Azure Sentinel: Using rule templates

Microsoft's Azure Sentinel, our Security Incident and Event Management (SIEM) solution, enables you to connect activity data from different sources into a shared workspace. That data ingestion is just the first step in the process though. The power comes from what you can now do with that data, including investigating incident alerts, building your own dashboards with workbooks, responding to threats with security playbooks and hunting for security threats.

Let's take a look at some of the built-in rule templates that you can activate, to query and alert on that data.

Built-in rule templates
Your active rules and the list of available rule templates can be found in Azure Sentinel under ConfigurationAnalytics:

Azure Sentinel Analytics menuAzure Sentinel Analytics menu

The rule templates are published by Microsoft and are updated and added to as new events and threats are detected, classified as low, medium or high severity. There are currently just under 200 rule templates covering 38 different data sources, both from Microsoft and third parties.

Some of the rule templates in Azure SentinelSome of the rule templates in Azure Sentinel


There are rule templates to create incidents in Azure Sentinel based on alerts from Azure , Office 365 Advanced (Preview) and Microsoft Advanced Threat Protection. This helps you build one place to manage and investigate threats across different Microsoft products.

There are individual rules for Microsoft and non-Microsoft products:

High First access credential added to Application or Service Principal where no credential was present Azure
Medium Rare application consent  Azure
Medium Full Admin policy created and then attached to Roles, Users or Groups Amazon Web Services
Low Changes to AWS Security Group ingress and egress settings Amazon Web Services
Medium Known Malware Detected VMWare Carbon Black Endpoint Standard (preview)
Medium Port scan detected Sophos XG Firewall (preview)
Medium New internet-exposed SSH endpoints Syslog
Low Request for single resource on domain Zscaler

There are also rules that combine more than one product, linking events that could indicate a possible incident: 

High Anomalous login followed by Teams action Office 365 + Azure
High Multiple password reset by user Azure Active Directory + Security Events + Syslog + Office 365

And there are rules that detect a known threat from different data sources:

High Known IRIDIUM IP Office 365, DNS (preview), Cisco ASA, Palo Alto Networks, Security Events, Azure Active Directory, Azure Activity, Amazon Web Services
High THALLIUM domains included in DCU takedown DNS (preview), Cisco ASA, Palo Alto Networks

Anatomy of a rule template
As well as a severity and a list of the data source/s for this rule, a description tells you why this rule is important and may give you links to other relevant information.

Azure Sentinel rule template descriptionAzure Sentinel rule template description

The rule type can be:
Microsoft Security – these rules automatically create Azure Sentinel incidents from alerts generated in other Microsoft security products, in real time.
Scheduled – these run periodically based on the settings you configure and allow you to alter the query logic.
ML Behaviour Analytics – these are based on proprietary Microsoft algorithms, so you can't see of change the query logic.
Fusion – this detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default. For more information on Fusion incident types, visit Advanced multistage attack detection in Azure Sentinel. 

The tactics icons show what kind of threat this rule is related to:
Credential access, command and control, initial access, impact, defence evasion, collection, persistence, lateral movement, privilege escalation.

You can also see the details of the rule query, written in Kusto Query Language (KQL).

Azure Sentinel-Rule query.PNG

Scheduled rules have a frequency, a rule period and a rule threshold, and may allow event grouping, suppression, the creation of incidents from this alert and alert grouping.

Rule template settings for a scheduled ruleRule template settings for a scheduled rule

Creating a rule from a rule template
To turn a rule template into an active rule for your environment, you just select the Create rule button. With the wizard, you can then customize any rule settings or the rule logic itself (if appropriate) and you will be warned if you don't have the required data sources connected.

Choosing your rules

Azure Sentinel gives you a very powerful security capability, but it's up to you to decide apply it to your organization. The built-in rule templates are a great start, or you may also choose to build your own queries. Take a look at the data sources across your environment and what security incident and event monitoring tools and processes you already have in place. What in particular do you need to monitor – attacks? logins of administrative accounts? events from different systems that may be related?

In addition, the Azure security baseline for Azure Sentinel takes guidance from the Azure Security Benchmark‘s security controls.   

Learn more:

MS Learn – Cloud-native security operations with Azure Sentinel

Docs – Tutorial: Detect threats out of the box

Docs – Tutorial: Create custom analytics rules to detect threats

Docs – Extend Azure Sentinel across workspaces and tenants



This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.