How to determine where an alert rule comes from?

Okay, I'm getting incidents with the description "Sign-in from an atypical location based on the user's recent sign-ins". In the incident, I can see that the Analytics rule is "Create incidents based on Azure Active Directory Identity Protection". I then went to Analytics where I can see the rule under "Active rules" and it's listed twice - once as Gallery Content and once as Custom Content. But I can't tell how either of these rules got into Sentinel. Is there a way to track where they came from? Especially the one labelled "Gallery content" seems like I should be able to tell the content source or find it in the Content Hub.

TIA

~dgm~

3 Replies

You should be able to click on the link for Analytics Rule in the info pane. This will take you directly to the Analytics Rule that generated the Incident.

(attached screenshot: clickhere.png)

@Rod_Trent

Yes, it takes me to the rule but I want to know where the rule came from - which content from the Content Hub included that rule such that it ended up imported into this environment. Unlike most of the other Analytics Rules, this one only shows on the 'Active rules' tab, not on the "Rule templates" tab. What I want to do is end up with this rule (and maybe any associated content) imported into a Sentinel test environment.

In Rod's screenshot you can see that the Alert has come from Microsoft Defender for Cloud (and Azure Security Center, which is the legacy name for that product).
Rules from other products like Defender for Cloud or Defender for Endpoint are not stored in Microsoft Sentinel - the product Source column is useful in this situation (if it's not Microsoft Sentinel then you typically won't see the rule template).

You are getting these Alerts because you enabled an individual Defender connector or the Microsoft 365 Defender connector. The rules called "Create incidents based on ..." are not used by the Microsoft 365 Defender connector.
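To see the same provenance from the data side, the following KQL query (an added example, not from anyone in this thread) joins each incident to the alerts behind it and groups them by the product and provider that raised them. It assumes only the standard SecurityIncident and SecurityAlert table schemas in the workspace Sentinel is attached to.

```kql
// Added example: which products/providers generate the alerts behind each incident title.
// Assumes the standard SecurityIncident and SecurityAlert schemas (not code from this thread).
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // keep the latest state of each incident
| mv-expand AlertId = AlertIds to typeof(string)           // one row per alert linked to the incident
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId  // de-duplicate alert updates
    | project SystemAlertId, AlertName, ProductName, ProviderName, VendorName
  ) on $left.AlertId == $right.SystemAlertId
| summarize Incidents = dcount(IncidentNumber), Alerts = dcount(AlertId)
          by Title, AlertName, ProductName, ProviderName, VendorName
| order by Incidents desc
```

Rows where ProductName is not Microsoft Sentinel (for example an Identity Protection or Defender for Cloud product name) correspond to alerts promoted by a "Create incidents based on ..." rule, which is why no Sentinel rule template exists for them.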