A sample of one of the inbuilt anomaly rules from Get-AzSentinelAlertRule:
```json
{
  "alertRuleTemplateName": "XXX",
  "displayName": "(Preview) Attempted computer bruteforce",
  "description": "This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. It indicates anomalous high volume of failed login attempts in the last day.",
  "anomalyVersion": "1.2.2",
  "techniques": ["T1001"],
  "severity": "Informational",
  "customizableObservations": {
    "multiSelectObservations": null,
    "singleSelectObservations": null,
    "prioritizeExcludeObservations": null,
    "thresholdObservations": [
      "@{minimum=0; maximum=1; value=0.4; name=Score; description=Generate an anomaly when score is greater than the chosen value; sequenceNumber=1; rerun=NotRequired}"
    ],
    "singleValueObservations": null
  },
  "frequency": "P1D",
  "ruleStatus": "Production",
  "isDefaultRule": true,
  "anomalyRuleVersion": 0,
  "enabled": true,
  "tactics": ["InitialAccess"],
  "lastModifiedUtc": "2021-05-24T01:53:45.8957492Z",
  "name": "XXX",
  "etag": "XXX",
  "id": "/subscriptions/XXX/resourceGroups/XXX/providers/Microsoft.OperationalInsights/workspaces/XXX/providers/Microsoft.SecurityInsights/alertRules/XXX",
  "kind": "Anomaly",
  "playbookName": ""
}
```
Summary of the new feature/enhancement
Sentinel now has an anomaly rule type in preview - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-built-in#anomaly
Anomaly rules can be duplicated from the inbuilt templates to allow tuning parameters.
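The `thresholdObservations` entry in the sample above is not a nested JSON object but a string of the form `@{minimum=0; maximum=1; value=0.4; ...}`, which is how `ConvertTo-Json` renders a nested PowerShell object once its default depth is exceeded. The following is an added example, not code from this issue or from the Az.SecurityInsights module: the function names `ConvertFrom-HashtableString` and `Test-AnomalyThreshold` are hypothetical helpers that parse that string back into a hashtable and check that a tuned `Score` value stays inside the `minimum`/`maximum` range the template advertises, which is the parameter a duplicated rule would be tuning.

```powershell
# Added example (not from the issue or the Az.SecurityInsights module).
# Parses the "@{key=value; key=value}" string that ConvertTo-Json emits for
# nested objects and validates a proposed threshold against the template's range.

function ConvertFrom-HashtableString {
    param([Parameter(Mandatory)][string]$Text)

    # Strip the leading "@{" and trailing "}" so only "key=value; key=value" remains
    $inner = $Text.Trim()
    if ($inner.StartsWith('@{')) { $inner = $inner.Substring(2) }
    if ($inner.EndsWith('}'))    { $inner = $inner.Substring(0, $inner.Length - 1) }

    $result = @{}
    foreach ($pair in ($inner -split ';\s*')) {
        if (-not $pair.Trim()) { continue }
        # Split on the first '=' only; the description value contains spaces but no '='
        $idx = $pair.IndexOf('=')
        if ($idx -lt 0) { continue }
        $key   = $pair.Substring(0, $idx).Trim()
        $value = $pair.Substring($idx + 1).Trim()

        # Coerce numeric values (minimum, maximum, value, sequenceNumber) so range
        # checks compare numbers, not strings; everything else stays a string.
        $number = 0.0
        $isNumber = [double]::TryParse($value,
            [System.Globalization.NumberStyles]::Float,
            [System.Globalization.CultureInfo]::InvariantCulture,
            [ref]$number)
        if ($isNumber) { $result[$key] = $number } else { $result[$key] = $value }
    }
    return $result
}

function Test-AnomalyThreshold {
    param(
        [Parameter(Mandatory)][hashtable]$Observation,
        [Parameter(Mandatory)][double]$NewValue
    )
    $min = [double]$Observation['minimum']
    $max = [double]$Observation['maximum']
    if ($NewValue -lt $min -or $NewValue -gt $max) {
        throw "Value $NewValue for '$($Observation['name'])' is outside the allowed range [$min, $max]"
    }
    return $true
}

# Constructed sample input: the thresholdObservations entry from the rule shown in this issue
$sample = '@{minimum=0; maximum=1; value=0.4; name=Score; description=Generate an anomaly when score is greater than the chosen value; sequenceNumber=1; rerun=NotRequired}'
$obs = ConvertFrom-HashtableString -Text $sample

"$($obs['name']): current=$($obs['value']) allowed=[$($obs['minimum']), $($obs['maximum'])] rerun=$($obs['rerun'])"

# A stricter score threshold for a duplicated copy of the rule: 0.7 lies within [0, 1]
Test-AnomalyThreshold -Observation $obs -NewValue 0.7
```

Because the flattened string loses type information, the parser coerces anything that parses as a double back to a number; a value such as `rerun=NotRequired` is kept as a string, so the caller can see from the template whether changing the threshold needs the anomaly model to be rerun.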