In this section we will create a detection within Azure Monitor that aligns with MITRE ATT&CK technique T1562.008 (Impair Defenses: Disable or Modify Cloud Logs). The alert rule will fire when a Network Watcher resource is deleted within the tenant and send an email notification through an action group; we will then test it by deleting a Network Watcher.
1. In the Azure Monitor service, open Alerts and from the drop-down select 'Create Rule'.
2. Create the alert rule with the scope details provided. The scope must be the Log Analytics workspace that receives the subscription's Activity log (via a diagnostic setting); otherwise the AzureActivity table queried below will be empty and the rule can never fire.
3. Click 'Next' (or the 'Condition' tab) and select 'Custom Log Search' from the Signal Name list.
4. Copy and paste the query provided below and select 'Continue Editing Alert'.
AzureActivity
// Activity log entries for the Network Watcher delete operation. No status filter is applied,
// so Start, Success and Failure records all match and an attempted deletion still alerts.
| where OperationNameValue contains "MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE"
// Keep the fields an analyst needs for triage: who, from where, and which resource.
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, _ResourceId, ActivityStatusValue
5. Set the measurement and alert logic parameters for the rule. The threshold should be a row count greater than 0, so that a single matching deletion record fires the alert.
6. Create an Action Group (notification group) that the alert will notify.
7. Fill in the highlighted options (subscription, resource group, action group name and display name) and then select 'Notifications'.
8. Fill in the appropriate notification information and make sure to use your own email address.
9. Review and create the action group; it is then attached to the alert rule.
10. Once created, you should see something similar to this.
11. Select 'Details' and fill out the information as shown (severity, alert rule name and description).
12. To map the rule to the control it implements and keep a control inventory, add the tag shown below (for example, the ATT&CK technique ID T1562.008).
13. Verify the configuration of the rule and create it.
14. Trigger the rule by deleting the associated Network Watcher in the 'Sec-Lab' resource group.
15. Confirm the deletion in the side pane that appears.
16. An alert will fire within the Azure Monitor Alerts dashboard.
The rule can take up to 30-45 minutes to fully trigger, because Activity log ingestion into Log Analytics and the rule's evaluation frequency both add latency.
17. Click on the alert to review it.
18. An email will be sent to the designated address and will look like this.
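The alert rule, action group and control-inventory tag built through the portal above, as an added Bicep example so the detection can be version-controlled and redeployed. This is not code from the original walkthrough; the workspace name, recipient address, resource names and tag key are placeholders and assumptions.

```bicep
// Added example, not part of the original walkthrough: the Network Watcher
// deletion alert (MITRE ATT&CK T1562.008) as a Bicep template.
// Assumed placeholders: workspace name, recipient address, resource names, tag key.

@description('Log Analytics workspace that receives the AzureActivity table (assumed name)')
param workspaceName string = 'sec-lab-law'

@description('Recipient for alert e-mails (placeholder; use your own address)')
param alertEmail string = 'soc@example.com'

@description('Region of the workspace; a log alert rule must be deployed in the same region')
param location string = resourceGroup().location

// Control-inventory tags applied to both resources (key names are an assumption)
var controlTags = {
  'mitre-attack': 'T1562.008'
  'control': 'Detect deletion of Network Watcher'
}

// Existing workspace, referenced only for its resource ID (the alert scope)
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Action group with a single e-mail receiver
resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = {
  name: 'ag-networkwatcher-delete'
  location: 'Global'
  tags: controlTags
  properties: {
    groupShortName: 'NWDelete'        // max 12 characters; appears in the notification
    enabled: true
    emailReceivers: [
      {
        name: 'SecOps mailbox'
        emailAddress: alertEmail
        useCommonAlertSchema: true    // consistent JSON payload for any downstream automation
      }
    ]
  }
}

// Scheduled log search alert rule over AzureActivity
resource nwDeleteAlert 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: 'alert-networkwatcher-delete'
  location: location
  tags: controlTags
  properties: {
    displayName: 'Network Watcher deleted (T1562.008)'
    description: 'Fires when a Microsoft.Network/networkWatchers resource is deleted.'
    severity: 1                       // Sev 1 (Error): a logging capability was removed
    enabled: true
    scopes: [
      law.id
    ]
    evaluationFrequency: 'PT5M'       // run the query every 5 minutes
    windowSize: 'PT5M'                // over the last 5 minutes of data
    criteria: {
      allOf: [
        {
          query: '''
AzureActivity
| where OperationNameValue contains "MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE"
| project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, _ResourceId, ActivityStatusValue
'''
          timeAggregation: 'Count'    // measure: table rows
          operator: 'GreaterThan'
          threshold: 0                // a single matching record fires the alert
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: false               // a deletion is not a transient condition; keep it open until triaged
    actions: {
      actionGroups: [
        actionGroup.id
      ]
    }
  }
}
```

Deploy it into the same resource group as the workspace with `az deployment group create --resource-group <rg> --template-file alert.bicep --parameters alertEmail=you@example.com`, then run the deletion test above. `autoMitigate` is left off deliberately: a fired deletion alert would otherwise auto-resolve on the next empty evaluation window, which hides the event from anyone reviewing the Alerts dashboard later.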