Oct 19 2023 12:40 AM
Hi Community,
We want to create a KQL-query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with that table is that is does not specify whether a rule has been ENABLED or DISABLED. As far as we can see, it does not have a unique identifier for disable or enable. Both log outputs are the same:
Does anyone of you have a solution for this problem?
Thanks in advance :)
Greetings,
Kevin
Oct 19 2023 03:01 AM
You can use the REST API, search for "Automation Rules - List - REST API (Azure Sentinel)" The website was down so I couldn't provide a good link.
You'd have to call this in a Playbook and monitor the state change - the api also has the display name of the rule as well as the GUID you see in the Activity logs. You can then get the Playbook to create an Incident or email you etc...
Example of the api output from "Workspace Usage" workbook: "Regular Checks --> Weekly --> Rules
Oct 19 2023 03:07 AM
Oct 19 2023 03:08 AM
Hi @KevinHemelrijk,
you can use the following KQL query:
AzureActivity
| where OperationName == "MICROSOFT SECURITYINSIGHTS/AUTOMATIONRULES/WRITE"
| where Category == "Write"
| where Action == "Microsoft.Automation/automationRules/disable"
| project ActivityId, OperationName, Category, Action, ResourceId
This query will return all Azure Activity logs where an Automation Rule has been disabled in Azure Security Insights.
You can combine this query with the one to detect the deletion of Automation Rules to create a single query that will detect both the disablement and deletion of Automation Rules in Azure Security Insights.
(AzureActivity
| where OperationName == "MICROSOFT SECURITYINSIGHTS/AUTOMATIONRULES/WRITE"
| where Category == "Write"
| where Action == "Microsoft.Automation/automationRules/disable"
| project ActivityId, OperationName, Category, Action, ResourceId)
UNION
(AzureActivity
| where OperationName == "MICROSOFT SECURITYINSIGHTS/AUTOMATIONRULES/DELETE"
| where Category == "Delete"
| project ActivityId, OperationName, Category, Action, ResourceId)
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
Oct 19 2023 03:14 AM
Oct 19 2023 03:24 AM
Oct 24 2023 01:44 AM