Microsoft recently (last 6 months) started versioning analytic rule templates, in an effort to provide updates to the rules when available. This attribute is not visible to the PowerShell module Az.SecurityInsights. Viewing the version is not possible, and rules deployed with the module omit this attribute. This breaks the newly introduced functionality in Sentinel to streamline analytic rule template updates (since the version is not available, Sentinel doesn't know the rule needs to be updated).
Issue script & Debug output
AlertRuleTemplateName : 52aec824-96c1-4a03-8e44-bb70532e6cea
DisplayName           : AdminSDHolder Modifications
Description           : This query detects modification in the AdminSDHolder in the Active Directory which could
                        indicate an attempt for persistence.
                        AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp
                        process in Active Directory to establish a persistent backdoor to Active Directory.
                        This query searches for the event id 5136 where the Object DN is AdminSDHolder.
                        Ref: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence
Enabled               : True
LastModifiedUtc       : 7/1/2022 6:12:54 PM
Query                 : SecurityEvent
                        | where EventID == 5136 and EventData contains "<Data Name=\"ObjectDN\">CN=AdminSDHolder,CN=System"
                        | parse EventData with * 'ObjectDN">' ObjectDN "<" *
                        | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN
QueryFrequency        : 01:00:00
QueryPeriod           : 01:00:00
Severity              : High
SuppressionDuration   : 05:00:00
SuppressionEnabled    : False
TriggerOperator       : GreaterThan
TriggerThreshold      : 0
Tactics               : {Persistence}
Id                    : /subscriptions/79516b6b-b92e-485a-a6d8-4466dd0d891e/resourceGroups/rg-sentinel-01/providers/Microsoft.OperationalInsights/workspaces/microsoftsentinel/providers/Microsoft.SecurityInsights/alertRules/a0e41c98-e124-4ddd-abd0-c50694dca034
Name                  : a0e41c98-e124-4ddd-abd0-c50694dca034
Type                  : Microsoft.SecurityInsights/alertRules
Etag                  : "4100adfd-0000-0100-0000-62bf39260000"
Kind                  : Scheduled
Environment data
C:\Epic\Sentinel-Analytics\github> $psversiontable
Name                           Value
----                           -----
PSVersion                      7.1.3
PSEdition                      Core
GitCommitId                    7.1.3
OS                             Microsoft Windows 10.0.19043
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
Module versions
Error output
No response
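Until the module surfaces the field, the practical workaround is to bypass the cmdlets and talk to the Microsoft.SecurityInsights REST API through Invoke-AzRestMethod (Az.Accounts), which returns the raw rule JSON including properties.templateVersion. The script below is an added example, not part of the issue or of the Az.SecurityInsights module. It lists every template-derived Scheduled rule in a workspace, compares its templateVersion with the catalogue template's version, and, with -Fix, stamps a missing templateVersion only when the deployed query is identical to the template's query, so that a customised rule is never silently marked as current. It goes beyond the issue in that divergence check. Assumptions: you are already signed in with Connect-AzAccount; the subscription, resource group and workspace names are placeholders; the api-version used exposes templateVersion on alertRules and version on alertRuleTemplates; the Invoke-SentinelApi helper is mine, not an Az cmdlet.

```powershell
# Added example: audit and repair templateVersion on Sentinel Scheduled analytic rules
# via the REST API, because Az.SecurityInsights omits the attribute.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$ResourceGroup  = 'rg-sentinel-01',                         # placeholder
    [string]$Workspace      = 'microsoftsentinel',                      # placeholder
    [switch]$Fix                                                        # write versions back
)

# Assumption: this API version carries templateVersion / version in its schemas.
$apiVersion = '2022-11-01'
$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights"

# Hypothetical helper (not an Az cmdlet): wraps Invoke-AzRestMethod and fails loudly.
function Invoke-SentinelApi {
    param([string]$Path, [string]$Method = 'GET', [string]$Payload)
    $call = @{ Path = "$base/$Path?api-version=$apiVersion"; Method = $Method }
    if ($Payload) { $call.Payload = $Payload }
    $resp = Invoke-AzRestMethod @call
    if ($resp.StatusCode -ge 300) {
        throw "$Method $Path failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    if ($resp.Content) { $resp.Content | ConvertFrom-Json }
}

# Template GUID -> template properties (version and query are what we compare against).
$templates = @{}
foreach ($t in (Invoke-SentinelApi 'alertRuleTemplates').value) {
    $templates[$t.name] = $t.properties
}

foreach ($rule in (Invoke-SentinelApi 'alertRules').value) {
    $p = $rule.properties
    if (-not $p.alertRuleTemplateName) { continue }    # hand-written rule, nothing to track
    $tpl = $templates[$p.alertRuleTemplateName]

    $state = 'CURRENT'
    if (-not $tpl)                                    { $state = 'NO-TEMPLATE' }  # template retired
    elseif (-not $p.templateVersion)                  { $state = 'MISSING' }
    elseif ($p.templateVersion -ne $tpl.version)      { $state = 'OUTDATED' }

    # A rule with no version is only safe to stamp if its query still matches the
    # template verbatim; otherwise it has been customised and needs a human decision.
    if ($state -eq 'MISSING' -and $p.query -ne $tpl.query) { $state = 'DIVERGED' }

    [pscustomobject]@{
        State           = $state
        Rule            = $p.displayName
        DeployedVersion = $p.templateVersion
        TemplateVersion = $tpl.version
        Template        = $p.alertRuleTemplateName
    }

    if ($Fix -and $state -eq 'MISSING') {
        # PUT needs the full rule body; sending the etag back makes the write
        # conditional, so a concurrent edit in the portal is not overwritten.
        $p | Add-Member -NotePropertyName templateVersion -NotePropertyValue $tpl.version -Force
        $body = @{ kind = $rule.kind; etag = $rule.etag; properties = $p } | ConvertTo-Json -Depth 20
        Invoke-SentinelApi "alertRules/$($rule.name)" 'PUT' $body | Out-Null
    }
}
```

Run it once without -Fix to see the MISSING / OUTDATED / DIVERGED breakdown, then with -Fix to stamp only the MISSING rules. DIVERGED rules are the ones to look at by hand: either re-deploy them from the template or accept that Sentinel's template-update flow will not track them. OUTDATED rules are already what the new update feature is designed to handle, so leave them to it.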