hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Description add for azurerm_log_analytics_saved_search #23562

Open bittib010 opened 11 months ago

bittib010 commented 11 months ago

Description

I would love to see a description update to azurerm_log_analytics_saved_search with an added focus on using it as hunting queries for Sentinel. We use it a lot, but currently we only use it as a means of what we have learned on behaviors in Sentinel and its backend API. Description for the hunting queries is not a variable present; we tried using description within a tags part, but are then limited to 256 characters. Also, how do we determine the template id from community rules? We tried setting "id" as its key with the belonging GUID from the rule but get this error: "Error: Invalid or unknown key".

New or Affected Resource(s)/Data Source(s)

azurerm_log_analytics_saved_search

Potential Terraform Configuration

resource "azurerm_log_analytics_saved_search" "hunt_55c6a4a1-6e39-42e3-955a-2bc70a072f4b" {
  # Only deploy the hunt when every connector and table it queries is enabled.
  count = alltrue([
    contains(var.active_connectors, "WindowsSecurityEvents"),
    contains(var.active_tables, "SecurityEvent"),
    contains(var.active_connectors, "WindowsForwardedEvents"),
    contains(var.active_tables, "WindowsEvent")
  ]) ? 1 : 0
  name         = "55c6a4a1-6e39-42e3-955a-2bc70a072f4b"
  display_name = "Establishing internal proxies"
  # This is the line that produces "Error: Invalid or unknown key".
  id           = "ce38c16c-a560-46c0-88d6-7757b88f08e9"
  category     = "Hunting Queries"
  tags = {
    "tactics"                     = "CommandandControl"
    "techniques"                  = "T1090"
    "description"                 = "This hunting query helps to detect attempts to create proxies on compromised systems using the built-in netsh portproxy command. VoltTyphoon has been seen creating these proxies on compromised hosts to manage command and control communications."
    "createdTimeUtc"              = "10/13/2023 20:21:18"
    "alert_rule_template_version" = "1.0.0"
  }
  query                      = <<QUERY
// Process creation events from either the SecurityEvent or WindowsEvent table
(union isfuzzy=true
(SecurityEvent
| where EventID == 4688
| where CommandLine has_all ("portproxy", "netsh", "wmic", "process call create", "v4tov4", "listenport=50100")
| project TimeGenerated, Computer, Account, Process, ProcessId, NewProcessName, NewProcessId, CommandLine, ParentProcessName, _ResourceId, SourceComputerId, SubjectLogonId, SubjectUserSid
),
(WindowsEvent
| where EventID == 4688
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_all ("portproxy", "netsh", "wmic", "process call create", "v4tov4", "listenport=50100")
| extend NewProcessName = tostring(EventData.NewProcessName), NewProcessId = tostring(EventData.NewProcessId)
| extend Process = tostring(split(NewProcessName, '\\')[-1]), ProcessId = tostring(EventData.ProcessId)
| extend Account = strcat(EventData.SubjectDomainName, "\\", EventData.SubjectUserName)
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectLogonId = tostring(EventData.SubjectLogonId)
| project TimeGenerated, Computer, Account, Process, ProcessId, NewProcessName, NewProcessId, CommandLine, ParentProcessName, _ResourceId, SubjectUserName, SubjectDomainName, SubjectLogonId
)
)
// Entity mapping columns expected by Sentinel
| extend Account_0_FullName = Account
| extend Host_0_FullName = Computer
| extend Process_0_ProcessId = Process
QUERY
  log_analytics_workspace_id = var.log_analytics_workspace_id
}

References

No response

teowa commented 10 months ago

Hi @bittib010, thanks for submitting this! Currently the resource stores the description in tags, because it doesn't have a description property. Do you mean you need the description to be more than 150 chars? The 150 chars is the limit of the tags property. You can try splitting the description into different keys in tags.

As for the id property, it is not user configurable, it is generated after the resource creation, it looks like /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.OperationalInsights/workspaces/workspace1/savedSearches/search1
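Added example (not the reporter's configuration or the provider's documentation): a configuration that follows the maintainer's suggestion by slicing the description across numbered tag keys and keeping the template GUID in tags, since id is read-only. The `tag_value_max` local, the `description_NN` and `template_id` key names, and the query file path are assumptions of this example.

```hcl
locals {
  tag_value_max = 150 # per-value limit quoted in the maintainer's reply (assumed here)

  description = "This hunting query helps to detect attempts to create proxies on compromised systems using the built-in netsh portproxy command. VoltTyphoon has been seen creating these proxies on compromised hosts to manage command and control communications."

  # Consecutive slices of at most tag_value_max characters; the last slice is shorter.
  description_chunks = [
    for i in range(0, ceil(length(local.description) / local.tag_value_max)) :
    substr(local.description, i * local.tag_value_max, local.tag_value_max)
  ]

  # description_00, description_01, ... so a consumer can re-join them in order.
  description_tags = {
    for i, chunk in local.description_chunks :
    format("description_%02d", i) => chunk
  }
}

resource "azurerm_log_analytics_saved_search" "hunt_proxy" {
  name                       = "55c6a4a1-6e39-42e3-955a-2bc70a072f4b"
  display_name               = "Establishing internal proxies"
  category                   = "Hunting Queries"
  log_analytics_workspace_id = var.log_analytics_workspace_id
  query                      = file("${path.module}/queries/internal_proxies.kql") # assumed path

  # id is assigned by Azure after creation and cannot be set, so the community
  # template GUID is recorded as a tag; "template_id" is an assumed key name.
  tags = merge(
    {
      tactics     = "CommandandControl"
      techniques  = "T1090"
      template_id = "ce38c16c-a560-46c0-88d6-7757b88f08e9"
    },
    local.description_tags
  )

  lifecycle {
    precondition {
      condition     = alltrue([for v in values(local.description_tags) : length(v) <= local.tag_value_max])
      error_message = "Every description chunk must fit within ${local.tag_value_max} characters."
    }
  }
}
```

Reading the description back is a matter of sorting the `description_*` keys and concatenating their values; the zero-padded suffix keeps that ordering stable past ten chunks.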

bittib010 commented 10 months ago

Thank you for replying! So what you are saying is that I have to use tags for the template GUID, right? I'll try your suggestion on splitting it up. Still, I would love to see a focus in the description of saved searches that deals with the usage of it as hunting rules in Sentinel. Is that doable? :)

bittib010 commented 8 months ago

Is there any update to my request on updating the information to also mention how to use this as hunting queries?