Filter Azure Security Center alert name in Azure Sentinel incident rule

In the past we learned how to connect Azure Security Center to Azure Sentinel so that every alert generated by Azure Security Center becomes an incident in Azure Sentinel. Not all alerts are true positives, and sometimes you wouldn't want to see them on the Azure Sentinel Incidents page.

While waiting for the Azure Security Center auto-dismiss feature to come out, there are a few options. In this article, let's take a quick look at a simple filtering feature in the Microsoft incident creation rule that filters alerts by name.

To modify a rule, simply go to Analytics and pick the rule.

There are two options:

  • Include specific alerts
  • Exclude specific alerts

They are self-explanatory. For example, I might only care about alerts whose name contains common keywords such as brute-force (e.g. Failed SSH Brute-force attack), malicious (e.g. Network communication with a malicious machine detected), or anonymous (e.g. Anonymous access to a storage account).

Again, this is not a recommended practice: with the exclude option you might miss alerts, and with the include option you might still pull in noisy ones. Filtering on name alone is not good enough. You need advanced filtering that can match specific values in alert properties and entities (e.g. exclude the alert if it is anonymous access to a storage account that is allowed to be public).

You could use an Azure Logic App to do the filtering (bypassing the built-in Microsoft incident creation rule) and create a customized Azure Sentinel incident, but that takes much more effort.
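The gap between the name-only filter and the property-based filter described above, as an added Python example (not the incident rule's or any Logic App's own code; the alert records and their field names are constructed and simplified):

```python
# Name-based include/exclude versus entity-aware filtering of Security Center alerts.
# Added illustration: alert records are constructed and use a simplified shape
# (AlertName, Entities) rather than the full SecurityAlert schema.
from typing import Iterable

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
STORAGE_PREFIX = "/providers/Microsoft.Storage/storageAccounts/"

SAMPLE_ALERTS = [
    {"AlertName": "Failed SSH Brute-force attack",
     "Entities": [{"Type": "host", "HostName": "vm-web-01"}]},
    {"AlertName": "Network communication with a malicious machine detected",
     "Entities": [{"Type": "ip", "Address": "203.0.113.9"}]},
    {"AlertName": "Anonymous access to a storage account",  # deliberately public account
     "Entities": [{"Type": "azure-resource", "ResourceId": SUB + STORAGE_PREFIX + "publicassets"}]},
    {"AlertName": "Anonymous access to a storage account",  # account that must stay private
     "Entities": [{"Type": "azure-resource", "ResourceId": SUB + STORAGE_PREFIX + "hrbackups"}]},
    {"AlertName": "Suspicious process executed",
     "Entities": [{"Type": "host", "HostName": "vm-app-02"}]},
]

KEYWORDS = ("brute-force", "malicious", "anonymous")

def name_matches(alert: dict, keywords: Iterable[str]) -> bool:
    """Case-insensitive 'name contains keyword', as the incident creation rule does."""
    name = alert["AlertName"].lower()
    return any(k.lower() in name for k in keywords)

def include_specific(alerts, keywords):
    """'Include specific alerts': keep only alerts whose name contains a keyword."""
    return [a for a in alerts if name_matches(a, keywords)]

def exclude_specific(alerts, keywords):
    """'Exclude specific alerts': drop every alert whose name contains a keyword."""
    return [a for a in alerts if not name_matches(a, keywords)]

def storage_account_of(alert: dict):
    """Storage account name from an azure-resource entity, or None if there is none."""
    for ent in alert.get("Entities", []):
        rid = ent.get("ResourceId", "")
        if ent.get("Type") == "azure-resource" and STORAGE_PREFIX in rid:
            return rid.rsplit("/", 1)[-1].lower()
    return None

def include_with_entity_check(alerts, keywords, allowed_public_accounts):
    """Name filter plus an entity check: an anonymous-access alert on a storage
    account that is deliberately public is suppressed instead of becoming an incident."""
    allowed = {a.lower() for a in allowed_public_accounts}
    return [a for a in include_specific(alerts, keywords)
            if not ("anonymous" in a["AlertName"].lower() and storage_account_of(a) in allowed)]
```

The name-only include keeps both anonymous-access alerts, while the entity check drops only the one on the allowed public account and still opens an incident for the private one.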

There is a feature for that, but it is under private preview. Stay tuned on AzSec for more information.


This entry was posted in Security Operation.
