Microsoft just introduced a new type of analytics rule called near-real-time (NRT). This rule provides the capability to up-to-the-minute detection. It basically means you wouldn’t have to worry about ingestion delay especially the five minutes minimum delay.
This article provides you a sample ARM template to deploy a near-real-time (NRT) analytics rule.
First, Microsoft already provided a documentation here about this new type (https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules)
Let’s use the same example we had in the previous article that you would like to monitor some Key vaults that store sensitive secrets.
let TargetKeyVaults = dynamic (
[
"shared-corporate-kv",
"azsec-kv"
]
);
AzureDiagnostics
| where ResourceProvider =~ "MICROSOFT.KEYVAULT"
| where Resource in~ (TargetKeyVaults)
| project TimeGenerated,
OperationName,
KeyVaultName = Resource,
ResourceGroup,
CallerIPAddress,
_ResourceId
The ARM template to create an Azure Sentinel near-real-time analytics rule has several changes:
- The kind is NRT compared with Scheduled for a scheduled analytic rule
- Since this is a near-real-time so queryFrequency, queryPeriod, triggerOperator and triggerThreshold aren’t applicable.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string",
"defaultValue": "azsec-shared-workspace",
"metadata": {
"description": "The name of the Log Analytics Workspace Azure Sentinel is connected to."
}
},
"analyticsRuleId": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "The name (GUID) of the Azure Sentinel custom analytics rule."
}
},
"analyticsRuleDisplayName": {
"type": "string",
"metadata": {
"description": "The display name of the Azure Sentinel custom analytics rule."
}
},
"analyticsRuleDescription": {
"type": "string",
"metadata": {
"description": "The description of the Azure Sentinel custom analytics rule."
}
},
"analyticsRuleSeverity": {
"type": "string",
"allowedValues": [
"Informational",
"Low",
"Medium",
"High"
],
"metadata": {
"description": "The severity of the Azure Sentinel custom analytics rule."
}
},
"analyticsRuleQuery": {
"type": "string",
"metadata": {
"description": "The query of the Azure Sentinel custom analytics rule."
}
},
"alertDisplayNameFormat": {
"type": "string",
"metadata": {
"description": "The display name format of the Azure Sentinel custom analytics rule. More information https://azsec.azurewebsites.net/2021/11/01/azure-sentinel-custom-alert-named-based-on-detected-resource/"
}
},
"analyticsRuleTactics": {
"type": "array",
"allowedValues": [
"InitialAccess",
"PreAttack",
"Execution",
"Persistence",
"PrivilegeEscalation",
"DefenseEvasion",
"CredentialAccess",
"Discovery",
"LateralMovement",
"Collection",
"Exfiltration",
"CommandAndControl",
"Impact"
],
"metadata": {
"description": "The tactic of the Azure Sentinel custom analytics rule. "
}
},
"logicAppResourceId": {
"type": "string",
"metadata": {
"description": "The resource Id of the Logic App you want to connect to the analytics rule"
}
},
"actionRuleId": {
"type": "string",
"defaultValue": "15b9235d-46f0-49a6-910c-9d1d3a649899",
"metadata": {
"description": "The action Rule Id"
}
}
},
"variables": {
"alertRuleName": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', parameters('analyticsRuleId'))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[variables('alertRuleName')]",
"kind": "NRT",
"apiVersion": "2021-09-01-preview",
"properties": {
"displayName": "[parameters('analyticsRuleDisplayName')]",
"description": "[parameters('analyticsRuleDescription')]",
"severity": "[parameters('analyticsRuleSeverity')]",
"enabled": true,
"query": "[parameters('analyticsRuleQuery')]",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": "[parameters('analyticsRuleTactics')]",
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "[parameters('alertDisplayNameFormat')]",
"alertDescriptionFormat": "[parameters('alertDisplayNameFormat')]",
"alertTacticsColumnName": null,
"alertSeverityColumnName": null
},
"customDetails": {
"TimeGenerated": "TimeGenerated",
"KeyVaultName": "KeyVaultName",
"ResourceGroup": "ResourceGroup",
"CallerIPAddress": "CallerIPAddress"
},
"entityMappings": [
{
"entityType": "AzureResource",
"fieldMappings": [
{
"identifier": "ResourceId",
"columnName": "_ResourceId"
}
]
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules/actions",
"apiVersion": "2021-09-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/',parameters('analyticsRuleId'),'/actions/',parameters('actionRuleId'))]",
"name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('analyticsRuleId'), '/',parameters('actionRuleId'))]",
"dependsOn": [
"[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspaceName'), 'Microsoft.SecurityInsights'),'/alertRules/', parameters('analyticsRuleId'))]"
],
"properties": {
"logicAppResourceId": "[parameters('logicAppResourceId')]",
"TriggerUri": "[listCallbackURL(concat(parameters('logicAppResourceId')),'2016-06-01').value]"
}
}
]
}
The template above doesn’t only give you rule creation definition but also the Logic App association.
The sample ARM template to create a near-real-time analytics rule in Azure Sentinel is uploaded here