Process: Adding and removing exceptions to the Microsoft Sentinel Analytic Rule - Missing Firewall logs from Sentinel ingestion
When a change impacts a Firewall, it’s essential to include that Firewall in the exception lists to prevent the creation of False Positive Incidents.
Cyber Security manages Microsoft Sentinel and performs the process explained below.
IMPORTANT: To keep optimal visibility of our Firewalls, only “add” a Firewall to the Exception List as close as possible to the start of the Change Window, and remove the Exception as quickly as possible after the Change Window has ended. While a Firewall is on the Exception List, a genuine loss of its logs will not raise an Incident.
Process:
1. Check the Change Window and set Calendar Dates Invites to the team for adding and removing exceptions for the Change.
Adding to Exemption List Process:
1. Go to Microsoft Sentinel -> Analytics -> Click on “Missing Firewall logs from Sentinel ingestion” and then Edit –
(Direct Link to Analytic Rule – Missing Firewall logs from Sentinel ingestion)
https://portal.azure.com/#view/Microsoft_Azure_Security_Insights/RuleEditor.ReactView/subscriptionId/c5b501f0-d7be-4167-a146-e724f5d2e662/resourceGroup/rg-sentinel-prd/workspaceName/la-sentinel-prd/trigger/edit/initiator/Analytics.ActiveRulesGrid/sourceId/aa3669bc-613f-4ad4-8a97-3758d97301aa/ruleKind/Scheduled
2. Click on “Set Rule Logic”

3. In the Rule Query, locate the affected Firewall (ex: “BEL-DC-01.mccc.mariecurie.local”)

4. Add // before the affected Firewall’s entry (ex: //”NET13918-READING-FW3”). This comments that Firewall out of the KQL query, so it is no longer checked for missing logs.
IF NET13918-ELLAND-FW2 WAS COMMENTED OUT, ENSURE YOU DELETE THE , (COMMA) AFTER "NET13918-READING-FW4" (NET13918-ELLAND-FW2 is the last entry in the list, so the entry before it must not end with a comma or the query will fail validation).

5. Click on “Review and Create” and wait for the validation to complete.

6. Ensure that the Validation has passed. If it has not, read the error: it shows the line number and the cause of the error so you can troubleshoot (a leftover comma after the last entry is the most common cause).
7. Click on “Save”
Removing from Exemption List Process:
This process is the same as adding, except that you remove the // instead of adding it.
1. Go to Microsoft Sentinel -> Analytics -> Click on “Missing Firewall logs from Sentinel ingestion” and then Edit –
(Direct Link to Analytic Rule – Missing Firewall logs from Sentinel ingestion)
https://portal.azure.com/#view/Microsoft_Azure_Security_Insights/RuleEditor.ReactView/subscriptionId/c5b501f0-d7be-4167-a146-e724f5d2e662/resourceGroup/rg-sentinel-prd/workspaceName/la-sentinel-prd/trigger/edit/initiator/Analytics.ActiveRulesGrid/sourceId/aa3669bc-613f-4ad4-8a97-3758d97301aa/ruleKind/Scheduled
2. Click on “Set Rule Logic”
3. In the Rule Query, locate the affected Firewall’s commented-out entry (ex: //”NET13918-READING-FW3”).
4. Remove the // before the affected Firewall’s entry (ex: “NET13918-READING-FW3”) so that it is checked again.
IF NET13918-ELLAND-FW2 WAS COMMENTED OUT, ENSURE YOU ADD THE , (COMMA) BACK AFTER "NET13918-READING-FW4" (once NET13918-ELLAND-FW2 is the last entry again, the entry before it must end with a comma).
5. Click on “Review and Create” and wait for the validation to complete.
6. Click on Save
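The following is an added illustration of what the exception edit in both procedures looks like inside the query, written by the editor of this page; it is not the production rule text. The shape of the rule (a dynamic list of expected Firewall names compared against what has reported into CommonSecurityLog in the last hour), the Computer column and the change reference CHG-XXXX are assumptions for the example only; the real rule may differ.

```kql
// Illustrative rule shape (assumed, not the production rule):
// every name in ExpectedFirewalls that has not sent a log line in the
// last hour is returned, and each returned row becomes an Incident.
let ExpectedFirewalls = dynamic([
    "NET13918-READING-FW3",
    "NET13918-READING-FW4",          // comma required: another entry follows
    "NET13918-ELLAND-FW2"            // last entry: no trailing comma
]);
let Reporting =
    CommonSecurityLog                 // assumed source table for Firewall syslog
    | where TimeGenerated > ago(1h)
    | summarize LastSeen = max(TimeGenerated) by Computer;
print Expected = ExpectedFirewalls
| mv-expand Computer = Expected to typeof(string)
| join kind=leftanti Reporting on Computer
| project Computer, Status = "No logs ingested in the last hour";

// The same list with NET13918-ELLAND-FW2 on the Exception List during a
// Change Window. Because it was the LAST entry, the comma after
// NET13918-READING-FW4 has also been removed; leaving it in place makes
// "Review and Create" fail validation. Removing the exception afterwards
// means deleting the // and putting the comma back.
let ExpectedFirewallsDuringChange = dynamic([
    "NET13918-READING-FW3",
    "NET13918-READING-FW4"           // now the last entry, so no comma
//  "NET13918-ELLAND-FW2"            // excepted for CHG-XXXX (placeholder change ref)
]);
```

Commenting out an entry in the middle of the list needs no comma change, because the entries around it still end correctly; only the final entry (or a run of entries at the end of the list) triggers the comma fix described in the steps above.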