Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License
4.59k stars 3.01k forks

Missing scheduled alert rules templates for WAF Application Gateway via API #9783

Closed jakubramut closed 8 months ago

jakubramut commented 9 months ago

Describe the bug

When I try to get Sentinel's scheduled analytics rule templates related to Application Gateway (WAF) via the API, I receive a 404 error.

API call via powershell:

Invoke-AzRestMethod -Uri 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/workspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/4c15a386-c5cf-48fc-9fa5-38a5936f7918?api-version=2023-02-01-preview'

response:

{"error":{"code":"NotFound","message":"analytics rule template not found. template Id: 4c15a386-c5cf-48fc-9fa5-38a5936f7918"}}

It ends up with similar errors when I try to execute the code below via the az_api terraform provider:

locals {
  // Template GUIDs are the resource names under .../Microsoft.SecurityInsights/alertRuleTemplates/
  scheduled_rule_template_ids = [
    "31669396-6c72-4b98-bee3-e66741e020de", //App GW WAF - Path Traversal Attack
    "4c15a386-c5cf-48fc-9fa5-38a5936f7918", //App Gateway WAF - Scanner Detection
    "f3425a6c-989b-4118-903b-aa9daf3cfd09"  //App GW WAF - Code Injection
  ]
}

// One GET per template ID against the alertRuleTemplates endpoint.
// data.azurerm_log_analytics_workspace.sentinel_law is the Sentinel workspace lookup (defined elsewhere).
data "azapi_resource" "scheduled_rule_template_api_by_display_name" {
  for_each               = toset(local.scheduled_rule_template_ids)
  type                   = "Microsoft.SecurityInsights/alertRuleTemplates@2023-02-01-preview"
  parent_id              = data.azurerm_log_analytics_workspace.sentinel_law.id
  name                   = each.value // the template GUID is the resource name
  response_export_values = ["*"]
}

exception:

{
│   "error": {
│     "code": "NotFound",
│     "message": "analytics rule template not found. template Id: 4c15a386-c5cf-48fc-9fa5-38a5936f7918"
│   }
│ }

Tried to get all available rules via powershell:

Get-AzSentinelAlertRuleTemplate -ResourceGroupName "xxx" -workspaceName "workspace" | ConvertTo-Json

And I cannot find the expected rule templates. Set of missing rule templates:

Worth mentioning that some rules related to Azure Front Door exist, but not all of them. From the Azure Portal blade (UI) it's possible to choose and create all of the rules from the Azure Web Application Firewall data source.

To Reproduce

Try to execute the PowerShell command to get all of Sentinel's scheduled analytics rule templates.

Expected behavior

Application Gateway related alert rule templates are accessible via the API.
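The checks this report performs by hand (a per-ID GET that returns 404, and a full enumeration via Get-AzSentinelAlertRuleTemplate to look for the missing templates) can be scripted so the result is a table rather than a scroll through JSON. The following is an added example written for this thread; it is not code from the issue author or from the Azure-Sentinel repository. It assumes the Az.Accounts module and an authenticated Connect-AzAccount session; the subscription, resource group and workspace names are placeholders, and the function names are my own. It follows nextLink paging on the list endpoint, which the one-shot calls in the thread do not, and keeps the comparison separate from the network calls so it can be exercised against hand-built objects.

```powershell
# Added example (not from the issue or the Azure-Sentinel repo).
# Assumes: Az.Accounts installed, Connect-AzAccount already run with a principal
# that can read the workspace. Subscription/RG/workspace values are placeholders.

function Get-SentinelTemplateBaseUri {
    param([string] $SubscriptionId, [string] $ResourceGroupName, [string] $WorkspaceName)
    return "https://management.azure.com/subscriptions/$SubscriptionId" +
           "/resourceGroups/$ResourceGroupName" +
           "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
           "/providers/Microsoft.SecurityInsights/alertRuleTemplates"
}

function Get-SentinelAlertRuleTemplateList {
    # Enumerate every template the ARM list endpoint exposes, following nextLink paging.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [string] $ApiVersion = '2023-02-01-preview'
    )
    $base = Get-SentinelTemplateBaseUri $SubscriptionId $ResourceGroupName $WorkspaceName
    $uri  = "${base}?api-version=$ApiVersion"
    $all  = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        $resp = Invoke-AzRestMethod -Method GET -Uri $uri
        if ($resp.StatusCode -ne 200) {
            throw "List call failed with HTTP $($resp.StatusCode): $($resp.Content)"
        }
        $page = $resp.Content | ConvertFrom-Json
        foreach ($t in $page.value) { $all.Add($t) }
        $uri = $page.nextLink   # absent on the last page, which ends the loop
    }
    return $all
}

function Compare-ExpectedTemplates {
    # Pure comparison, no network: each template object carries .name (the GUID),
    # .kind and .properties.displayName, as the API returns them.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Templates,
        [Parameter(Mandatory)] [string[]] $ExpectedIds
    )
    $byId = @{}
    foreach ($t in $Templates) { $byId[$t.name] = $t }
    foreach ($id in $ExpectedIds) {
        $hit  = $byId[$id]
        $kind = $null; $display = $null
        if ($hit) { $kind = $hit.kind; $display = $hit.properties.displayName }
        [pscustomobject]@{ TemplateId = $id; Present = ($null -ne $hit); Kind = $kind; DisplayName = $display }
    }
}

function Test-SentinelAlertRuleTemplateById {
    # Per-ID GET, the same call the issue shows; records the HTTP status and the
    # provider error code so a NotFound is distinguishable from auth or throttling failures.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string[]] $TemplateIds,
        [string] $ApiVersion = '2023-02-01-preview'
    )
    $base = Get-SentinelTemplateBaseUri $SubscriptionId $ResourceGroupName $WorkspaceName
    foreach ($id in $TemplateIds) {
        $resp = Invoke-AzRestMethod -Method GET -Uri "$base/${id}?api-version=$ApiVersion"
        $code = $null
        if ($resp.StatusCode -ne 200 -and $resp.Content) {
            $code = ($resp.Content | ConvertFrom-Json).error.code
        }
        [pscustomobject]@{ TemplateId = $id; StatusCode = $resp.StatusCode; ErrorCode = $code }
    }
}

# Usage: the template IDs reported in this thread, against a placeholder workspace.
$ids = @(
    '31669396-6c72-4b98-bee3-e66741e020de',  # App GW WAF - Path Traversal Attack
    '4c15a386-c5cf-48fc-9fa5-38a5936f7918',  # App Gateway WAF - Scanner Detection
    'f3425a6c-989b-4118-903b-aa9daf3cfd09',  # App GW WAF - Code Injection
    '3617d76d-b15e-4c6f-985e-a1dac73c592d',  # NRT MFA Rejected by User
    '0a627f29-f0dd-4924-be92-c3d6dac84367'   # Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups
)
$ws = @{ SubscriptionId = '00000000-0000-0000-0000-000000000000'; ResourceGroupName = 'xxx'; WorkspaceName = 'workspace' }
$templates = Get-SentinelAlertRuleTemplateList @ws
Compare-ExpectedTemplates -Templates $templates -ExpectedIds $ids | Format-Table
Test-SentinelAlertRuleTemplateById @ws -TemplateIds $ids | Format-Table
```

A template that is absent from the paged list should also come back as HTTP 404 with error code NotFound on the per-ID GET; if the two tables disagree, the list call is the one to re-check, since Get-AzSentinelAlertRuleTemplate wraps the same endpoint. One caveat before concluding the API is missing a rule: if the rule is delivered as part of a Content hub solution, confirm that solution is installed in the workspace, because the thread never establishes which case applies to the WAF rules.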

github-actions[bot] commented 9 months ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

v-sudkharat commented 9 months ago

Hi @jakubramut, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 24-01-2024. Thanks!

v-muuppugund commented 9 months ago

Hi @jakubramut, I need some more time; I am still working on replicating the issue. Will update you.

ShachafGoldstein commented 9 months ago

I can add 2 more that are available in the portal but not via the CLI:

alertRuleTemplateName                  displayName
3617d76d-b15e-4c6f-985e-a1dac73c592d   NRT MFA Rejected by User
0a627f29-f0dd-4924-be92-c3d6dac84367   Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups

jakubramut commented 9 months ago

Thank you @v-sudkharat and @v-muuppugund, looking forward to your answer.

v-muuppugund commented 9 months ago

Hi @jakubramut, I am able to repro this issue. Please find the screenshots below for reference.

I executed the script for scheduled analytics rules and got this response:

[screenshot]

Cross-checked in the workspace; a few are missing:

[screenshot]

So will be investigating further for the missing analytic rules and will update you.

v-muuppugund commented 9 months ago

Hi @jakubramut, I need some more time for detailed analysis. On further analysis I noticed that the API is returning many analytics rules which are not part of the workspace given in the command, so I am checking all my workspaces. Please find the screenshots below for reference. Workspace given with scheduled alerts:

[screenshots]

v-muuppugund commented 9 months ago

Hi @jakubramut, the alerts are coming as per the alert rule templates. For example, please find below the alert rule templates:

1.
Id            : /subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/v-muuppugund/providers/Microsoft.OperationalInsights/workspaces/sentinelworkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13
Kind          : NRT

2.
DisplayName   : NRT New access credential added to Application or Service Principal
EntityMapping : {Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping, Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping}
Id            : /subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/v-muuppugund/providers/Microsoft.OperationalInsights/workspaces/sentinelworkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298
Kind          : NRT

3.
DisplayName   : NRT Login to AWS Management Console without MFA
EntityMapping : {Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping, Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping}
Id            : /subscriptions/419581d6-4853-49bd-83b6-d94bb8a77887/resourceGroups/v-muuppugund/providers/Microsoft.OperationalInsights/workspaces/sentinelworkspace/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b
Kind          : NRT

Could you please check and confirm? I have verified a few alerts and am verifying all my solutions in the workspace. Meanwhile, if needed, share a couple of time slots to v-muuppugund@microsoft.com and we can have a Teams call to discuss this issue in detail.

v-sudkharat commented 8 months ago

Hi @ShachafGoldstein, could you please have a look at the above comment and share your response with us. Thanks!

jakubramut commented 8 months ago

Hello @v-sudkharat, I reran my tests and still don't see any templates related to my rules:

req: Invoke-AzRestMethod -Uri 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/workspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/4c15a386-c5cf-48fc-9fa5-38a5936f7918?api-version=2023-02-01-preview'

resp:

Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Server, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]]…}
Version    : 1.1
StatusCode : 404
Method     : GET
Content    : {"error":{"code":"NotFound","message":"analytics rule template not found. template Id: 4c15a386-c5cf-48fc-9fa5-38a5936f7918"}}

When I invoke the same method for one of the templates from your last response I can see a value:

req: Invoke-AzRestMethod -Uri 'https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/workspace/providers/Microsoft.SecurityInsights/alertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13/?api-version=2023-02-01-preview'

resp:

Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Server, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]]…}
Version    : 1.1
StatusCode : 200
Method     : GET
Content    : {deleted_for_visibility}

However, I didn't test this rule before, so I cannot say that it was fixed by you. I also verified one of the rules mentioned by @ShachafGoldstein, with a similar response (404) as for mine:

Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [Server, System.String[]], [x-ms-ratelimit-remaining-subscription-reads, System.String[]]…}
Version    : 1.1
StatusCode : 404
Method     : GET
Content    : {"error":{"code":"NotFound","message":"analytics rule template not found. template Id: 3617d76d-b15e-4c6f-985e-a1dac73c592d"}}

So I'm assuming nothing has been changed in terms of the rules requested by us. Please add the rules that I/we added as the reason for this issue.

v-muuppugund commented 8 months ago

Hi @jakubramut, noted. I will cross-verify the rule templates from my end and update you; if needed we can have a Teams meeting.

v-muuppugund commented 8 months ago

Hi @jakubramut, could you please share a couple of time slots to v-muuppugund@microsoft.com for a Teams meeting on this issue for further troubleshooting, as I have some queries.

v-muuppugund commented 8 months ago

Hi @jakubramut, gentle reminder: could you please share a couple of time slots to v-muuppugund@microsoft.com for a Teams meeting on this issue for further troubleshooting, as I have some queries.

v-muuppugund commented 8 months ago

Hi @jakubramut ,Since we have not received a response in the last 5 days, we are closing your issue (https://github.com/Azure/Azure-Sentinel/issues/9783) as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation!