KQL query to detect the disablement and deletion of Automation Rules


Hi Community,

 

We want to create a KQL query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with that table is that it does not specify whether a rule has been ENABLED or DISABLED. As far as we can see, it does not have a unique identifier for disable or enable. Both log outputs are the same:

[two screenshots of the Activity log entries]

 

Does any of you have a solution for this problem?

Thanks in advance :)

Greetings,

Kevin

6 Replies

@KevinHemelrijk 

 

You can use the REST API; search for "Automation Rules - List - REST API (Azure Sentinel)". The website was down so I couldn't provide a good link.

You'd have to call this in a Playbook and monitor the state change. The API also has the display name of the rule as well as the GUID you see in the Activity logs. You can then get the Playbook to create an Incident or email you, etc.


Example of the API output from the "Workspace Usage" workbook ("Regular Checks --> Weekly --> Rules"):

[screenshot: API output from the Workspace Usage workbook]
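
The snapshot-and-diff approach described above, as an added example that is not part of this thread or of any Microsoft sample: it walks the Automation Rules - List endpoint page by page, keeps only each rule's GUID, display name and properties.triggeringLogic.isEnabled, and compares two polls to report which rules were disabled, enabled, deleted or created. The endpoint path and the api-version 2023-02-01 are assumptions to check against the current REST reference, bearer-token acquisition is left to the caller, and the two sample responses are constructed, not captured from a workspace. One thing worth ruling out when the list looks incomplete is pagination: the response carries a nextLink when more rules remain, and a caller that reads only value from the first page never sees the rest, which is why the example follows nextLink explicitly.

```python
"""Added example: poll the Sentinel Automation Rules - List API and diff
snapshots to catch rules being disabled or deleted. Endpoint path and
api-version are assumptions to verify against the current REST reference."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

API_VERSION = "2023-02-01"  # assumption; confirm against the REST reference


def list_url(sub: str, rg: str, ws: str) -> str:
    """First page of the list endpoint for one workspace (assumed path)."""
    return (
        f"https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{ws}"
        f"/providers/Microsoft.SecurityInsights/automationRules?api-version={API_VERSION}"
    )


def arm_fetcher(bearer_token: str) -> Callable[[str], dict]:
    """GET one page from ARM; obtaining the token is left to the caller."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def collect_rules(fetch: Callable[[str], dict], url: Optional[str]) -> List[dict]:
    """Follow nextLink until exhausted: reading only the first page's 'value'
    silently drops every rule on later pages."""
    rules: List[dict] = []
    while url:
        page = fetch(url)
        rules.extend(page.get("value", []))
        url = page.get("nextLink")
    return rules


def snapshot(rules: List[dict]) -> Dict[str, dict]:
    """Key on the rule GUID ('name'), the id that also shows up in the
    Activity log, and keep just the fields the diff needs."""
    snap: Dict[str, dict] = {}
    for r in rules:
        props = r.get("properties", {})
        snap[r["name"]] = {
            "displayName": props.get("displayName", ""),
            "enabled": bool(props.get("triggeringLogic", {}).get("isEnabled", False)),
        }
    return snap


@dataclass(frozen=True)
class Change:
    kind: str  # "created" | "deleted" | "disabled" | "enabled"
    rule_id: str
    display_name: str


def diff_snapshots(previous: Dict[str, dict], current: Dict[str, dict]) -> List[Change]:
    """State transitions between two polls; this is the enable/disable
    distinction the Activity log write event does not carry."""
    changes: List[Change] = []
    for rid, prev in previous.items():
        cur = current.get(rid)
        if cur is None:
            changes.append(Change("deleted", rid, prev["displayName"]))
        elif prev["enabled"] and not cur["enabled"]:
            changes.append(Change("disabled", rid, cur["displayName"]))
        elif not prev["enabled"] and cur["enabled"]:
            changes.append(Change("enabled", rid, cur["displayName"]))
    changes += [Change("created", rid, cur["displayName"])
                for rid, cur in current.items() if rid not in previous]
    return sorted(changes, key=lambda c: (c.kind, c.rule_id))


def alert_worthy(changes: List[Change]) -> List[Change]:
    """The two transitions the thread wants to alert on."""
    return [c for c in changes if c.kind in ("deleted", "disabled")]


# Constructed sample data (not captured from a real workspace): the second
# poll has one rule disabled, one re-enabled, one deleted and one new.
def _rule(rid: str, name: str, enabled: bool) -> dict:
    return {"name": rid, "properties": {"displayName": name,
            "triggeringLogic": {"isEnabled": enabled, "triggersOn": "Incidents"}}}

R_A, R_B, R_C, R_D, R_E = (f"00000000-0000-4000-8000-00000000000{x}" for x in "abcde")
PAGES_BEFORE = {
    "page1": {"value": [_rule(R_A, "Auto-close informational", True),
                        _rule(R_B, "Assign to SOC tier 1", True)], "nextLink": "page2"},
    "page2": {"value": [_rule(R_C, "Tag phishing incidents", False),
                        _rule(R_D, "Run isolation playbook", True)]},
}
PAGES_AFTER = {
    "page1": {"value": [_rule(R_A, "Auto-close informational", True),
                        _rule(R_B, "Assign to SOC tier 1", False)], "nextLink": "page2"},
    "page2": {"value": [_rule(R_C, "Tag phishing incidents", True),
                        _rule(R_E, "Notify on-call", True)]},
}


def fake_fetcher(pages: Dict[str, dict]) -> Callable[[str], dict]:
    """Stand-in for arm_fetcher that serves the constructed pages offline."""
    return lambda url: pages[url]


def run_once(fetch: Callable[[str], dict], first_url: str, previous: Dict[str, dict]):
    """One poll cycle: returns the snapshot to persist and the changes found."""
    current = snapshot(collect_rules(fetch, first_url))
    return current, diff_snapshots(previous, current)


if __name__ == "__main__":
    before, _ = run_once(fake_fetcher(PAGES_BEFORE), "page1", {})
    after, changes = run_once(fake_fetcher(PAGES_AFTER), "page1", before)
    for c in alert_worthy(changes):
        print(f"{c.kind:8s} {c.display_name} ({c.rule_id})")
```

In a real deployment run_once would be called on a schedule (a runbook, a function, or the Playbook Clive mentions) with arm_fetcher in place of fake_fetcher and list_url for the first page; the returned snapshot is what you persist between runs, and the alert_worthy list is what you turn into an incident or an email.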

 

Hi Clive,

Thanks for your answer. We are currently having an issue where the Automation Rule list API request does not give us ALL the automation rules that are inside our Sentinel workspace. We contacted Microsoft and they still do not have a solution for this problem, so unfortunately using the API is out of scope for our project. According to your message, a KQL query is not possible, if I understand correctly?

Hi @KevinHemelrijk,

You can use the following KQL query:

 

AzureActivity
| where OperationName == "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/WRITE"
| where Category == "Write"
| where Action == "Microsoft.Automation/automationRules/disable"
| project ActivityId, OperationName, Category, Action, ResourceId

 

 

This query will return all Azure Activity logs where an Automation Rule has been disabled in Azure Security Insights.

You can combine this query with the one to detect the deletion of Automation Rules to create a single query that will detect both the disablement and deletion of Automation Rules in Azure Security Insights.

 

// KQL operators are case-sensitive: the union operator must be lowercase
AzureActivity
| where OperationName == "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/WRITE"
| where Category == "Write"
| where Action == "Microsoft.Automation/automationRules/disable"
| project ActivityId, OperationName, Category, Action, ResourceId
| union (
    AzureActivity
    | where OperationName == "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE"
    | where Category == "Delete"
    | project ActivityId, OperationName, Category, Action, ResourceId
)

 

 

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it a Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

Hi @LeonPavesic ,

Unfortunately, the AzureActivity table does not contain the OperationName and Action columns, so this does not work.

Hi @Clive_Watson ,
Thanks for letting us know. It is indeed a shame that Microsoft deprecates something and at the same time makes it worse. I hope they will release an updated table in the future.