I got a question from a friend today asking whether he could customize an alert name based on the detected resource. He was in charge of building a rule set for monitoring Azure Key Vault resources, and he wanted to see something like “SecretGet request on xyz-keyvault resource at 2021-11-01T20:59:50.1370000Z”.
In this article, we will see how to customize an alert name dynamically based on the detection rule’s output.
So here is what you can achieve:
Below is the query used in this article:
let TargetKeyVaults = dynamic(["shared-corporate-kv", "azsec-kv"]);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where Resource in~ (TargetKeyVaults)
| project TimeGenerated, OperationName, KeyVaultName = Resource, ResourceGroup, CallerIPAddress
There are several ways to build a custom alert name. In this article we will see how to do it from the Azure Portal and from an Azure ARM template.
Azure Portal
In the Azure Portal, when creating a new analytics rule, Azure Sentinel allows you to set the alert name dynamically based on the query’s result. On the “Set rule logic” tab, expand Alert details under Alert enrichment. From here you can include the values of columns from the query’s output. The sample rule above produces the following outputs:
- TimeGenerated
- OperationName
- KeyVaultName (mapped from the Resource column)
- ResourceGroup
- CallerIPAddress
These outputs can be concatenated into the alert name as follows:
{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}
If you don’t want to be limited to these outputs, don’t use the project operator in the query.
As of this writing, the feature supports up to 3 outputs.
Azure ARM Template
You may want to put everything for an analytics rule in an Azure ARM template. In this case, you define the alert name in the alertDetailsOverride property (refer to line #127 of the template):
...
"alertDetailsOverride": {
    "alertDisplayNameFormat": "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}",
    "alertDescriptionFormat": "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}",
...
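Whether the format string comes from the portal field or from alertDisplayNameFormat in the template, a misspelled placeholder or one more column than the stated limit only shows up after deployment. The following is an added example (not part of this article or of Sentinel) that checks a format string against the columns the query above projects, using the 3-output limit stated above as an assumed ceiling, and renders it against constructed sample rows to preview the alert names:

```python
import re

# Columns projected by the query in this article; placeholders may only use these.
PROJECTED_COLUMNS = ["TimeGenerated", "OperationName", "KeyVaultName",
                     "ResourceGroup", "CallerIPAddress"]

# Constructed sample rows standing in for the query's output (not real telemetry).
SAMPLE_ROWS = [
    {"TimeGenerated": "2021-11-01T20:59:50.1370000Z", "OperationName": "SecretGet",
     "KeyVaultName": "shared-corporate-kv", "ResourceGroup": "rg-shared",
     "CallerIPAddress": "203.0.113.10"},
    {"TimeGenerated": "2021-11-01T21:03:12.0000000Z", "OperationName": "KeyDelete",
     "KeyVaultName": "azsec-kv", "ResourceGroup": "rg-azsec",
     "CallerIPAddress": "198.51.100.7"},
]

DISPLAY_NAME_FORMAT = "{{OperationName}} request to {{KeyVaultName}} Key Vault at {{TimeGenerated}}"

# {{ColumnName}} placeholders as used in the portal field and in alertDisplayNameFormat.
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def referenced_columns(fmt):
    """Distinct column names referenced by placeholders, in order of first appearance."""
    return list(dict.fromkeys(PLACEHOLDER.findall(fmt)))


def validate_format(fmt, columns, max_columns=3):
    """Return a list of problems; an empty list means the format is consistent with the query.
    max_columns=3 is the limit stated in the article (assumed to still apply)."""
    problems = []
    refs = referenced_columns(fmt)
    for name in refs:
        if name not in columns:
            problems.append(f"unknown column {name!r}: not in the query's projected output")
    if len(refs) > max_columns:
        problems.append(f"{len(refs)} columns referenced, limit is {max_columns}")
    return problems


def render_alert_name(fmt, row):
    """Expand placeholders against one result row (local preview of the alert name)."""
    return PLACEHOLDER.sub(lambda m: str(row.get(m.group(1), "")), fmt)


if __name__ == "__main__":
    for problem in validate_format(DISPLAY_NAME_FORMAT, PROJECTED_COLUMNS):
        print("problem:", problem)
    for row in SAMPLE_ROWS:
        print(render_alert_name(DISPLAY_NAME_FORMAT, row))
```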
Why do we need this feature? It helps your SOC team triage quickly: when the alert name already tells them which resource was involved, and they know certain resources are used only for testing, they can close those incidents without investigating.