Hello everyone,

I recently exported analytics rules from Microsoft Sentinel using the API. Now, I need to make some modifications to the exported file, specifically changing the id of the rules so that I can re-import them via the Microsoft Sentinel interface.

Has anyone done this before, and could you provide some guidance on how to properly modify the id of each object? 

Any help or advice would be greatly appreciated!

JSON

{
"value": [
{
"etag": "\"0e0282dc-0000-0100-0000-65c91adf0000\"",
"id": "/subscriptions/e00cfe23-17ab-4d6f-8e56-1507c9254481/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights/workspaces/ws-soc/providers/Microsoft.SecurityInsights/alertRules/a1c61693-0fa9-4aab-b8d8-5cc3a574c837",
"kind": "Scheduled",
"name": "a1c61693-0fa9-4aab-b8d8-5cc3a574c837",
"properties": {
"alertRuleTemplateName": "2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6",
"description": "This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious authentication events on an AD FS server. The results then get\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\nsensitive information such as AD FS certificates.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReferences: \nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\nhttps://twitter.com/OTR_Community/status/1387038995016732672\n",
"displayName": "AD FS Remote Auth Sync Connection",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [
],
"groupByCustomDetails": [
],
"groupByEntities": [
],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"lastModifiedUtc": "2024-02-11T19:07:10.9714025Z",
"query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\n//let adfsuser = 'adfsadmin';\n// Identify ADFS Servers\nlet ADFS_Servers = (\n SecurityEvent\n //| where TimeGenerated > ago(timeframe+lookback)\n | where EventSourceName == 'AD FS Auditing'\n | distinct Computer\n);\nSecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\n // for relying party '-' was successfully authenticated.\n | where EventID == 412\n | extend EventData = parse_xml(EventData).EventData.Data\n | extend InstanceId = tostring(EventData[0])\n| join kind=inner\n(\n SecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // Events to identify caller identity from event 412\n | where EventID == 501\n | extend EventData = parse_xml(EventData).EventData.Data\n | where tostring(EventData[1]) contains 'identity/claims/name'\n | extend InstanceId = tostring(EventData[0])\n | extend ClaimsName = tostring(EventData[2])\n // Filter on the use of a specific AD FS user account\n //| where ClaimsName contains adfsuser\n)\non $left.InstanceId == $right.InstanceId\n| join kind=inner\n(\n SecurityEvent\n | where EventID == 5156\n | where Computer in~ (ADFS_Servers)\n | extend EventData = parse_xml(EventData).EventData.Data\n | mv-expand bagexpansion=array EventData\n | evaluate bag_unpack(EventData)\n | extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n | extend DestPort = column_ifexists(\"DestPort\", \"\"),\n Direction = column_ifexists(\"Direction\", \"\"),\n Application = column_ifexists(\"Application\", \"\"),\n DestAddress = column_ifexists(\"DestAddress\", \"\"),\n SourceAddress = column_ifexists(\"SourceAddress\", \"\"),\n SourcePort = column_ifexists(\"SourcePort\", \"\")\n // Look for inbound connections from endpoints on port 80\n | where DestPort == 80 and Direction == '%%14592' and Application == 'System'\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1') \n)\non $left.Computer == $right.Computer\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection"
],
"techniques": [
"T1005"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.SecurityInsights/alertRules"
},
{
"etag": "\"0e02eadc-0000-0100-0000-65c91b020000\"",
"id": "/subscriptions/e00cfe23-17ab-4d6f-8e56-1507c9254481/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights/workspaces/ws-soc/providers/Microsoft.SecurityInsights/alertRules/34284b12-1db1-47c3-be76-2623e996cb8e",
"kind": "Scheduled",
"name": "34284b12-1db1-47c3-be76-2623e996cb8e",
"properties": {
"alertRuleTemplateName": "cf3ede88-a429-493b-9108-3e46d3c741f7",
"description": "Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\npossible mis-configuration of a service account within an environment.\nThe lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\nof 5 failures followed by a success for an account within 1 hour to surface an alert.",
"displayName": "SecurityEvent - Multiple authentication failures followed by a success",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IpAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [
],
"groupByCustomDetails": [
],
"groupByEntities": [
],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"lastModifiedUtc": "2024-02-11T19:07:46.303236Z",
"query": "let timeRange = 2h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID in (4624, 4625)\n| where IpAddress != \"-\" and isnotempty(Account)\n| extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes into 10 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort ready for sessionizing - by account and time of the authentication outcome\n| sort by Account asc, TimeGenerated asc\n| serialize\n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account\n// the session must not start with a success, and must end with one\n| where array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, list_Outcome\n// where the number of failures before the success is above the threshold\n| where FailureCountBeforeSuccess >= authenticationThreshold\n// expand out ip and computer for customer entity assignment\n| mv-expand set_IpAddress, set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| extend timestamp=StartTime, NTDomain = split(Account, '\\\\', 0)[0], Name = split(Account, '\\\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.SecurityInsights/alertRules"
}
]
}