Azure Sentinel near-real-time (NRT) Analytics Rule ARM Template

Microsoft has just introduced a new type of analytics rule called near-real-time (NRT). This rule type provides up-to-the-minute detection, which means you no longer have to worry about ingestion delay, especially the five-minute minimum delay.

This article provides a sample ARM template to deploy a near-real-time (NRT) analytics rule.

First, Microsoft has already published documentation about this new rule type here: https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules

Azure Sentinel Analytics Rule ARM Template

Let’s reuse the example from the previous article: you want to monitor a few Key Vaults that store sensitive secrets.

let TargetKeyVaults = dynamic (
  [
    "shared-corporate-kv",
    "azsec-kv"
  ]
);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where Resource in~ (TargetKeyVaults)
| project TimeGenerated,
          OperationName,
          KeyVaultName = Resource,
          ResourceGroup,
          CallerIPAddress,
          _ResourceId

The ARM template to create an Azure Sentinel near-real-time analytics rule has several changes compared with the scheduled rule template:

  • The kind is NRT instead of Scheduled.
  • Since the rule runs in near real time, queryFrequency, queryPeriod, triggerOperator and triggerThreshold aren’t applicable.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "defaultValue": "azsec-shared-workspace",
      "metadata": {
        "description": "The name of the Log Analytics Workspace Azure Sentinel is connected to."
      }
    },
    "analyticsRuleId": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": {
        "description": "The name (GUID) of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleDisplayName": {
      "type": "string",
      "metadata": {
        "description": "The display name of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleDescription": {
      "type": "string",
      "metadata": {
        "description": "The description of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleSeverity": {
      "type": "string",
      "allowedValues": [
        "Informational",
        "Low",
        "Medium",
        "High"
      ],
      "metadata": {
        "description": "The severity of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleQuery": {
      "type": "string",
      "metadata": {
        "description": "The query of the Azure Sentinel custom analytics rule."
      }
    },
    "alertDisplayNameFormat": {
      "type": "string",
      "metadata": {
        "description": "The display name format of the Azure Sentinel custom analytics rule. More information https://azsec.azurewebsites.net/2021/11/01/azure-sentinel-custom-alert-named-based-on-detected-resource/"
      }
    },
    "analyticsRuleTactics": {
      "type": "array",
      "allowedValues": [
        "InitialAccess",
        "PreAttack",
        "Execution",
        "Persistence",
        "PrivilegeEscalation",
        "DefenseEvasion",
        "CredentialAccess",
        "Discovery",
        "LateralMovement",
        "Collection",
        "Exfiltration",
        "CommandAndControl",
        "Impact"
      ],
      "metadata": {
        "description": "The tactic of the Azure Sentinel custom analytics rule. "
      }
    },
    "logicAppResourceId": {
      "type": "string",
      "metadata": {
        "description": "The resource Id of the Logic App you want to connect to the analytics rule"
      }
    },
    "actionRuleId": {
      "type": "string",
      "defaultValue": "15b9235d-46f0-49a6-910c-9d1d3a649899",
      "metadata": {
        "description": "The action Rule Id"
      }
    }
  },
  "variables": {
    "alertRuleName": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', parameters('analyticsRuleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "name": "[variables('alertRuleName')]",
      "kind": "NRT",
      "apiVersion": "2021-09-01-preview",
      "properties": {
        "displayName": "[parameters('analyticsRuleDisplayName')]",
        "description": "[parameters('analyticsRuleDescription')]",
        "severity": "[parameters('analyticsRuleSeverity')]",
        "enabled": true,
        "query": "[parameters('analyticsRuleQuery')]",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": "[parameters('analyticsRuleTactics')]",
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "[parameters('alertDisplayNameFormat')]",
          "alertDescriptionFormat": "[parameters('alertDisplayNameFormat')]",
          "alertTacticsColumnName": null,
          "alertSeverityColumnName": null
        },
        "customDetails": {
          "TimeGenerated": "TimeGenerated",
          "KeyVaultName": "KeyVaultName",
          "ResourceGroup": "ResourceGroup",
          "CallerIPAddress": "CallerIPAddress"
        },
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "identifier": "ResourceId",
                "columnName": "_ResourceId"
              }
            ]
          }
        ]
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules/actions",
      "apiVersion": "2021-09-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/',parameters('analyticsRuleId'),'/actions/',parameters('actionRuleId'))]",
      "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('analyticsRuleId'), '/',parameters('actionRuleId'))]",
      "dependsOn": [
        "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/', parameters('analyticsRuleId'))]"
      ],
      "properties": {
        "logicAppResourceId": "[parameters('logicAppResourceId')]",
        "TriggerUri": "[listCallbackURL(concat(parameters('logicAppResourceId')),'2016-06-01').value]"
      }
    }
  ]
}

The template above not only defines the rule itself but also associates a Logic App (playbook) with it.
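To feed the query and the template into an actual deployment, here is an added Python helper (example code, not from the original post). It renders the Key Vault query as the single-line string an ARM parameters file needs, builds that parameters file, and lints a loaded template for the two NRT-specific points above (kind must be NRT, no scheduled-only properties). The workspace, Logic App resource ID and alert name format are constructed sample values.

```python
# Scheduled-only properties; an NRT rule must not carry them.
SCHEDULED_ONLY = ("queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold")

def build_query(target_key_vaults):
    """Render the Key Vault monitoring query from the post as one KQL string."""
    names = ",\n".join(f'    "{n}"' for n in target_key_vaults)
    return (
        "let TargetKeyVaults = dynamic(\n  [\n" + names + "\n  ]\n);\n"
        "AzureDiagnostics\n"
        '| where ResourceProvider =~ "MICROSOFT.KEYVAULT"\n'
        "| where Resource in~ (TargetKeyVaults)\n"
        "| project TimeGenerated, OperationName, KeyVaultName = Resource,\n"
        "          ResourceGroup, CallerIPAddress, _ResourceId"
    )

def build_parameters(workspace, display_name, description, severity,
                     tactics, logic_app_id, key_vaults):
    """Build the deploymentParameters document; analyticsRuleId/actionRuleId keep template defaults."""
    values = {
        "workspaceName": workspace,
        "analyticsRuleDisplayName": display_name,
        "analyticsRuleDescription": description,
        "analyticsRuleSeverity": severity,
        "analyticsRuleQuery": build_query(key_vaults),  # json.dump will escape the newlines
        # {{Column}} is Sentinel's placeholder syntax for the alert details override (sample format).
        "alertDisplayNameFormat": "Key Vault {{KeyVaultName}} accessed from {{CallerIPAddress}}",
        "analyticsRuleTactics": tactics,
        "logicAppResourceId": logic_app_id,
    }
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {k: {"value": v} for k, v in values.items()},
    }

def lint_nrt_template(template):
    """Return a list of problems; an empty list means the template looks like a valid NRT rule."""
    rules = [r for r in template.get("resources", []) if r.get("type", "").endswith("/alertRules")]
    if not rules:
        return ["no alertRules resource found"]
    problems = []
    for rule in rules:
        if rule.get("kind") != "NRT":
            problems.append(f"kind is {rule.get('kind')!r}, expected 'NRT'")
        props = rule.get("properties", {})
        problems += [f"{k} is scheduled-only and not applicable to NRT" for k in SCHEDULED_ONLY if k in props]
        if not props.get("query"):
            problems.append("properties.query is missing")
    return problems
```

Write the result of build_parameters with json.dump to a file and pass it to `az deployment group create --template-file <template> --parameters @<file>`; run lint_nrt_template on the loaded template first to catch a Scheduled-rule template reused by mistake.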

The sample ARM template to create a near-real-time analytics rule in Azure Sentinel is uploaded here.
