Azure Sentinel custom alert name based on the detected resource

I got a question from a friend today asking whether he could customize the alert name based on the detected resource. He was in charge of building a rule set for monitoring Azure Key Vault resources and wanted to see something like “SecretGet request on xyz-keyvault resource at 2021-11-01T20:59:50.1370000Z”.

In this article, we will see how to customize an alert name dynamically from the detection rule’s output.

Here is what you can achieve (illustrated in the original post):

Below is the query used in this article:

// Key Vaults whose activity should be named in the alert
let TargetKeyVaults = dynamic(
  [
    "shared-corporate-kv",
    "azsec-kv"
  ]
);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"   // Key Vault diagnostic logs only (case-insensitive)
| where Resource in~ (TargetKeyVaults)             // case-insensitive match on the vault name
| project TimeGenerated,
          OperationName,                            // e.g. SecretGet
          KeyVaultName = Resource,                  // alias reused in the alert name
          ResourceGroup,
          CallerIPAddress

There are several ways to build a custom alert name. In this article we will see how to do it in the Azure Portal and in an Azure ARM template.

Azure Portal

In the Azure Portal, when you create a new analytics rule, Azure Sentinel lets you set the alert name dynamically from the query’s results. On the “Set rule logic” tab, expand “Alert details” under “Alert enrichment”. From here you can insert the value of any column of the query’s output into the alert name. The sample rule above produces the following output columns:

  • TimeGenerated
  • OperationName
  • KeyVaultName (mapped to the Resource column)
  • ResourceGroup
  • CallerIPAddress

With these outputs I can concatenate my alert name as follows:

{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}

If you don’t want to limit yourself to these columns, don’t use the project operator: every column the query returns is then available as a placeholder.

This feature supports up to three placeholders per format string as of this writing.

Azure ARM Template

You may want to put everything for an analytics rule in an Azure ARM template. In this case, you define the format in the alertDetailsOverride property (refer to line #127 of the full template).

...
"alertDetailsOverride": {
  "alertDisplayNameFormat": "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}",
  "alertDescriptionFormat": "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}"
},
...
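Whether the format string is typed into the portal or written into the ARM template, the same two things can go wrong: a placeholder that does not match a column the query actually returns (the easy typo is CallerIPAdress for CallerIPAddress), or more than the three placeholders the feature supports. As an added example, not code from the original post, here is a small Python check that parses the query’s project clause, lints the alertDetailsOverride formats against those columns, and renders the name for one result row. It assumes the query ends with a single project clause (parsed with a plain regex, which is enough for the rule above), that a missing project clause means any column is allowed, and the rule JSON, the row and the misspelled format are all constructed for the demonstration. How Sentinel itself handles an unknown placeholder is not stated on the page; the renderer here simply leaves it as literal text.

```python
"""Lint a Sentinel analytics rule's alertDetailsOverride against the columns its
KQL query returns. Added example; the parsing of `project` is a simplifying
assumption, and the rule/row data below is constructed, not captured."""
from __future__ import annotations

import json
import re

MAX_PLACEHOLDERS = 3  # limit stated in the post for name/description formats

# {{ColumnName}} placeholders, as used by alertDisplayNameFormat
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def projected_columns(kql: str):
    """Output column names of the query's final `project` clause, or None when
    the query has no `project` (then every table column is available).
    Assumption: a single trailing project clause, no commas inside expressions."""
    m = re.search(r"\|\s*project\s+(.*)\Z", kql, re.S)
    if not m:
        return None
    cols = []
    for item in m.group(1).split(","):
        item = item.strip()
        if item:
            cols.append(item.split("=", 1)[0].strip())  # `Alias = Expr` -> Alias
    return cols


def lint_format(fmt: str, columns) -> list:
    """Problems with one format string (empty list means it is fine)."""
    problems = []
    names = PLACEHOLDER.findall(fmt)
    if len(names) > MAX_PLACEHOLDERS:
        problems.append("%d placeholders, limit is %d" % (len(names), MAX_PLACEHOLDERS))
    if columns is not None:
        for n in names:
            if n not in columns:
                problems.append("placeholder {{%s}} is not a query output column" % n)
    return problems


def lint_rule(rule: dict) -> dict:
    """Lint both format strings of a rule's properties block."""
    cols = projected_columns(rule["query"])
    override = rule.get("alertDetailsOverride", {})
    return {key: lint_format(override[key], cols)
            for key in ("alertDisplayNameFormat", "alertDescriptionFormat")
            if key in override}


def render(fmt: str, row: dict) -> str:
    """Substitute one result row into a format string. Unknown placeholders are
    left as literal text; that is this example's choice, not Sentinel's documented behaviour."""
    return PLACEHOLDER.sub(lambda m: str(row.get(m.group(1), m.group(0))), fmt)


# Constructed rule properties: the post's query and override, plus a format that
# misspells CallerIPAddress and uses four placeholders.
QUERY = r'''let TargetKeyVaults = dynamic(["shared-corporate-kv", "azsec-kv"]);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where Resource in~ (TargetKeyVaults)
| project TimeGenerated, OperationName, KeyVaultName = Resource, ResourceGroup, CallerIPAddress'''

GOOD_RULE = {
    "query": QUERY,
    "alertDetailsOverride": {
        "alertDisplayNameFormat": "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}",
        "alertDescriptionFormat": "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}",
    },
}

BAD_RULE = {
    "query": QUERY,
    "alertDetailsOverride": {
        "alertDisplayNameFormat": "{{OperationName}} on {{KeyVaultName}} from {{CallerIPAdress}} at {{TimeGenerated}}",
    },
}

# Constructed sample row shaped like one row of the query's output.
SAMPLE_ROW = {
    "TimeGenerated": "2021-11-01T20:59:50.1370000Z",
    "OperationName": "SecretGet",
    "KeyVaultName": "azsec-kv",
    "ResourceGroup": "rg-security",
    "CallerIPAddress": "203.0.113.10",
}

if __name__ == "__main__":
    print(json.dumps(lint_rule(GOOD_RULE), indent=2))
    print(json.dumps(lint_rule(BAD_RULE), indent=2))
    print(render(GOOD_RULE["alertDetailsOverride"]["alertDisplayNameFormat"], SAMPLE_ROW))
```

Run it against the properties block of each rule template before deployment; the misspelled format above is reported twice, once for exceeding three placeholders and once for the column that the query never returns.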

Why do we need this feature? It helps your SOC team triage quickly: when the alert name already says which Key Vault was touched, analysts can recognise resources that are known to be used for testing and close those incidents without a full investigation. One caveat: the vault name in the title comes straight from the log row, so treat it as a triage hint and confirm it against the alert’s entities before closing.

This entry was posted in Security Automation.

1 Response

  1. Pingback: Azure Sentinel Analytics Rule ARM Template - Microsoft Azure Security Randomness
