Azure / azure-powershell

Microsoft Azure PowerShell

Version Information for Sentinel Analytics not Available When Using Az.SecurityInsights Module #18859

Open JAK-Insight opened 2 years ago

JAK-Insight commented 2 years ago

Description

Microsoft recently (last 6 months) started versioning analytic rule templates, in an effort to provide updates to the rules when available. This attribute is not visible to the PowerShell module Az.SecurityInsights. Viewing the version is not possible, and rules deployed with the module omit this attribute. This breaks the newly introduced functionality in Sentinel to streamline analytic rule template updates (since the version is not available, Sentinel doesn't know it needs to be updated).

Issue script & Debug output

AlertRuleTemplateName : 52aec824-96c1-4a03-8e44-bb70532e6cea
DisplayName           : AdminSDHolder Modifications
Description           : This query detects modification in the AdminSDHolder  in the Active Directory which could
                        indicate an attempt for persistence.
                        AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp
                        process in Active Directory to establish a persistent backdoor to Active Directory.
                        This query searches for the event id 5136 where the Object DN is AdminSDHolder.
                        Ref: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
Enabled               : True
LastModifiedUtc       : 7/1/2022 6:12:54 PM
Query                 : SecurityEvent
                        | where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
                        | parse EventData with * 'ObjectDN">' ObjectDN "<" *
                        | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
QueryFrequency        : 01:00:00
QueryPeriod           : 01:00:00
Severity              : High
SuppressionDuration   : 05:00:00
SuppressionEnabled    : False
TriggerOperator       : GreaterThan
TriggerThreshold      : 0
Tactics               : {Persistence}
Id                    : /subscriptions/79516b6b-b92e-485a-a6d8-4466dd0d891e/resourceGroups/rg-sentinel-01/providers/Microsoft.OperationalInsights/workspaces/microsoftsentinel/providers/Microsoft.SecurityInsights/alertRules/a0e41c98-e124-4ddd-abd0-c50694dca034
Name                  : a0e41c98-e124-4ddd-abd0-c50694dca034
Type                  : Microsoft.SecurityInsights/alertRules
Etag                  : "4100adfd-0000-0100-0000-62bf39260000"
Kind                  : Scheduled

Environment data

C:\Epic\Sentinel-Analytics\github> $psversiontable

Name                           Value
----                           -----
PSVersion                      7.1.3
PSEdition                      Core
GitCommitId                    7.1.3
OS                             Microsoft Windows 10.0.19043
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

C:\Epic\Sentinel-Analytics\github> get-module az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.8.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     4.13.0                Az.Compute                          {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAddition…
Script     3.1.0                 Az.OperationalInsights              {Disable-AzOperationalInsightsIISLogCollection, D…
Script     1.0.0                 Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRule…
Script     0.6.21                AzSentinel                          {Add-AzSentinelIncidentComment, Disable-AzSentine…


Error output

No response
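Added example, not code from the azure-powershell project or from the issue author. The version the report refers to is the templateVersion property of a scheduled alert rule and the version property of an alert rule template in the Microsoft.SecurityInsights REST API; Get-AzSentinelAlertRule in Az.SecurityInsights 1.0.0 surfaces alertRuleTemplateName (visible in the output above) but not templateVersion. The script below reads the raw REST payloads with Invoke-AzRestMethod from Az.Accounts, follows nextLink paging, and reports for each rule whether it is current, lags its template, or was deployed with no version recorded (the case this issue describes). It assumes that api-version 2022-11-01 returns both properties and that the subscription, resource group and workspace names are supplied by the caller; the sample payloads at the end are constructed so the comparison itself runs offline without a workspace.

```powershell
# Added example, not code from the azure-powershell project or the issue author.
# Get-AzSentinelAlertRule (Az.SecurityInsights 1.0.0) omits the 'templateVersion'
# property the Microsoft.SecurityInsights REST API returns for scheduled rules, so
# this reads the REST payloads directly and compares each rule with its template.
# Assumptions: api-version 2022-11-01 exposes 'templateVersion' on rules and
# 'version' on templates; subscription/resource group/workspace are caller-supplied.
Set-StrictMode -Version Latest

# Property value, or $null when the object lacks the property (ConvertFrom-Json
# objects throw on missing members under StrictMode).
function Get-PropOrNull {
    param([Parameter(Mandatory)] $Object, [Parameter(Mandatory)] [string] $Name)
    $p = $Object.PSObject.Properties[$Name]
    if ($null -ne $p) { return $p.Value }
    return $null
}

# '1.0.2' -> [version]; $null when absent or malformed.
function ConvertTo-TemplateVersion {
    param([AllowNull()] [string] $Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $v = $null
    if ([version]::TryParse($Text, [ref] $v)) { return $v }
    return $null
}

# Pure comparison over already-fetched rule and template objects.
function Compare-SentinelTemplateVersions {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rules,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Templates
    )
    $latest = @{}
    foreach ($t in $Templates) {
        $latest[$t.name] = ConvertTo-TemplateVersion (Get-PropOrNull $t.properties 'version')
    }
    foreach ($r in $Rules) {
        $props        = $r.properties
        $templateName = Get-PropOrNull $props 'alertRuleTemplateName'
        $deployed     = ConvertTo-TemplateVersion (Get-PropOrNull $props 'templateVersion')
        $known        = [bool]$templateName -and $latest.ContainsKey($templateName)
        $status = if (-not $templateName)      { 'NotFromTemplate' }
                  elseif (-not $known)         { 'TemplateNotFound' }
                  elseif ($null -eq $deployed) { 'NoVersionRecorded' }  # the symptom in this issue
                  elseif ($deployed -lt $latest[$templateName]) { 'UpdateAvailable' }
                  else                         { 'Current' }
        [pscustomobject]@{
            Rule            = $r.name
            Template        = $templateName
            DeployedVersion = $deployed
            LatestVersion   = if ($known) { $latest[$templateName] } else { $null }
            Status          = $status
        }
    }
}

# Page through a Microsoft.SecurityInsights collection via Invoke-AzRestMethod (Az.Accounts).
function Get-SentinelCollection {
    param([Parameter(Mandatory)] [string] $Path)
    $items = @()
    $next  = $Path
    while ($next) {
        $resp = Invoke-AzRestMethod -Path $next -Method GET
        if ($resp.StatusCode -ne 200) { throw "GET $next returned $($resp.StatusCode): $($resp.Content)" }
        $page = $resp.Content | ConvertFrom-Json
        $vals = Get-PropOrNull $page 'value'
        if ($vals) { $items += $vals }
        $link = Get-PropOrNull $page 'nextLink'
        $next = if ($link) { ([uri] $link).PathAndQuery } else { $null }  # -Path takes a relative path
    }
    return ,$items
}

function Get-SentinelTemplateDrift {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Workspace,
        [string] $ApiVersion = '2022-11-01'
    )
    $base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights" +
            "/workspaces/$Workspace/providers/Microsoft.SecurityInsights"
    Compare-SentinelTemplateVersions `
        -Rules     (Get-SentinelCollection "$base/alertRules?api-version=$ApiVersion") `
        -Templates (Get-SentinelCollection "$base/alertRuleTemplates?api-version=$ApiVersion")
}

# Constructed sample payloads (shaped like the REST responses; not real data) so the
# comparison runs offline. The template GUID is the one shown in the issue output.
$templatesJson = '{"value":[{"name":"52aec824-96c1-4a03-8e44-bb70532e6cea","kind":"Scheduled","properties":{"displayName":"AdminSDHolder Modifications","version":"1.0.1"}}]}'
$rulesJson = @'
{"value":[
 {"name":"from-portal","kind":"Scheduled","properties":{"alertRuleTemplateName":"52aec824-96c1-4a03-8e44-bb70532e6cea","templateVersion":"1.0.0"}},
 {"name":"from-az-module","kind":"Scheduled","properties":{"alertRuleTemplateName":"52aec824-96c1-4a03-8e44-bb70532e6cea"}},
 {"name":"custom-rule","kind":"Scheduled","properties":{"displayName":"Custom detection"}}
]}
'@
Compare-SentinelTemplateVersions -Rules ($rulesJson | ConvertFrom-Json).value -Templates ($templatesJson | ConvertFrom-Json).value |
    Format-Table Rule, Template, DeployedVersion, LatestVersion, Status
```

Against a live workspace, run Get-SentinelTemplateDrift after Connect-AzAccount. Rules that report NoVersionRecorded are the ones this issue is about: they carry alertRuleTemplateName but no templateVersion, so Sentinel has nothing to compare against the template and will not flag them for update. Until the module exposes the property, such rules have to be created or updated through the REST API or an ARM template that sets templateVersion explicitly.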

ghost commented 2 years ago

Thank you for your feedback. This has been routed to the support team for assistance.

dingmeng-xue commented 2 years ago

Involve CXP team to look into it.