Add Sentinel analytics rule ARM templates for all 13 retail detection rules#76
Merged
… rules
Converts every KQL rule in detection-rules/retail/ into a deployable Microsoft Sentinel analytics rule ARM template under sentinel/analytics-rules/. Each template embeds the full KQL query inline and carries MITRE tactics, techniques, entity mappings, and customDetails (PlaybookTrigger, RiskScore). Closes #69
The file was stored with literal \n sequences instead of real newlines (MCP push_files encoding bug from previous session), causing syntax errors in pytest and flake8 on every branch forked from dev.
Summary
Closes #69
Adds 13 Microsoft Sentinel analytics rule ARM templates under sentinel/analytics-rules/, one for each retail KQL detection rule. Each template is deployable via Azure CLI or the Sentinel UI Analytics import feature and embeds the full KQL query inline.
Files added
Template schema
Each ARM template uses Microsoft.OperationalInsights/workspaces/providers/alertRules (kind: Scheduled, API version 2022-11-01-preview) and includes:
- displayName, description, severity
- query (the full KQL, inline in the query field)
- queryFrequency and queryPeriod (PT5M / PT15M / PT30M depending on rule)
- tactics and techniques (MITRE ATT&CK)
- entityMappings (Account, Host, IP, Process, Mailbox as appropriate)
- customDetails: PlaybookTrigger, RiskScore, and a rule-specific field
- requiredDataConnectors referencing the RetailShield connector
How to test
1. Deploy a single rule to a dev Sentinel workspace:
   Verify the rule appears under Sentinel → Analytics with the correct name, severity, frequency, and tactics.
2. Import via UI: Open Sentinel → Analytics → Import → select any .json from this directory. Confirm the rule preview shows the correct KQL and metadata before saving.
3. JSON schema validation: Run python -m json.tool sentinel/analytics-rules/phishing_detection.json (or any file) to confirm valid JSON.
4. Spot-check entity mappings: For mfa_fatigue.json, verify entityMappings contains Account (UserPrincipalName) and IP (IPAddress). For ransomware_indicator.json, verify Host (DeviceName) and Process (ProcessId, CommandLine).
5. Confirm all 13 rules are present and no KQL file was missed:
Generated by Claude Code
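The template schema and the test steps above (JSON validity, entity-mapping spot checks, and the "no KQL file was missed" count) lend themselves to an offline pre-merge check. The script below is an added example, not code from this PR or its repository: it assumes the template layout the PR describes (one alertRules resource, kind Scheduled, API version 2022-11-01-preview, customDetails carrying PlaybookTrigger and RiskScore, Sentinel-style entityMappings with fieldMappings of identifier/columnName), and the sample template, the T1621 tactic/technique pair, the ResultType value and the file-name conventions in it are constructed for illustration. It also adds one check the PR's list does not state but Sentinel enforces on deployment: queryPeriod must not be shorter than queryFrequency.

```python
"""Offline structural checks for Sentinel scheduled analytics rule ARM templates.

Added example, not the PR's or the repository's own code. It assumes the
template layout described in the PR; the sample template and file names
below are constructed.
"""
import json
import re
from pathlib import Path

ALERT_RULE_TYPE = "Microsoft.OperationalInsights/workspaces/providers/alertRules"
API_VERSION = "2022-11-01-preview"
REQUIRED_PROPS = ("displayName", "description", "severity", "query",
                  "queryFrequency", "queryPeriod", "tactics", "techniques",
                  "entityMappings", "customDetails")
REQUIRED_CUSTOM_DETAILS = ("PlaybookTrigger", "RiskScore")
ALLOWED_SEVERITIES = {"Informational", "Low", "Medium", "High"}

# Constructed sample in the layout the PR describes; every value is made up.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {"workspace": {"type": "string"}},
    "resources": [{
        "type": ALERT_RULE_TYPE,
        "apiVersion": API_VERSION,
        "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/example-rule-id')]",
        "kind": "Scheduled",
        "properties": {
            "displayName": "Example MFA fatigue detection",
            "description": "Many failed MFA prompts for one user in a short window (constructed example).",
            "severity": "High",
            "enabled": True,
            "query": "SigninLogs | where ResultType == 500121 "
                     "| summarize Prompts=count() by UserPrincipalName, IPAddress | where Prompts > 10",
            "queryFrequency": "PT5M",
            "queryPeriod": "PT15M",
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "tactics": ["CredentialAccess"],
            "techniques": ["T1621"],
            "entityMappings": [
                {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]},
                {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
            ],
            "customDetails": {"PlaybookTrigger": "mfa_fatigue", "RiskScore": "80"},
        },
    }],
}


def iso_minutes(duration: str) -> int:
    """Parse the restricted ISO 8601 durations Sentinel schedules use (PT5M, PT1H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", duration)
    if not m or duration in ("P", "PT"):
        raise ValueError(f"unsupported duration: {duration}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes


def validate_template(template: dict) -> list[str]:
    """Return the problems found; an empty list means the template passed every check."""
    problems = []
    rules = [r for r in template.get("resources", []) if r.get("type") == ALERT_RULE_TYPE]
    if len(rules) != 1:
        return [f"expected exactly one {ALERT_RULE_TYPE} resource, found {len(rules)}"]
    rule = rules[0]
    if rule.get("kind") != "Scheduled":
        problems.append(f"kind is {rule.get('kind')!r}, expected 'Scheduled'")
    if rule.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion is {rule.get('apiVersion')!r}, expected {API_VERSION!r}")
    props = rule.get("properties", {})
    problems.extend(f"missing properties.{key}" for key in REQUIRED_PROPS if key not in props)
    if "severity" in props and props["severity"] not in ALLOWED_SEVERITIES:
        problems.append(f"severity {props['severity']!r} is not one of {sorted(ALLOWED_SEVERITIES)}")
    # Sentinel rejects a lookback (queryPeriod) shorter than the run interval (queryFrequency).
    if "queryPeriod" in props and "queryFrequency" in props:
        try:
            if iso_minutes(props["queryPeriod"]) < iso_minutes(props["queryFrequency"]):
                problems.append("queryPeriod is shorter than queryFrequency")
        except ValueError as exc:
            problems.append(f"bad schedule: {exc}")
    for mapping in props.get("entityMappings", []):
        if not mapping.get("fieldMappings"):
            problems.append(f"entityMappings entry {mapping.get('entityType')!r} has no fieldMappings")
    problems.extend(f"missing customDetails.{key}" for key in REQUIRED_CUSTOM_DETAILS
                    if key not in props.get("customDetails", {}))
    return problems


def mapped_columns(template: dict) -> dict[str, list[str]]:
    """entityType -> source column names, the view used in the spot-check step."""
    rule = next(r for r in template["resources"] if r.get("type") == ALERT_RULE_TYPE)
    return {m["entityType"]: [f["columnName"] for f in m["fieldMappings"]]
            for m in rule["properties"].get("entityMappings", [])}


def missing_templates(kql_dir: Path, template_dir: Path) -> list[str]:
    """KQL rule stems with no same-named .json template (the 'no KQL file was missed' check)."""
    kql = {p.stem for p in kql_dir.glob("*.kql")}
    templates = {p.stem for p in template_dir.glob("*.json")}
    return sorted(kql - templates)


def broken_sample() -> dict:
    """Copy of SAMPLE_TEMPLATE with two deliberate defects, to show what the checks report."""
    broken = json.loads(json.dumps(SAMPLE_TEMPLATE))
    props = broken["resources"][0]["properties"]
    props["queryPeriod"] = "PT1M"             # lookback shorter than the run interval
    del props["customDetails"]["RiskScore"]   # required custom detail removed
    return broken


if __name__ == "__main__":
    for path in sorted(Path("sentinel/analytics-rules").glob("*.json")):   # assumed layout
        print(path.name, validate_template(json.loads(path.read_text())) or "ok")
    print("missing:", missing_templates(Path("detection-rules/retail"), Path("sentinel/analytics-rules")))
```

Run from the repository root to check every template and list any KQL rule without a template; json.loads will raise on a file that is not valid JSON, which covers the json.tool step. The entity-mapping spot check in the PR maps onto mapped_columns: for the constructed sample it yields Account → UserPrincipalName and IP → IPAddress, which is the shape the PR asks a reviewer to confirm for mfa_fatigue.json.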