

Many customers require the ability to audit what happens in their SOC environment for both internal and external compliance requirements. It is important to understand the who/what/when of activities within your Microsoft Sentinel instance. In this blog, we will explore how you can audit your organization's SOC if you use Microsoft Sentinel and how to get the visibility you need into what activities are being performed within your Sentinel environment. The accompanying Workbook to this blog can be found here.

There are two tables we can use for auditing Sentinel activities: LAQueryLogs and AzureActivity. In the following sections, we will show you how to set up these tables and provide examples of the types of queries you could run with this audit data.

LAQueryLogs

The LAQueryLogs table contains the log query audit logs: telemetry about log queries run in Log Analytics, the underlying query engine of Sentinel. This includes information such as when a query was run, who ran it, what tool was used, the query text, and performance statistics describing the query's execution. Since this table isn't enabled by default in your Log Analytics workspace, you need to enable it in the workspace's Diagnostic settings. Click here for more information on how to do this if you're unfamiliar with the process. A full list of the audit data contained within these columns can be found here. Ternovsky has written a blog post on this process that you can find here.

Here are a few examples of the queries you could run on this table.

How many queries have run in the last week, on a per-day basis:

LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by bin(TimeGenerated, 1d)

The number of queries that returned anything other than an HTTP 200 OK response (i.e., the query failed, was rejected or was throttled) can be counted the same way by filtering on the ResponseCode column before the summarize.

Show the most CPU-intensive query per client application (grouped by AADClientId) and who ran it. Note that StatsCPUTimeMs is CPU time consumed, not wall-clock duration; ResponseDurationMs holds the latter:

LAQueryLogs
| summarize arg_max(StatsCPUTimeMs, *) by AADClientId
| extend User = AADEmail, QueryRunTime = StatsCPUTimeMs
| project User, QueryRunTime, QueryText

Summarize who ran the most queries in the past week. LAQueryLogs only records the caller's email (AADEmail), so the display name is looked up from the SigninLogs table on the user principal name, and the final arg_max collapses the one-row-per-sign-in output of that join back to one row per user:

LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by AADEmail
| extend UserPrincipalName = AADEmail, Queries = events_count
| join kind=leftouter (SigninLogs | project UserPrincipalName, UserDisplayName) on UserPrincipalName
| project UserDisplayName, UserPrincipalName, Queries
| summarize arg_max(Queries, *) by UserPrincipalName
| sort by Queries desc

Queries issued by service principals, Logic Apps or other automation have an empty AADEmail, so they collapse into a single blank row in the query above; use AADClientId to tell them apart.

AzureActivity

As in other parts of Azure, you can use the AzureActivity table in Log Analytics to query actions taken on your Sentinel workspace. To list all the Sentinel-related Azure Activity logs in the last 24 hours, simply use this query:

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where TimeGenerated > ago(24h)

This will list all Sentinel-specific activities within the time frame. However, this is far too broad to use in a meaningful way, so we can start to narrow it down some more.

The next step is to narrow this down to all the actions taken by a specific user in the last 24 hours. The Caller column holds the identity that made the call (the user principal name for a user account; remember, all users who have access to Microsoft Sentinel have an Azure AD account), so adding a filter on Caller to the query above gives you that user's activity. A final example is to show all the delete operations in your Sentinel workspace: the action is the last segment of OperationNameValue (for example, Microsoft.SecurityInsights/alertRules/delete), so filter on operations whose name ends in "delete".
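As an added example that is not part of the original post, the following query folds the per-day count, the failed-query count and the CPU statistics discussed above into one per-user summary over the last seven days, and additionally flags queries whose text references a list of sensitive tables. The column names are those of the LAQueryLogs table; the seven-day lookback, the sensitiveTables list and the "app:" label for callers without an email address are assumptions to adjust for your own workspace.

```kql
// Added example, not from the original post. Per-user audit summary of
// Log Analytics query activity over the last 7 days.
// Column names follow the LAQueryLogs schema; the lookback window and the
// sensitiveTables list are assumptions to tune for your own workspace.
let lookback = 7d;
let sensitiveTables = dynamic(["SecurityAlert", "SecurityIncident", "SigninLogs", "AuditLogs"]);
LAQueryLogs
| where TimeGenerated > ago(lookback)
// Queries issued by service principals or automation have no AADEmail;
// fall back to the caller's client (application) ID so they are not all
// merged into one blank row.
| extend User = iif(isempty(AADEmail), strcat("app:", AADClientId), AADEmail)
// A query is counted as touching a sensitive table if its text names one.
// has_any matches whole terms (case-insensitive) rather than substrings.
| extend TouchedSensitive = QueryText has_any (sensitiveTables)
// Anything other than HTTP 200 means the query was rejected, throttled,
// failed to parse, or errored during execution.
| extend Failed = ResponseCode != 200
| summarize
    Queries          = count(),
    FailedQueries    = countif(Failed),
    SensitiveQueries = countif(TouchedSensitive),
    TotalCpuMs       = sum(StatsCPUTimeMs),
    MaxDurationMs    = max(ResponseDurationMs),
    ClientApps       = make_set(RequestClientApp),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
    by User
| extend FailureRatePct = round(100.0 * FailedQueries / Queries, 1)
| order by SensitiveQueries desc, Queries desc
```

A high FailureRatePct for one user alongside many sensitive-table hits is a useful triage signal: repeated 4xx responses can mean someone probing tables their RBAC role does not grant, while a large TotalCpuMs from a single ClientApps entry usually points at an unscheduled workbook or a runaway scheduled rule rather than an analyst.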

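Added example for the AzureActivity section, not from the original post: it lists completed Sentinel control-plane operations in the last 24 hours, parses the resource type and action out of OperationNameValue so that delete operations sort to the top, and can be narrowed to one caller. The targetCaller parameter and the 24-hour window are assumptions; the column names are those of the AzureActivity table.

```kql
// Added example, not from the original post. Completed Sentinel control-plane
// operations in the last 24 hours, with the resource type and action parsed
// out of OperationNameValue. targetCaller is an assumed parameter: leave it
// empty for all callers, or set it to one UPN to narrow to a single user.
let lookback = 24h;
let targetCaller = "";   // e.g. "analyst@contoso.com"
AzureActivity
| where TimeGenerated > ago(lookback)
// Every Sentinel operation lives under the Microsoft.SecurityInsights provider.
| where OperationNameValue has "SecurityInsights"
// Each operation writes a "Start" record followed by a final record; keep only
// the final one so each success or failure appears exactly once.
| where ActivityStatusValue !~ "Start"
| where isempty(targetCaller) or Caller =~ targetCaller
// OperationNameValue is "<provider>/<resourceType>[/<subType>]/<action>",
// e.g. Microsoft.SecurityInsights/alertRules/delete.
| extend OpParts = split(OperationNameValue, "/")
| extend ResourceType = tostring(OpParts[1]),
         Action = tolower(tostring(OpParts[array_length(OpParts) - 1]))
| extend IsDelete = Action == "delete"
| project TimeGenerated, Caller, CallerIpAddress, ResourceType, Action,
          ActivityStatusValue, ResourceGroup, _ResourceId, IsDelete
// Deletes first, newest first within each group.
| order by IsDelete desc, TimeGenerated desc
```

Keeping the failed records (rather than filtering to successes only) matters for auditing: a denied delete of an analytics rule or automation rule tells you who tried to turn off detection, which is often more interesting than the changes that went through. Caller holds an application or object ID rather than a UPN when the change came from a service principal or playbook, so reconcile those against your automation inventory rather than treating them as unknown users.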