SOLVED

Writing rules for legacy server feeds

Occasional Contributor

Hi, I'm new to Sentinel with my only real experience being the MS Sentinel Ninja training.


I have a list of events from an existing SIEM that I need to replicate in Sentinel using data coming from on-premise MS AD servers.

When I went to write my first rule I found most of template queries seem to be Azure AD based queries.

 
Could someone please point me to (or show me) examples of writing queries for on-premise data feeds to meet the following sample of requirements:

REQ-006

Send a weekly email containing all occurrences of Windows event 1102 in last 1 week

Type: Event: Windows audit log cleared (event 1102)

 

REQ-010 Send an hourly email containing all occurrences of changes to “Domain Admins” and “G_Client Support Staff” AD groups

Type: AD group change: Domain Admins


 REQ-017 Upon occurrence of proxy log URLS matching AusCert IoC list, an email must be sent

Type: IoC Matching: URL (from Proxy logs) matches AusCert IoC list

 

Thanks in anticipation

6 Replies
Some of these rules are already in the analytics templates.
Have you looked into the rules with data 'security events'?
That's what you need here

@Thijs Lecomte 

Hi there and thanks for the reply.
Yes I have looked through the templates and I made some reasonable progress over the weekend, but also hit a lot of challenges on the way!
Not the least of which is that the preview release won't allow alert schedules of more than one day so I'm still trying to figure out how to do the once a week and once a month reports.
e.g. 
 

AutomationMan_0-1598223223910.jpeg

Other challenges include the need to set up Logic Apps and create a playbook just to send a response email and in doing that, having to resolve automation issues composing and sending the email.  

 

I've yet to work through the integration of threat feeds so I can use the TI_rules to do the IoC matching requirements although I have found the page describing that process.
https://docs.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence

 

 

best response confirmed by AutomationMan (Occasional Contributor)
Solution
Hi

For the schedules, I would do it another way
You could write a script which runs a query for you and then shoots an email.
That is probably the preferred way as you are looking for reporting, not alerting.

For emails, it's true Logic Apps is the only way. For something simple as email, I agree that it's a bit of a hassle to go through

Uploading TI's is also possible through API, which might be easier for a few quick tests

@Thijs Lecomte

Thank you for your input.
As I get more of an understanding of how the ecosystem fits together I am understanding more of what tables I need to query and what entities within those tables are/are-not populated from their sources.


We were asked to replicate what one SIEM (splunk) was being used for, in another SIEM (Sentinel) but now understanding that Logic Apps is actually the preferred (and in some case perhaps the only practical) way to achieve the email reporting function we were required to provide from Log Analytics, helped me clarify the definition of Sentinel as a SIEM (+SOAR)  vs just being a glorified report generator which it is not really designed for! 

 

It all starts to make more sense now :)  

 

My new challenge is getting the LA Playbook query output parsed up and presented in a neat email format, but I seem to be winning with that too now :)

@Thijs Lecomte Thanks for that! Its that sort of example stuff that's helpful to see how or better ways to do things when you are new to the language.

Cheers