CyberArk Audit analytics rules #12958

Merged
v-atulyadav merged 10 commits into Azure:master from nitsan-tzur:cyberark-audit-analytics-rules
Oct 29, 2025

Conversation

@nitsan-tzur
Contributor

@nitsan-tzur nitsan-tzur commented Oct 14, 2025

Required items, please complete

Change(s):

  • Add Analytics Rules

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

@v-maheshbh
Contributor

Hi @nitsan-tzur, incorporate the analytical rule into the data file and package the solution.

Thanks!

@nitsan-tzur
Contributor Author

> Hi @nitsan-tzur, incorporate the analytical rule into the data file and package the solution.
>
> Thanks!

Done

@v-maheshbh
Contributor

Hi @nitsan-tzur, kindly check: the 'MainTemplate' analytical rule is not visible in the Content Hub custom deployment. Please repackage the solution and proceed with testing.

Thanks!

@nitsan-tzur
Contributor Author

> Hi @nitsan-tzur, kindly check: the 'MainTemplate' analytical rule is not visible in the Content Hub custom deployment. Please repackage the solution and proceed with testing.
>
> Thanks!

Hi @v-maheshbh,
Thanks for your input. Package recreated with createSolutionV3.ps1.

@v-maheshbh v-maheshbh requested a review from Copilot October 22, 2025 10:03
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds three analytics rules to the CyberArk Audit solution for Microsoft Sentinel, updating the solution version from 3.0.0/3.0.1 to 3.0.2. The new analytics rules detect brute-force attempts, sensitive permission changes, and high-risk actions outside business hours.

  • Add three analytic rule templates for security threat detection
  • Update solution version to 3.0.2 across configuration files
  • Update Python runtime version from 3.8 to 3.10 in deployment documentation

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.

Summary per file:

  • Solution_CyberArkAudit.json: Adds references to three new analytics rule YAML files and updates version to 3.0.2
  • ReleaseNotes.md: Documents version 3.0.2 release with analytics rules addition
  • mainTemplate.json: Adds analytics rule template definitions and updates version references from 3.0.1 to 3.0.2
  • createUiDefinition.json: Adds analytics section to UI with descriptions for the three new rules
  • CyberArkAuditSensitiveChanges.yaml: New analytics rule detecting sensitive permission and entitlement changes
  • CyberArkAuditMultiFailedAndSuccess.yaml: New analytics rule detecting multiple failed actions followed by success
  • CyberArkAuditHighRiskActions.yaml: New analytics rule detecting high-risk actions outside business hours

Comment on lines +50 to +67
"_analyticRulecontentId1": "",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.0",
"_analyticRulecontentId2": "",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.0",
"_analyticRulecontentId3": "",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"

Copilot AI Oct 22, 2025

Empty string values for _analyticRulecontentId2 and the empty parameters in resourceId() and uniquestring() calls will prevent proper resource identification. These should contain the actual analytics rule content IDs.

Suggested change
"_analyticRulecontentId1": "",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.0",
"_analyticRulecontentId2": "",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.0",
"_analyticRulecontentId3": "",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"
"_analyticRulecontentId1": "CyberArkAudit-AnalyticRule1",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('_analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', '1.0.0')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.0",
"_analyticRulecontentId2": "CyberArkAudit-AnalyticRule2",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('_analyticRulecontentId2'))]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', '1.0.0')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.0",
"_analyticRulecontentId3": "CyberArkAudit-AnalyticRule3",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('_analyticRulecontentId3'))]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', '1.0.0')))]"
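Review bot: the replacement lines for `analyticRuleId1` through `_analyticRulecontentProductId3` call `variables('_analyticRulecontentId1')` (and `2`, `3`), but those keys are nested properties of `analyticRuleObject1`, `analyticRuleObject2` and `analyticRuleObject3`, not top-level variables, so the lookup fails at deployment time with an unknown-variable error and the empty strings are never reached. Switching to `variables('analyticRuleObject1')._analyticRulecontentId1` from inside the definition of `analyticRuleObject1` does not work either, because an ARM variable may not reference itself (circular dependency). The working shape is to inline the content ID as a literal in every expression, e.g. `"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '<rule id>')]"` and `"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('<rule id>')))]"`. Since the thread records that mainTemplate.json was generated by createSolutionV3.ps1, the right fix is to give each rule YAML a proper `id` and repackage, rather than hand-editing these variables with placeholder strings such as `CyberArkAudit-AnalyticRule1`.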

Comment on lines +64 to +67
"_analyticRulecontentId3": "",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"

Copilot AI Oct 22, 2025

Empty string values for _analyticRulecontentId3 and the empty parameters in resourceId() and uniquestring() calls will prevent proper resource identification. These should contain the actual analytics rule content IDs.

Suggested change
"_analyticRulecontentId3": "",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','','-', '1.0.0')))]"
"_analyticRulecontentId3": "CyberArkAudit-AnalyticRule3",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRuleObject3')._analyticRulecontentId3)]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('analyticRuleObject3')._analyticRulecontentId3)))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('analyticRuleObject3')._analyticRulecontentId3,'-', '1.0.0')))]"
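Review bot: `variables('analyticRuleObject3')._analyticRulecontentId3` is evaluated inside the definition of `analyticRuleObject3` itself, which makes the variable self-referencing; ARM rejects that as a circular dependency, so this suggestion trades an empty-string problem for a template that will not validate. Inline the rule ID as a literal in all three expressions, as in `"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '<rule id>')]"`, and apply the same change to `analyticRuleObject1` and `analyticRuleObject2`, which carry the same empty strings in the earlier comment range; this suggestion only touches object 3. Given the thread's own note that the template is autogenerated, regenerating it from corrected YAML files is safer than patching the three objects by hand.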

@v-maheshbh
Contributor

Hi @nitsan-tzur, kindly check the analytical rules and resolve the above comments.

Thanks!

nitsan-tzur and others added 4 commits October 22, 2025 09:23
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@nitsan-tzur
Contributor Author

> Hi @nitsan-tzur, kindly check the analytical rules and resolve the above comments.
>
> Thanks!

Hi @v-maheshbh,
Copilot's suggestions on the time format look good to me. The ones on the template format are harder to evaluate, as the template itself was autogenerated by the PowerShell tool.

@v-maheshbh
Contributor

v-maheshbh commented Oct 23, 2025

Hi @nitsan-tzur, kindly update the analytical rule files, as we are getting a custom deployment error in the main template. Once fixed, repackage it.
Also, note that changes were made directly in the main template, which is not the correct approach.
Please refer to the existing analytical rules in the Azure-Sentinel repo.

Thanks!

@nitsan-tzur
Contributor Author

> Hi @nitsan-tzur, kindly update the analytical rule files, as we are getting a custom deployment error in the main template. Once fixed, repackage it. Also, note that changes were made directly in the main template, which is not the correct approach. Please refer to the existing analytical rules in the Azure-Sentinel repo.
>
> Thanks!

Hi @v-maheshbh,

Is it possible to recreate Copilot's suggestions on your end? They appear on the PR as outdated and can't be committed.
Thanks

@v-maheshbh v-maheshbh requested a review from Copilot October 27, 2025 08:30
Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

@Azure Azure deleted a comment from Copilot AI Oct 27, 2025
@v-maheshbh
Contributor

Hi @nitsan-tzur Kindly refer to this document for analytical rules: https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide
Please update the queryFrequency, queryPeriod, triggerOperator, and triggerThreshold values accordingly, package it and do the testing.

Thanks!
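The four scheduling fields the reviewer asks for above live in the rule YAML, which the packager (createSolutionV3.ps1, as the thread notes) turns into mainTemplate.json. Below is an added example, not one of the PR's own rule files, showing a complete Scheduled analytics rule in the Azure-Sentinel YAML layout for the "multiple failed actions followed by success" detection that the Copilot overview describes. The table name `CyberArkAudit_CL`, the columns `user_s`, `sourceIp_s`, `action_s` and `result_s`, the `connectorId`, and the `id` GUID are assumptions made for illustration and must be replaced with the real connector schema and a freshly generated GUID before use.

```yaml
# Added example of a Scheduled analytics rule template (Azure-Sentinel YAML layout).
# Table name, column names, connectorId and the id GUID are ASSUMED for illustration.
id: 00000000-0000-4000-8000-000000000001   # placeholder; generate a unique GUID per rule
name: CyberArk Audit - Multiple failed actions followed by success
description: |
  'Identifies a user and source address with at least five failed actions in the
  query period followed, within ten minutes of the last failure, by a successful
  action from the same pair. This pattern is consistent with credential guessing
  that eventually succeeds and warrants review of the account and source.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: CyberArkAudit            # assumed connector id
    dataTypes:
      - CyberArkAudit_CL                  # assumed table name
# Scheduling: queryPeriod must be at least queryFrequency, otherwise consecutive
# runs leave gaps in the data they inspect.
queryFrequency: 1h
queryPeriod: 1h
# The aggregation happens inside the query, so any returned row is an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  let failThreshold = 5;     // failures needed before a following success is suspicious
  let window = 10m;          // maximum gap between the last failure and the success
  // Sentinel scopes the table to queryPeriod automatically; no ago() filter is needed.
  let Failures = CyberArkAudit_CL
    | where result_s == "Failure"
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by user_s, sourceIp_s
    | where FailureCount >= failThreshold;
  CyberArkAudit_CL
    | where result_s == "Success"
    | join kind=inner Failures on user_s, sourceIp_s
    // keep only successes that happen shortly after the failure burst
    | where TimeGenerated > LastFailure and TimeGenerated - LastFailure <= window
    | project SuccessTime = TimeGenerated, user_s, sourceIp_s, action_s,
              FailureCount, FirstFailure, LastFailure
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: user_s
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: sourceIp_s
version: 1.0.0
kind: Scheduled
```

With `queryFrequency` equal to `queryPeriod`, each hourly run inspects exactly the hour since the previous run. If the in-query logic ever needs history older than the last run (for example to compare against a baseline), widen `queryPeriod` rather than lowering `triggerThreshold`; the threshold stays at `0` because the count-based condition is already expressed in the query.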

@nitsan-tzur
Contributor Author

> update the queryFrequency, queryPeriod, triggerOperator, and triggerThreshold values

Done

@v-maheshbh
Contributor

v-maheshbh commented Oct 28, 2025

Hi @nitsan-tzur, kindly attach a table logs testing screenshot.

Thanks!

@nitsan-tzur
Contributor Author

@v-maheshbh adding screenshots of the analytics rule run to demonstrate error-free execution.
[Screenshot: 2025-10-28 12:33:06 PM]
[Screenshot: 2025-10-28 12:02:53 PM]
[Screenshot: 2025-10-28 12:00:59 PM]

@v-atulyadav v-atulyadav merged commit bad1064 into Azure:master Oct 29, 2025
32 checks passed