Working with Analytics rules Part 2 – The rules

Introduction

So far in this series, we have looked at the Rule templates.  Now we will look at the Analytics rules that we are currently using.

Listing all the Analytic Rules

Much like listing the Analytic rule templates, we can make a REST call to list all the rules in the workspace. The URL is slightly different and looks like the one below.

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertrules?api-version=2019-01-01-preview

after replacing {subscriptionId}, {resourceGroupName}, and {workspaceName} with your own values. The only change from the template call is the last path segment: alertrules instead of alertruletemplates.

You can use the same PowerShell call as before to get the information, namely:

Invoke-RestMethod -Method "Get" -Uri $url2 -Headers $authHeader | ConvertTo-Json -Depth 10

(the -Depth is needed because ConvertTo-Json otherwise stops at two levels and truncates the nested properties object) and you will get a list of rule objects back in the value array. Each one looks like this (obviously a lot of the actual values will differ, and I have hidden some of them):

{
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-sentinel-beta/providers/Microsoft.OperationalInsights/workspaces/la-sentinel-beta/providers/Microsoft.SecurityInsights/alertRules/05f7f0f4-3036-4350-ac11-f5e48054a727",
  "name": "05f7f0f4-3036-4350-ac11-f5e48054a727",
  "etag": "\"2e0045da-0000-0100-0000-5e1b72720000\"",
  "type": "Microsoft.SecurityInsights/alertRules",
  "kind": "MicrosoftSecurityIncidentCreation",
  "properties": {
    "productFilter": "Azure Active Directory Identity Protection",
    "severitiesFilter": null,
    "displayNamesFilter": null,
    "displayNamesExcludeFilter": null,
    "displayName": "Gary AD Test",
    "enabled": true,
    "description": null,
    "tactics": null,
    "alertRuleTemplateName": null,
    "lastModifiedUtc": "2020-01-12T19:24:34.6478717Z"
  }
}

The main thing to notice here is that the name field is the GUID of the Analytic rule, in this case "05f7f0f4-3036-4350-ac11-f5e48054a727". The same GUID is the last segment of the id field, and that id, once you put the management endpoint in front of it and the api-version behind it, is the URL you call to get that one rule's information.
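Here is an added example (my own code, not from the original post) that wraps the listing call in a function, follows any paging the service returns, and pulls out the fields just described. It assumes the Az.Accounts module (Get-AzAccessToken) for the bearer token; the subscription, resource group and workspace names are placeholders, as is the Get-SentinelAlertRules function name.

```powershell
# Added example, not code from the original post. Assumes Az.Accounts
# (Get-AzAccessToken) and an existing Connect-AzAccount session; the
# subscription, resource group and workspace names are placeholders.
$subscriptionId    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$resourceGroupName = "rg-sentinel-beta"                       # placeholder
$workspaceName     = "la-sentinel-beta"                       # placeholder
$apiVersion        = "2019-01-01-preview"

# Bearer token for Azure Resource Manager. Part 1 of the series built
# $authHeader another way; any valid ARM token works here.
$token      = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
$authHeader = @{ Authorization = "Bearer $token" }

$sentinelUri = "https://management.azure.com/subscriptions/$subscriptionId" +
               "/resourceGroups/$resourceGroupName" +
               "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName" +
               "/providers/Microsoft.SecurityInsights"

function Get-SentinelAlertRules {
    # Returns every rule object in the workspace. ARM list calls return
    # { value: [...] } and add a nextLink when the result is paged, so keep
    # going until there is no further page.
    $uri   = "$sentinelUri/alertRules?api-version=$apiVersion"
    $rules = @()
    while ($uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $authHeader
        $rules += @($page.value)
        $uri    = $page.nextLink      # $null when the property is absent
    }
    return $rules
}

$rules = Get-SentinelAlertRules

# Sanity check of the point made above: name is the last segment of id.
foreach ($rule in $rules) {
    if ($rule.name -ne ($rule.id -split '/')[-1]) {
        Write-Warning "name/id mismatch for $($rule.id)"
    }
}

# Summarise the fields worth tracking. Working with the objects directly
# avoids the ConvertTo-Json depth problem entirely.
$rules |
    Select-Object name, kind,
        @{ n = 'displayName';     e = { $_.properties.displayName } },
        @{ n = 'enabled';         e = { $_.properties.enabled } },
        @{ n = 'template';        e = { $_.properties.alertRuleTemplateName } },
        @{ n = 'lastModifiedUtc'; e = { $_.properties.lastModifiedUtc } } |
    Sort-Object kind, displayName |
    Format-Table -AutoSize

# Disabled rules are detections you are not actually running; call them out.
$rules |
    Where-Object { -not $_.properties.enabled } |
    ForEach-Object { "DISABLED: $($_.properties.displayName) [$($_.kind)] $($_.name)" }
```

The template column is handy for drift checks: a rule with a non-null alertRuleTemplateName was created from a template, so you can compare it against the current template from Part 1 and spot rules that have fallen behind or been hand-edited.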

Listing a Specific Rule

As was just stated, if you know the ID of a specific Analytic rule, you can use it to get information for just that rule. The URL is the same as the one used above, with the rule's name appended to it. Take a look at the id field from the call above, copied below, and notice the GUID at the end.

/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-sentinel-beta/providers/Microsoft.OperationalInsights/workspaces/la-sentinel-beta/providers/Microsoft.SecurityInsights/alertRules/05f7f0f4-3036-4350-ac11-f5e48054a727

It is missing the server to call (https://management.azure.com) and the api-version query string; once we add those we get

https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-sentinel-beta/providers/Microsoft.OperationalInsights/workspaces/la-sentinel-beta/providers/Microsoft.SecurityInsights/alertRules/05f7f0f4-3036-4350-ac11-f5e48054a727?api-version=2019-01-01-preview

Now when we make our usual Invoke-RestMethod call, we get exactly the rule object shown above, but returned on its own rather than as an entry in the value array.

Listing the Actions of a Specific Rule

We can extend the URL further to get even more information about the Analytic rule, namely the Action (AKA Playbook, AKA Logic App) associated with it. The segment is called actions, in the plural, even though at present you can assign only one Playbook to a rule. Maybe there are plans to allow multiple Playbooks in the future, or the name just follows the REST naming convention, but one can hope.

To get a listing of all the actions assigned to a rule, add actions after the rule ID and before the ?api-version query string, as shown below.

https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-sentinel-beta/providers/Microsoft.OperationalInsights/workspaces/la-sentinel-beta/providers/Microsoft.SecurityInsights/alertRules/05f7f0f4-3036-4350-ac11-f5e48054a727/actions?api-version=2019-01-01-preview

Then, when you make the ever present PowerShell call, you will get a return value like this:

{
  "value": [
    {
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-sentinel-beta/providers/Microsoft.OperationalInsights/workspaces/la-sentinel-beta/providers/Microsoft.SecurityInsights/alertrules/asicustomalertsv3_26af4f5c-e1b4-4c0d-8fbb-42bf0cb711f4/actions/dc6fa724-b3d5-41ce-9697-56cb33b8e1ce",
      "name": "dc6fa724-b3d5-41ce-9697-56cb33b8e1ce",
      "etag": "\"1300b60b-0000-0300-0000-5e11b4870000\"",
      "type": "Microsoft.SecurityInsights/alertrules/actions",
      "properties": {
        "workflowId": "813711a2b51d4ae7959eeb22113b014f",
        "logicAppResourceId": null
      }
    }
  ]
}

You can also fetch a single action by adding a "/" and the action ID (the name field above) after actions and before ?api-version.
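The following is an added example (mine, not from the original post) that ties the last two sections together: it fetches one rule by GUID, lists the actions attached to it, and then reads each action back individually through the /actions/{actionId} form. It assumes Az.Accounts (Get-AzAccessToken) for the token; the names and GUIDs are the placeholders from the listings above, and Invoke-SentinelGet is a helper of my own, as is the check that each action's id sits under the rule it was requested for.

```powershell
# Added example, not code from the original post. Assumes Az.Accounts
# (Get-AzAccessToken) and a Connect-AzAccount session; the names and GUIDs
# below are placeholders taken from the listings above.
$subscriptionId    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$resourceGroupName = "rg-sentinel-beta"                       # placeholder
$workspaceName     = "la-sentinel-beta"                       # placeholder
$apiVersion        = "2019-01-01-preview"
$ruleId            = "05f7f0f4-3036-4350-ac11-f5e48054a727"   # the rule's name field

$token       = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
$authHeader  = @{ Authorization = "Bearer $token" }
$sentinelUri = "https://management.azure.com/subscriptions/$subscriptionId" +
               "/resourceGroups/$resourceGroupName" +
               "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName" +
               "/providers/Microsoft.SecurityInsights"

function Invoke-SentinelGet([string] $Path) {
    # $($Path) rather than $Path directly before '?': '?' is a legal character
    # in a PowerShell variable name and would otherwise be swallowed into it.
    Invoke-RestMethod -Method Get -Headers $authHeader `
        -Uri "$sentinelUri/$($Path)?api-version=$apiVersion"
}

# 1. The rule itself: GET .../alertRules/{id} returns the object directly,
#    with no 'value' wrapper. A 404 means no rule with that GUID exists in
#    this workspace (or the token cannot read it).
try {
    $rule = Invoke-SentinelGet "alertRules/$ruleId"
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    throw "Could not read rule $ruleId (HTTP $status): $($_.Exception.Message)"
}
"Rule    : $($rule.properties.displayName) [$($rule.kind)] enabled=$($rule.properties.enabled)"

# 2. Its actions: GET .../alertRules/{id}/actions returns { value: [...] }.
#    An empty list simply means no Playbook is attached.
$actions = @((Invoke-SentinelGet "alertRules/$ruleId/actions").value)
"Actions : $($actions.Count)"

foreach ($action in $actions) {
    # Each action id should sit under the rule we asked for. The service
    # returns the 'alertrules' segment in lower case, so compare case-insensitively.
    $expectedPrefix = "$($rule.id)/actions/"
    if (-not $action.id.StartsWith($expectedPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Action $($action.name) is listed under a different rule id: $($action.id)"
    }

    # 3. A single action: GET .../alertRules/{id}/actions/{actionId}. This is
    #    how you read one action later without listing them all again.
    $single = Invoke-SentinelGet "alertRules/$ruleId/actions/$($action.name)"
    $resId  = if ($null -eq $single.properties.logicAppResourceId) { '<null>' }
              else { $single.properties.logicAppResourceId }
    $fields = @($single.name, $single.properties.workflowId, $resId)
    "  action {0}  workflowId={1}  logicAppResourceId={2}" -f $fields
}
```

Note that the action object only gives you the workflowId of the Logic App; with logicAppResourceId null, as in the listing above, you cannot tell from this call alone which resource group the Playbook lives in, so keep a record of the Playbook when you attach it.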

Conclusion

In this post you saw how to get a listing of the Analytic rules you are using, how to fetch a single rule, and how to read the actions assigned to it. In the next post we will create a new rule.
