Azure Sentinel: Notifications of New Detection Rules

The CRITICALSTART Cybersecurity Consulting Services for Microsoft Security team is dedicated to helping you maximize the value of your cybersecurity investment. With that in mind, we will be posting periodic blog updates to keep you informed of the latest developments affecting your Microsoft Security solutions.

Today, we will examine the intersection of two key Microsoft Azure Sentinel workstreams for the modern security operations center (SOC):

• Nearly- constant enhancements for data connectors
• Nearly- constant new detection rules

Since Microsoft does not currently provide notifications when a new detection rule is published, security teams must manually monitor new detection rules and connectors.

Our Azure Sentinel automation playbook for new detection rule alerting is designed to streamline this process. The automation is primarily composed of an Azure Logic App that queries the Microsoft Graph Security application protocol interface (API) for new rules published in the last seven days, composes the update, and sends an email notification to your security team.

End Result:

Deploy:

To deploy the template:

1. Download template here.
2. Go to the Microsoft Azure Portal.
3. In the top search bar, type Deploy.
4. Choose “deploy a custom template”.
5. Choose ”Build my own template in the editor”.
6. Upload the JavaScript Object Notation (JSON) file from the GitHub template.
7. Click Save.

1. Select Subscription and the resource group in which the logic app should be deployed.
2. Update Parameters:
   • Sender Email -> Office 365 email account that will be used to send the email
   • Mail List -> Comma separated email addresses of recipients
   • Azure Sentinel Resource Group -> Resource group where Azure Sentinel log analytics workspace is deployed
   • Azure Sentinel Workspace Name -> Azure Sentinel log analytics workspace name where Azure Sentinel is deployed
3. Click Review + Create to deploy the logic app.

You will need to authenticate a connection for the Sender Email account:

1. Navigate to Resource Group where the logic app was deployed.
   The template also creates an API Connection resource which will be given a name like the name you provided for the logic app.

2. Click the API Connection to open its configuration blade.
3.  Select Edit API Connection from the left menu.
4. Click Authorize.

Lastly, you will need to enable Managed Identity for the logic to use for the Microsoft Graph Security API calls.

1. Navigate to the logic app created earlier.
2. From the left menu, select Identity and set the status to ON.
   

3. Once enabled you will be able to assign the new Managed Identity roles.
   

4. Assign Azure Sentinel Contributor role at the resource group level where Azure Sentinel workspace is deployed.

5. Go back to your logic app and click Run.

After the initial run, the logic app will activate every seven days.

You have successfully configured the solution, and your security team should be receiving email notifications every seven days with details of newly published detection rules.

If you have any questions, please email: [email protected].