Detecting the 'Unhealthy' State of Security Recommendations from Microsoft Defender for Cloud with an Analytics Rule in Microsoft Sentinel
This repository provides a detection rule that fires when the state of a Microsoft Defender for Cloud recommendation changes to "Unhealthy".
The configuration is shown in the image below.
You can import the template JSON into Microsoft Sentinel. Caution:
- Requires the "SecurityRecommendation" table (the table the query reads) in the target Log Analytics workspace.
- Beforehand, you need to configure "Continuous Export" in Microsoft Defender for Cloud to the Sentinel Log Analytics workspace.
The current version of the package contains the following Kusto query (Azure recommendations).
```kusto
let queryfrequency = 1h;
// Watchlist as a variable
let ASC_Rec_watchlist = (_GetWatchlist('ASC_Reco')
| project ASC_Reco);
SecurityRecommendation
| where TimeGenerated > ago(queryfrequency)
| where RecommendationState == "Unhealthy"
| where IsSnapshot == "false" // For Continuous Export without Snapshot
| where Environment == "Azure" // For Azure
| where RecommendationName in (ASC_Rec_watchlist)
| extend
    FirstEvaluationDate = tostring(Properties.status.firstEvaluationDate),
    StatusChangeDate = tostring(Properties.status.statusChangeDate)
// AssessedResourceId looks like "/subscriptions/<id>/resourceGroups/<rg>/providers/...",
// so segment 2 is the subscription id and segment 4 the resource group.
// Cast both to string: split() returns dynamic, and the lookup key must match
// the string column subscriptionId on the right side.
| extend
    SubscriptionId = tostring(split(AssessedResourceId, "/", 2)[0]),
    ResourceGroup = tostring(split(AssessedResourceId, "/", 4)[0])
// Enrich with the subscription display name from Azure Resource Graph
| lookup kind=leftouter (
    arg("").resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, name
)
on $left.SubscriptionId == $right.subscriptionId
| project
    TimeGenerated,
    RecommendationName,
    RecommendationState,
    RecommendationSeverity,
    FirstEvaluationDate,
    StatusChangeDate,
    AssessedResourceId,
    SubscriptionId,
    name,
    ResourceGroup,
    Description,
    RemediationDescription
```
- For AWS Recommendations
```kusto
let dt_lookBack = ago(1d);
let history_lookBack = ago(7d);
SecurityRecommendation
| where TimeGenerated >= dt_lookBack
| where RecommendationState == "Unhealthy"
| where IsSnapshot == "false" // For Continuous Export without Snapshot
| where Environment == "AWS" // For AWS
//
// Exclude AWS resources that were already Unhealthy during the previous 7 days (leftanti join)
| join kind=leftanti (
    SecurityRecommendation
    | where TimeGenerated between(history_lookBack .. dt_lookBack)
    | where RecommendationState == "Unhealthy"
    | where IsSnapshot == "false"
    | where Environment == "AWS"
    | summarize count() by RecommendationName, AssessedResourceId
)
on RecommendationName, AssessedResourceId
//
// Extend AWS resource information
| extend
    FirstEvaluationDate = tostring(Properties.status.firstEvaluationDate),
    StatusChangeDate = tostring(Properties.status.statusChangeDate),
    aws_arn = tostring(RecommendationAdditionalData.nativeCloudUniqueIdentifier),
    aws_account = tostring(RecommendationAdditionalData.hierarchyId),
    aws_region = tostring(RecommendationAdditionalData.region)
| project
    TimeGenerated,
    RecommendationName,
    RecommendationSeverity,
    FirstEvaluationDate,
    StatusChangeDate,
    Description,
    RemediationDescription,
    aws_account,
    aws_region,
    aws_arn
```
If you want to monitor a multi-cloud environment, comment out '| where Environment == "Azure"'.
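To see how the two queries above behave on concrete records, here is an offline Python model of their filtering, resource-id parsing and leftanti suppression logic. This is an added example, not code from the repository; all rows, subscription names, ARNs and the stand-in for `arg("").resourcecontainers` are constructed.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed "now" for reproducibility
SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription id
AZ_ID = f"/subscriptions/{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/st1"
AWS_OLD = "arn:aws:ec2:us-east-1:123456789012:instance/i-old"  # constructed ARN
AWS_NEW = "arn:aws:ec2:us-east-1:123456789012:instance/i-new"  # constructed ARN

def row(age, name, env, resource_id, snapshot="false"):
    """Build a constructed SecurityRecommendation-like record `age` before NOW."""
    return {"TimeGenerated": NOW - age, "RecommendationName": name, "Environment": env,
            "AssessedResourceId": resource_id, "RecommendationState": "Unhealthy", "IsSnapshot": snapshot}

ROWS = [  # constructed sample rows (only the columns the rules filter on)
    row(timedelta(minutes=20), "Microsoft Defender for Storage should be enabled", "Azure", AZ_ID),
    row(timedelta(minutes=25), "Recommendation not in the watchlist", "Azure", AZ_ID),
    row(timedelta(minutes=40), "Microsoft Defender for Key Vault should be enabled", "Azure", AZ_ID, snapshot="true"),
    row(timedelta(hours=2), "Sample AWS recommendation (constructed)", "AWS", AWS_NEW),
    row(timedelta(hours=3), "Sample AWS recommendation (constructed)", "AWS", AWS_OLD),
    row(timedelta(days=3), "Sample AWS recommendation (constructed)", "AWS", AWS_OLD),
]
WATCHLIST = {"Microsoft Defender for Storage should be enabled",
             "Microsoft Defender for Key Vault should be enabled"}  # ASC_Reco watchlist entries
SUBSCRIPTIONS = {SUB: "prod-subscription"}  # stands in for arg("").resourcecontainers

def base_filter(rows, env, since):
    """The four `where` clauses shared by both queries."""
    return [r for r in rows if r["TimeGenerated"] >= since and r["RecommendationState"] == "Unhealthy"
            and r["IsSnapshot"] == "false" and r["Environment"] == env]

def parse_resource_id(resource_id):
    """Same segment positions as split(AssessedResourceId, "/", 2) and (..., 4) in the KQL."""
    parts = resource_id.split("/")
    return (parts[2] if len(parts) > 2 else "", parts[4] if len(parts) > 4 else "")

def azure_alerts(rows, watchlist, subscriptions, now=NOW, frequency=timedelta(hours=1)):
    """Azure rule: watchlist filter plus subscription / resource group enrichment."""
    alerts = []
    for r in base_filter(rows, "Azure", now - frequency):
        if r["RecommendationName"] in watchlist:
            sub, rg = parse_resource_id(r["AssessedResourceId"])
            alerts.append({**r, "SubscriptionId": sub, "ResourceGroup": rg, "name": subscriptions.get(sub)})
    return alerts

def aws_alerts(rows, now=NOW, lookback=timedelta(days=1), history=timedelta(days=7)):
    """AWS rule: the leftanti join drops pairs that were already Unhealthy earlier in the history window."""
    recent = base_filter(rows, "AWS", now - lookback)
    seen = {(r["RecommendationName"], r["AssessedResourceId"])
            for r in base_filter(rows, "AWS", now - history) if r["TimeGenerated"] < now - lookback}
    return [r for r in recent if (r["RecommendationName"], r["AssessedResourceId"]) not in seen]
```

Only the in-watchlist, non-snapshot Azure row and the AWS resource that was not Unhealthy in the prior week produce alerts; the recurring AWS resource is suppressed.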
I suppose many customers would like to filter specific recommendations that were triggered to the "Unhealthy" status, because normally ASC (Microsoft Defender for Cloud) generates many recommendation events. If you want to filter and detect alerts for specific recommendations, you can use the Watchlist feature to filter recommendations.
Here is the customized package (template JSON file). You can easily upload and import the customized analytics rule into Microsoft Sentinel.
After importing the template JSON, you need to create two watchlists.
- "ASC_Reco" watchlist for filtering recommendations.
Here is a sample CSV for the watchlist.
```csv
ASC_Reco
TLS should be updated to the latest version for API apps
TLS should be updated to the latest version for function apps
TLS should be updated to the latest version for web apps
Microsoft Defender for servers should be enabled
Microsoft Defender for Containers should be enabled
Microsoft Defender for Azure SQL Database servers should be enabled
Microsoft Defender for DNS should be enabled
Microsoft Defender for open-source relational databases should be enabled
Microsoft Defender for Resource Manager should be enabled
Microsoft Defender for SQL on machines should be enabled on workspaces
Microsoft Defender for SQL servers on machines should be enabled
Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers
Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances
Microsoft Defender for Storage should be enabled
Microsoft Defender for Key Vault should be enabled
```
Here are the current parameters in this package.

| Parameter | Value | Description |
|---|---|---|
| queryfrequency | 1h | |
| RecommendationName | Recommendation name from Microsoft Defender for Cloud | |
| RecommendationSeverity | High/Middle/Low | Recommendation severity |
| FirstEvaluationDate | First evaluation date by Azure Policy | |
| StatusChangeDate | Status change date by Azure Policy | |