Trigger an alert when the existing alert is modified or deleted


I would like to create an alert that gets triggered when the existing rules have been modified or deleted.

Can someone explain how to design it?

@ss1247 Unfortunately it does not appear that the last modified date/time or last modified by is stored anywhere for Analytics rules. I did add a request for this information to be saved somewhere, as it is needed for MSSPs.

https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/41084323-track-created-by-and-mo...

@Gary Bushey @ss1247 

 

You can get the rule info from the API; I've done this in a workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-sentinel-api-to-view-data-in-a-workb...

You could add this to a Playbook (ideal) or just look at the Workbook occasionally?

[Image: Annotation 2020-08-25 113747.jpg]

My bad. I see you can indeed get the last modified date. Now if we could just add who last modified it that would be great :)

@ss1247 if you want to trigger an alert when existing analytic rules are deleted or modified, you could use the KQL queries below (just replace <resourceGroupName> with the name of the actual resource group where you have Azure Sentinel):

let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
| where OperationName =~ "Delete Alert Rules"
| where ResourceGroup in (sentinelResourceGroups)
| where ActivityStatus =~ "Succeeded"
| extend AlertRuleId = Resource
| project TimeGenerated, Caller, CallerIpAddress, OperationName, OperationNameValue, Result = ActivityStatus, AlertRuleId, ResourceId
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

 

let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
| where OperationName =~ "Update Alert Rules"
| where ResourceGroup in (sentinelResourceGroups)
| where ActivityStatus =~ "Succeeded"
| extend AlertRuleId = Resource
| project TimeGenerated, Caller, CallerIpAddress, OperationName, OperationNameValue, Result = ActivityStatus, AlertRuleId, ResourceId
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

@ss1247 

alert query when modified:

AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Succeeded"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| project TimeGenerated , CallerIpAddress , Caller , Analytics_Rule_ID
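As an added example (not from any of the replies above), one query that merges the two KQL answers into a single detection: it keeps the resource-group scoping and entity mapping of the first answer and the stable OperationNameValue and Properties.resource extraction of the second, so one scheduled rule covers both modification and deletion. It assumes the same <resourceGroupName> placeholder and the ARM operation MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE, which does not appear in the thread.

```kql
// Added example, not from any reply in this thread.
// Assumptions: <resourceGroupName> is the same placeholder used above;
// MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE is the ARM operation for rule deletion
// (only the .../WRITE value appears in the thread).
let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
// Match on the ARM operation id rather than the display name ("Delete Alert Rules"):
// the id is the same whether the change came from the portal, API, CLI or a template,
// while display text is free to change.
| where OperationNameValue has_any ("MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
                                    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE")
| where ResourceGroup in~ (sentinelResourceGroups)
// The two answers use ActivityStatus ("Succeeded") and ActivityStatusValue respectively;
// the legacy and current AzureActivity schemas spell success differently, so accept either.
| where ActivityStatusValue in~ ("Success", "Succeeded") or ActivityStatus =~ "Succeeded"
| extend Action = iff(OperationNameValue endswith "/DELETE", "Deleted", "Created or updated")
// Rule id: prefer the Properties payload (second answer); fall back to Resource (first answer)
// when the payload does not carry it.
| extend RuleFromProperties = tostring(parse_json(Properties).resource)
| extend AlertRuleId = iff(isempty(RuleFromProperties), Resource, RuleFromProperties)
| project TimeGenerated, Action, Caller, CallerIpAddress, OperationNameValue, AlertRuleId, ResourceId
// Same entity-mapping columns as the first answer, so the incident shows who and from where.
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
```

Save it as a scheduled analytics rule in the workspace that receives AzureActivity; the Action column lets one incident title distinguish a deletion from an edit without maintaining two rules.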