Aug 24 2020 08:15 AM
I would like to create an alert that gets triggered when existing rules are modified or deleted.
Can someone explain how to design it?
Aug 24 2020 10:36 AM
@ss1247 Unfortunately, it does not appear that the last-modified date/time or last-modified-by is stored anywhere for Analytics rules. I did add a request for this information to be saved somewhere, as it is needed for MSSPs.
Aug 25 2020 03:40 AM
You can get the rule info from the API; I've done this in a workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-sentinel-api-to-view-data-in-a-workb...
You could add this to a Playbook (ideal), or just look at the Workbook occasionally?
Aug 25 2020 05:48 AM
Sep 09 2020 06:26 AM
@ss1247 If you want to trigger an alert when existing analytics rules are deleted or modified, you could use the KQL queries below (just replace <resourceGroupName> with the name of the actual resource group where you have Azure Sentinel):
// Query 1: successful deletions of analytics rules in the Sentinel resource group(s)
let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
| where OperationName =~ "Delete Alert Rules"
| where ResourceGroup in (sentinelResourceGroups)
// Only the Succeeded row means the rule was actually removed (Started/Failed rows are logged too)
| where ActivityStatus =~ "Succeeded"
| extend AlertRuleId = Resource
| project TimeGenerated, Caller, CallerIpAddress, OperationName, OperationNameValue, Result = ActivityStatus, AlertRuleId, ResourceId
// Entity mapping so the incident carries the caller account and source IP
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

// Query 2: successful updates (writes) of analytics rules in the Sentinel resource group(s)
let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
| where OperationName =~ "Update Alert Rules"
| where ResourceGroup in (sentinelResourceGroups)
| where ActivityStatus =~ "Succeeded"
| extend AlertRuleId = Resource
| project TimeGenerated, Caller, CallerIpAddress, OperationName, OperationNameValue, Result = ActivityStatus, AlertRuleId, ResourceId
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
Sep 09 2020 05:02 PM - edited Sep 09 2020 05:08 PM
Alert query when modified:
// Match the resource-provider action for analytics rule writes (contains is case-insensitive)
AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Succeeded"
// The rule id is carried in the Properties JSON payload
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| project TimeGenerated, CallerIpAddress, Caller, Analytics_Rule_ID
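To check the logic of the two Sep 09 answers offline, here is an added Python example (not from the original thread, and not Microsoft's code): it applies the same filters as the KQL above (rule write/delete action, Succeeded status only, resource group allowlist) to AzureActivity-style records and extracts the rule id from the ARM resource id, the way the queries do with Resource / parse_json(Properties).resource. The field names follow the AzureActivity columns the queries use; the sample rows, subscription id, workspace name, resource groups, callers and IPs are constructed for the example.

```python
"""Detect successful changes to Azure Sentinel analytics rules in AzureActivity rows.

Added example: SAMPLE_RECORDS below are constructed to mimic AzureActivity
records; they are not real activity-log output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Resource-provider actions logged when an analytics rule is written or deleted.
# The write action is logged for rule creation as well as modification.
WATCHED_ACTIONS = {
    "microsoft.securityinsights/alertrules/write": "modified",
    "microsoft.securityinsights/alertrules/delete": "deleted",
}

# Pull the resource group and rule id out of the full ARM resource id. Casing in
# the activity log is not guaranteed to match what you typed, so ignore case.
RULE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/(?P<rg>[^/]+)/providers/"
    r"microsoft\.operationalinsights/workspaces/[^/]+/providers/"
    r"microsoft\.securityinsights/alertrules/(?P<rule>[^/]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RuleChange:
    time_generated: str
    caller: str        # corresponds to AccountCustomEntity in the KQL
    caller_ip: str     # corresponds to IPCustomEntity in the KQL
    action: str        # "modified" or "deleted"
    rule_id: str
    resource_id: str


def detect_rule_changes(records: Iterable[dict],
                        sentinel_resource_groups: Iterable[str]) -> List[RuleChange]:
    """Return one RuleChange per succeeded write/delete of an analytics rule in
    the watched resource groups, in input order."""
    watched = {rg.lower() for rg in sentinel_resource_groups}
    changes = []
    for rec in records:
        action = WATCHED_ACTIONS.get(rec.get("OperationNameValue", "").lower())
        if action is None:
            continue
        # One operation produces several status rows (Started, Succeeded, Failed);
        # only a Succeeded row means the rule actually changed.
        if rec.get("ActivityStatusValue") != "Succeeded":
            continue
        m = RULE_ID_RE.match(rec.get("ResourceId", ""))
        if m is None or m.group("rg").lower() not in watched:
            continue
        changes.append(RuleChange(rec["TimeGenerated"], rec.get("Caller", ""),
                                  rec.get("CallerIpAddress", ""), action,
                                  m.group("rule"), rec["ResourceId"]))
    return changes


# ---- constructed sample data (hypothetical subscription, workspace and callers) ----
_SUB = "00000000-0000-0000-0000-000000000000"
WRITE = "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
DELETE = "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"


def _rule_resource_id(rg: str, rule_id: str) -> str:
    # Activity-log resource ids are commonly upper-cased; mimic that here.
    return (f"/SUBSCRIPTIONS/{_SUB}/RESOURCEGROUPS/{rg.upper()}/PROVIDERS/"
            f"MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/SENTINEL-WS/PROVIDERS/"
            f"MICROSOFT.SECURITYINSIGHTS/ALERTRULES/{rule_id}")


def _rec(time: str, caller: str, ip: str, op: str, status: str, rg: str, rule_id: str) -> dict:
    return {"TimeGenerated": time, "Caller": caller, "CallerIpAddress": ip,
            "OperationNameValue": op, "ActivityStatusValue": status,
            "ResourceGroup": rg.upper(), "ResourceId": _rule_resource_id(rg, rule_id)}


SAMPLE_RECORDS = [
    _rec("2020-09-09T10:00:00Z", "analyst@contoso.example", "203.0.113.10", WRITE, "Started", "sentinel-rg", "rule-aaaa"),
    _rec("2020-09-09T10:00:02Z", "analyst@contoso.example", "203.0.113.10", WRITE, "Succeeded", "sentinel-rg", "rule-aaaa"),
    _rec("2020-09-09T10:05:00Z", "admin@contoso.example", "198.51.100.7", DELETE, "Succeeded", "sentinel-rg", "rule-bbbb"),
    _rec("2020-09-09T10:06:00Z", "admin@contoso.example", "198.51.100.7", DELETE, "Failed", "sentinel-rg", "rule-cccc"),
    _rec("2020-09-09T10:07:00Z", "dev@contoso.example", "192.0.2.44", WRITE, "Succeeded", "other-rg", "rule-dddd"),
    # Unrelated workspace write in the Sentinel resource group: must not alert.
    {"TimeGenerated": "2020-09-09T10:08:00Z", "Caller": "admin@contoso.example",
     "CallerIpAddress": "198.51.100.7", "ActivityStatusValue": "Succeeded",
     "OperationNameValue": "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/WRITE",
     "ResourceGroup": "SENTINEL-RG",
     "ResourceId": f"/SUBSCRIPTIONS/{_SUB}/RESOURCEGROUPS/SENTINEL-RG/PROVIDERS/"
                   "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/SENTINEL-WS"},
]

if __name__ == "__main__":
    for c in detect_rule_changes(SAMPLE_RECORDS, ["sentinel-rg"]):
        print(f"{c.time_generated} {c.action:8} {c.rule_id} by {c.caller} from {c.caller_ip}")
```

Two things to keep in mind when turning either KQL query into a scheduled rule: the Started row of the same operation arrives before the Succeeded row, so the status filter is what keeps you from alerting on attempts that were denied or failed; and the alertRules/write action is also logged when a rule is first created, so a "modified" alert (in the KQL and in this example) fires on new rules too, and telling create from update needs prior state such as the workbook/API export mentioned earlier in the thread.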