Microsoft has introduced a new type of Azure Sentinel analytics rule: near-real-time (NRT). An NRT rule runs its query once every minute, which gives you up-to-the-minute detection instead of waiting for the five-minute minimum query frequency of a scheduled rule. Note that the rule still only sees events once they have been ingested into the workspace, so ingestion latency itself is not removed.
This article provides a sample ARM template for deploying a near-real-time (NRT) analytics rule.
First, Microsoft has already documented this rule type here: https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules
Let's reuse the example from the previous article: you want to monitor a few Key Vaults that store sensitive secrets. The query lists operations against the target vaults and projects the columns the rule will later surface as custom details and as the entity mapping:
```kusto
let TargetKeyVaults = dynamic(["shared-corporate-kv", "azsec-kv"]);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where Resource in~ (TargetKeyVaults)
| project TimeGenerated, OperationName, KeyVaultName = Resource, ResourceGroup, CallerIPAddress, _ResourceId
```
The ARM template that creates an Azure Sentinel near-real-time analytics rule differs from the scheduled-rule template in two ways:
- The kind is NRT instead of Scheduled.
- An NRT rule has no schedule, so queryFrequency, queryPeriod, triggerOperator and triggerThreshold are not applicable and are omitted from properties.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "defaultValue": "azsec-shared-workspace",
      "metadata": {
        "description": "The name of the Log Analytics Workspace Azure Sentinel is connected to."
      }
    },
    "analyticsRuleId": {
      "type": "string",
      "defaultValue": "[newGuid()]",
      "metadata": {
        "description": "The name (GUID) of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleDisplayName": {
      "type": "string",
      "metadata": {
        "description": "The display name of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleDescription": {
      "type": "string",
      "metadata": {
        "description": "The description of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleSeverity": {
      "type": "string",
      "allowedValues": [ "Informational", "Low", "Medium", "High" ],
      "metadata": {
        "description": "The severity of the Azure Sentinel custom analytics rule."
      }
    },
    "analyticsRuleQuery": {
      "type": "string",
      "metadata": {
        "description": "The query of the Azure Sentinel custom analytics rule."
      }
    },
    "alertDisplayNameFormat": {
      "type": "string",
      "metadata": {
        "description": "The display name format of the Azure Sentinel custom analytics rule. More information https://azsec.azurewebsites.net/2021/11/01/azure-sentinel-custom-alert-named-based-on-detected-resource/"
      }
    },
    "analyticsRuleTactics": {
      "type": "array",
      "allowedValues": [
        "InitialAccess",
        "PreAttack",
        "Execution",
        "Persistence",
        "PrivilegeEscalation",
        "DefenseEvasion",
        "CredentialAccess",
        "Discovery",
        "LateralMovement",
        "Collection",
        "Exfiltration",
        "CommandAndControl",
        "Impact"
      ],
      "metadata": {
        "description": "The tactic of the Azure Sentinel custom analytics rule."
      }
    },
    "logicAppResourceId": {
      "type": "string",
      "metadata": {
        "description": "The resource Id of the Logic App you want to connect to the analytics rule"
      }
    },
    "actionRuleId": {
      "type": "string",
      "defaultValue": "15b9235d-46f0-49a6-910c-9d1d3a649899",
      "metadata": {
        "description": "The action Rule Id"
      }
    }
  },
  "variables": {
    "alertRuleName": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', parameters('analyticsRuleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "name": "[variables('alertRuleName')]",
      "kind": "NRT",
      "apiVersion": "2021-09-01-preview",
      "properties": {
        "displayName": "[parameters('analyticsRuleDisplayName')]",
        "description": "[parameters('analyticsRuleDescription')]",
        "severity": "[parameters('analyticsRuleSeverity')]",
        "enabled": true,
        "query": "[parameters('analyticsRuleQuery')]",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": "[parameters('analyticsRuleTactics')]",
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "[parameters('alertDisplayNameFormat')]",
          "alertDescriptionFormat": "[parameters('alertDisplayNameFormat')]",
          "alertTacticsColumnName": null,
          "alertSeverityColumnName": null
        },
        "customDetails": {
          "TimeGenerated": "TimeGenerated",
          "KeyVaultName": "KeyVaultName",
          "ResourceGroup": "ResourceGroup",
          "CallerIPAddress": "CallerIPAddress"
        },
        "entityMappings": [
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "identifier": "ResourceId",
                "columnName": "_ResourceId"
              }
            ]
          }
        ]
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules/actions",
      "apiVersion": "2021-09-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/',parameters('analyticsRuleId'),'/actions/',parameters('actionRuleId'))]",
      "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('analyticsRuleId'), '/',parameters('actionRuleId'))]",
      "dependsOn": [
        "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/', parameters('analyticsRuleId'))]"
      ],
      "properties": {
        "logicAppResourceId": "[parameters('logicAppResourceId')]",
        "TriggerUri": "[listCallbackURL(concat(parameters('logicAppResourceId')),'2016-06-01').value]"
      }
    }
  ]
}
```
The template does more than define the rule: the second resource (alertRules/actions) attaches the Logic App playbook to the rule, resolving the playbook's trigger URI with listCallbackURL at deployment time.
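As an added example (not code from the original article, and not a Microsoft tool), here is a Python pre-deployment check for the template above. It builds the ARM parameters file, carrying the multi-line KQL query from earlier as a single JSON string, and lints the template for the two points this article calls out plus one it does not: the rule must be kind NRT, the Scheduled-only properties must be absent, and every column that customDetails and entityMappings read must actually be projected by the query. The template excerpt, the Logic App resource id and the parameter values are constructed for illustration; the function and file names are this example's own.

```python
"""Added example (not the article's own code): build the ARM parameters file for the
NRT rule template above and lint the template before deploying it."""
import json
import re

# Constructed excerpt of the template above, reduced to the fields the lint inspects;
# in practice load the full file with json.load(open("nrt-rule.json")).
TEMPLATE = {"resources": [{
    "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
    "kind": "NRT",
    "properties": {
        "query": "[parameters('analyticsRuleQuery')]",
        "customDetails": {"KeyVaultName": "KeyVaultName", "CallerIPAddress": "CallerIPAddress"},
        "entityMappings": [{"entityType": "AzureResource",
                            "fieldMappings": [{"identifier": "ResourceId", "columnName": "_ResourceId"}]}],
    },
}]}

# The Key Vault query from the article, as the rule will run it.
KEYVAULT_QUERY = """\
let TargetKeyVaults = dynamic(["shared-corporate-kv", "azsec-kv"]);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where Resource in~ (TargetKeyVaults)
| project TimeGenerated, OperationName, KeyVaultName = Resource, ResourceGroup, CallerIPAddress, _ResourceId
"""

# Hypothetical playbook resource id; substitute your own Logic App's.
LOGIC_APP_ID = "/subscriptions/<subscription-id>/resourceGroups/azsec-rg/providers/Microsoft.Logic/workflows/azsec-playbook"

# kind=Scheduled properties with no meaning on an NRT rule, which simply runs every minute.
SCHEDULED_ONLY = ("queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold")
PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve(value, params):
    """Replace a "[parameters('x')]" reference with the value from the parameters file."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)]["value"] if m else value


def projected_columns(query):
    """Columns emitted by the last '| project' line of a KQL query, or None if it has none."""
    lines = [ln for ln in query.splitlines() if ln.strip().startswith("| project ")]
    if not lines:
        return None
    items = lines[-1].split("| project ", 1)[1].split(",")
    return {item.split("=")[0].strip() for item in items}  # 'Alias = Column' -> Alias


def lint_template(template, params):
    """Return the problems found; an empty list means the rule is NRT-shaped and self-consistent."""
    problems = []
    for res in template["resources"]:
        if not res["type"].endswith("/alertRules"):
            continue
        props = res["properties"]
        if res.get("kind") != "NRT":
            problems.append(f"kind is {res.get('kind')!r}, expected 'NRT'")
        for p in SCHEDULED_ONLY:
            if p in props:
                problems.append(f"{p} is a Scheduled-rule property and does not apply to an NRT rule")
        cols = projected_columns(resolve(props.get("query", ""), params))
        if cols is None:
            problems.append("query has no '| project' line, so detail and entity columns cannot be checked")
            continue
        # Every column the rule reads must come out of the query; otherwise the alert is
        # raised with empty custom details or an unmapped entity and nobody notices.
        for detail, col in props.get("customDetails", {}).items():
            if col not in cols:
                problems.append(f"customDetails.{detail} reads {col!r}, which the query does not project")
        for mapping in props.get("entityMappings", []):
            for fm in mapping["fieldMappings"]:
                if fm["columnName"] not in cols:
                    problems.append(f"{mapping['entityType']} entity maps {fm['columnName']!r}, not projected")
    return problems


def build_parameters(query, logic_app_id, display_name, severity="Medium", tactics=("CredentialAccess",)):
    """Parameters file body for the template; the multi-line KQL becomes a single JSON string."""
    values = {
        "analyticsRuleDisplayName": display_name,
        "analyticsRuleDescription": f"{display_name} (near-real-time rule)",
        "analyticsRuleSeverity": severity,
        "analyticsRuleQuery": query,
        "alertDisplayNameFormat": "Key Vault {{KeyVaultName}} accessed from {{CallerIPAddress}}",
        "analyticsRuleTactics": list(tactics),
        "logicAppResourceId": logic_app_id,
    }
    return {"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {name: {"value": v} for name, v in values.items()}}


if __name__ == "__main__":
    params = build_parameters(KEYVAULT_QUERY, LOGIC_APP_ID, "Sensitive Key Vault access")
    issues = lint_template(TEMPLATE, params["parameters"])
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:  # redirect stdout to nrt-rule.parameters.json, then:
        # az deployment group create -g <rg> --template-file nrt-rule.json --parameters @nrt-rule.parameters.json
        print(json.dumps(params, indent=2))
```

Run it with stdout redirected to nrt-rule.parameters.json and pass that file, together with the template, to az deployment group create (or New-AzResourceGroupDeployment). The column check is the one worth keeping around: a typo in a customDetails value or in the entity columnName is accepted by the deployment and only shows up later as an alert with empty details.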
The sample ARM template to create a near-real-time analytics rule in Azure Sentinel is uploaded here