This should find it, and list the tables the messages are in; once we know where the data is seen, a Use Case can be enabled (or built) from the templates.
search "Authentication Methods Changed for Privileged Account"
| where TimeGenerated between (ago(30d) .. now())
//| where TimeGenerated between (datetime(2022-12-01) .. datetime(2023-01-21))
| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type
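Added example, not code from the thread or from Microsoft: a small Python helper that parses an alert payload shaped like the one Splunk received above, shows that it is an alert object (provider "Azure Sentinel", status "newAlert") rather than an incident, computes how long after the event the alert was created, and builds the KQL search from the last reply around the alert's eventDateTime instead of a fixed 30-day window. The sample payload is constructed with placeholder identifiers; field names follow the posted JSON.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the posted payload; identifiers are placeholders.
SAMPLE_ALERT = json.dumps({
    "id": "<deleted>",
    "category": "<deleted>",
    "createdDateTime": "2023-01-19T22:31:38.5955752Z",
    "eventDateTime": "2023-01-05T22:26:37.045Z",
    "severity": "high",
    "status": "newAlert",
    "title": "Authentication Methods Changed for Privileged Account",
    "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
    "userStates": [{"userPrincipalName": "<deleted>", "logonIp": "<deleted>"}],
})


def parse_ts(value):
    """Parse the payload's ISO-8601 timestamps (up to 7 fractional digits, 'Z' suffix)."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]  # datetime supports microseconds at most
    return datetime.strptime(f"{base}.{micro}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def triage_alert(raw):
    """Reduce the webhook payload to the fields needed to trace it back in Sentinel."""
    alert = json.loads(raw)
    event = parse_ts(alert["eventDateTime"])
    created = parse_ts(alert["createdDateTime"])
    provider = alert.get("vendorInformation", {}).get("provider", "")
    return {
        "title": alert["title"],
        "severity": alert.get("severity"),
        "provider": provider,
        # Alert objects are one level below incidents; this flag says "look in alerts, not Incidents".
        "is_sentinel_alert": provider == "Azure Sentinel" and alert.get("status") == "newAlert",
        "event_time": event,
        "ingest_lag": created - event,  # event happened well before the alert was created
        "users": [u.get("userPrincipalName") for u in alert.get("userStates", [])],
    }


def kql_for(triage, pad_hours=24):
    """Build the search from the thread, windowed around the alert's event time."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = (triage["event_time"] - timedelta(hours=pad_hours)).strftime(fmt)
    end = (triage["event_time"] + timedelta(hours=pad_hours)).strftime(fmt)
    title = triage["title"].replace('"', '\\"')
    return (f'search "{title}"\n'
            f"| where TimeGenerated between (datetime({start}) .. datetime({end}))\n"
            "| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type")
```

Note that in the posted payload the event time is two weeks before createdDateTime, so a search window keyed on the alert's creation date alone would miss the underlying event rows.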