
# Large Number of Analytics Rules Deleted

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.001 | Impair Defenses: Disable or Modify Tools | https://attack.mitre.org/techniques/T1562/001/ |

#### Description
This query detects when a large number of Sentinel Analytics Rules are deleted within a short timeframe. Bulk deletion can be a normal part of the detection lifecycle (for example when rules are redeployed from a repository), but it can also be done with malicious intent to blind the SOC.

The query uses three input variables: Threshold, TimeFrame and IngestionTime. Threshold determines when the query alerts; by default this is when 100 or more distinct rules are deleted by the same caller within one TimeFrame bin (default 24 hours). IngestionTime (default 48 hours) is the lookback on ingestion time, i.e. from what moment logs are included; it is set to twice the TimeFrame so that a complete bin is evaluated even when the Activity log arrives with a delay.

#### Risk
An attacker, or a compromised user or service principal, deletes a large number of Sentinel Analytics rules to evade detection.

## Sentinel
```KQL
// Alert when at least Threshold distinct rules are deleted by one caller within one TimeFrame bin
let Threshold = 100;
let TimeFrame = 24h;
// Look back twice the TimeFrame on ingestion time so a full bin is covered even when the
// Activity log arrives late
let IngestionTime = 2*24h;
AzureActivity
| where ingestion_time() > ago(IngestionTime)
| where OperationNameValue =~ "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
| where ActivityStatusValue =~ "Success"
// The rule ID is the last segment of the deleted resource's ID path in Properties.entity
| extend RuleId = tostring(parse_path(tostring(parse_json(Properties).entity)).Filename)
// The rule no longer exists, so its display name is recovered from SentinelHealth
| join kind=leftouter (
    SentinelHealth
    | where TimeGenerated > ago(7d)
    | extend RuleId = tostring(ExtendedProperties.RuleId)
    | summarize arg_max(TimeGenerated, RecordId, SentinelResourceName) by RuleId
) on RuleId
| summarize TotalDeletedRules = dcount(RuleId), RuleNames = make_set(SentinelResourceName, 100), RuleIds = make_set(RuleId) by ResourceGroup, SubscriptionId, Caller, bin(TimeGenerated, TimeFrame)
| where TotalDeletedRules >= Threshold
```

## Explanation

This query detects when a large number of Sentinel Analytics Rules are deleted within a short period, which can indicate an attempt to evade detection. A simplified breakdown of how the query works:

1. Variables setup:
   - Threshold: the minimum number of distinct rule deletions (default 100) that triggers an alert.
   - TimeFrame: the time window (default 24 hours) within which deletions are counted.
   - IngestionTime: the lookback on ingestion time (default 48 hours) from which logs are considered.
2. Data source:
   - The query reads AzureActivity, the Azure Activity log of control-plane operations on Azure resources.
3. Filtering:
   - Only events whose operation name is the analytics rule delete operation and whose status is Success are kept, so failed or denied attempts do not count towards the threshold.
4. Data processing:
   - The RuleId is the last segment of the deleted resource's ID, taken from the entity field in Properties.
   - The events are joined (left outer) with SentinelHealth to recover the rule's display name; because the rule no longer exists, the health table is the place where the name is still available.
5. Aggregation:
   - The number of distinct deleted rules is counted and the rule names and IDs are collected into sets.
   - This is done per resource group, subscription ID and caller (the user or service principal that issued the deletion), per fixed TimeFrame bin.
6. Alert condition:
   - A row is returned when the distinct count meets or exceeds Threshold.
   - Such a row indicates that someone may be impairing defenses by deleting rules in bulk.

Two caveats when tuning: bin() produces fixed windows, so a burst that straddles a bin boundary (for example around midnight UTC with a 24h bin) is split across two rows and may stay below the threshold in both; and automated deployments that remove and recreate rules will trigger the query legitimately, so expect to allowlist the identities used by your deployment pipeline or lower the threshold only for interactive callers.

In essence, this query helps identify suspicious activity by monitoring for mass deletions of security rules, which could be an attempt to impair defenses.
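The detection logic described above, re-implemented offline in Python over constructed AzureActivity-style rows so the behaviour can be checked without a workspace. This is an added example, not the page's KQL or any Microsoft code: the callers, rule IDs, subscription and resource group are made up, the threshold is lowered to 3 so the sample trips it, and the sliding-window function is an alternative that the page itself does not include.

```python
"""Offline re-implementation of the 'Large Number of Analytics Rules Deleted' logic.
Added example: field names follow the AzureActivity schema, all records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from posixpath import basename

DELETE_OP = "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE"
THRESHOLD = 3                                   # the page uses 100; lowered for the sample data
TIME_FRAME = timedelta(hours=24)
SUB = "00000000-0000-0000-0000-000000000000"    # constructed subscription ID
RG = "rg-sentinel"                              # constructed resource group


def _rec(ts, caller, rule, status="Success", op=DELETE_OP):
    """Build one constructed AzureActivity row; Properties is a JSON string, as in the table."""
    entity = (f"/subscriptions/{SUB}/resourceGroups/{RG}/providers/Microsoft.OperationalInsights"
              f"/workspaces/ws-sentinel/providers/Microsoft.SecurityInsights/alertRules/{rule}")
    return {
        "TimeGenerated": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "OperationNameValue": op,
        "ActivityStatusValue": status,
        "Caller": caller,
        "ResourceGroup": RG,
        "SubscriptionId": SUB,
        "Properties": json.dumps({"entity": entity}),
    }


SAMPLE_RECORDS = [
    # alice: three distinct rules deleted, one of them twice, plus one failed attempt
    _rec("2024-12-02T10:05:00", "alice@contoso.com", "rule-1"),
    _rec("2024-12-02T10:10:00", "alice@contoso.com", "rule-2"),
    _rec("2024-12-02T10:12:00", "alice@contoso.com", "rule-2"),           # retried delete
    _rec("2024-12-02T10:20:00", "alice@contoso.com", "rule-3"),
    _rec("2024-12-02T10:30:00", "alice@contoso.com", "rule-4", status="Failed"),
    # bob: four rules in 35 minutes, but the burst straddles the midnight bin boundary
    _rec("2024-12-02T23:40:00", "bob@contoso.com", "rule-5"),
    _rec("2024-12-02T23:50:00", "bob@contoso.com", "rule-6"),
    _rec("2024-12-03T00:05:00", "bob@contoso.com", "rule-7"),
    _rec("2024-12-03T00:15:00", "bob@contoso.com", "rule-8"),
    # carol: a rule write, not a delete; must be filtered out
    _rec("2024-12-02T10:00:00", "carol@contoso.com", "rule-9",
         op="MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"),
]


def rule_id_from_entity(entity):
    """Mirror tostring(parse_path(entity).Filename): the last segment of the resource ID."""
    return basename(entity.rstrip("/"))


def bin_start(ts, size):
    """Mirror KQL bin(): floor to a fixed window aligned to whole multiples of `size`."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // size) * size


def _successful_delete(rec):
    """The two where-filters, case-insensitive like =~."""
    return (rec["OperationNameValue"].casefold() == DELETE_OP.casefold()
            and rec["ActivityStatusValue"].casefold() == "success")


def detect_fixed_bins(records, threshold=THRESHOLD, time_frame=TIME_FRAME):
    """The page's logic: dcount(RuleId) per (ResourceGroup, SubscriptionId, Caller, bin)."""
    groups = defaultdict(set)
    for rec in records:
        if not _successful_delete(rec):
            continue
        rule_id = rule_id_from_entity(json.loads(rec["Properties"])["entity"])
        key = (rec["ResourceGroup"], rec["SubscriptionId"], rec["Caller"],
               bin_start(rec["TimeGenerated"], time_frame))
        groups[key].add(rule_id)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) >= threshold}


def detect_sliding_window(records, threshold=THRESHOLD, window=TIME_FRAME):
    """Alternative: count distinct rules in any `window` ending at a deletion event, so a burst
    that straddles a fixed bin boundary is still caught."""
    by_caller = defaultdict(list)
    for rec in records:
        if not _successful_delete(rec):
            continue
        key = (rec["ResourceGroup"], rec["SubscriptionId"], rec["Caller"])
        by_caller[key].append((rec["TimeGenerated"],
                               rule_id_from_entity(json.loads(rec["Properties"])["entity"])))
    hits = {}
    for key, events in by_caller.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            recent = {rid for t, rid in events[: i + 1] if t > ts - window}
            if len(recent) >= threshold:
                hits[key] = sorted(recent)      # keep the largest window seen for this caller
    return hits


if __name__ == "__main__":
    for key, ids in detect_fixed_bins(SAMPLE_RECORDS).items():
        print("fixed bin:", key[2], key[3].isoformat(), ids)
    for key, ids in detect_sliding_window(SAMPLE_RECORDS).items():
        print("sliding:  ", key[2], ids)
```

Running it shows the two points from the explanation: alice is reported by both functions with three distinct rules (the retried delete is counted once, the failed one not at all), while bob's four deletions are only reported by the sliding-window variant, because the fixed 24h bin splits them two and two.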

## Details

Author: Bert-Jan Pals

Released: December 2, 2024

Tables: AzureActivity, SentinelHealth

Keywords: AzureActivity, Sentinel, Analytics Rules

Operators: let, ingestion_time(), ago(), =~, tostring(), parse_path(), parse_json(), join, kind=leftouter, summarize, arg_max(), dcount(), make_set(), bin()