Forum Discussion
cyberHardik
May 31, 2021 | Copper Contributor
Sentinel data Connector Health Status -email notification
Hey guys, I have created a playbook for monitoring sentinel data connectors health and an email notification is setup if there is no logs received for any connector in last 48 hrs . It is fully ...
EricStarker
Jun 07, 2021 | Former Employee
cyberHardik Thanks for your question! This Tech Community Discussion space is intended for questions and discussions specifically around the Tech Community website itself. I've moved your question to the Azure Sentinel discussion space - please ask questions about Azure Sentinel there in the future.
CliveWatson
Microsoft
Jun 08, 2021
cyberHardik
To compare Syslog and CEF, you could join the past 2 days with the previous 14 days and compare them; this is an example:
union Syslog, CommonSecurityLog
| where TimeGenerated between (startofday(ago(14d)) .. endofday(ago(3d)))
| summarize dcount(DeviceVendor), make_set(DeviceVendor) by Type
| join (
union Syslog, CommonSecurityLog
| where TimeGenerated > ago(2d)
| project TimeGenerated, Type, DeviceVendor
| summarize Twodays=dcount(DeviceVendor), make_set(DeviceVendor) by Type
) on $left.Type == $right.Type
| project-rename TwoWeeks = dcount_DeviceVendor
| extend weHaveLess = iif(Twodays < TwoWeeks,'We have less Vendors than before','')
| project-away Type1
Maybe in your reporting (run a new query in the Playbook) show the Sources connected over 14 days and which are outside of the SLA. The Usage table (whilst having less data) is very fast as it's aggregated already. Again, an example you can build on: I switched to hours and only sources over 12hrs with no data; there is an SLA column to show those over 48hrs.
Usage
| where TimeGenerated > startofday(ago(14d))
| summarize last_log = datetime_diff("hour", now(), max(TimeGenerated)), last_event_received = max(TimeGenerated) by TableName = DataType, Solution
| extend slaUnder2Days = iff(last_log <=48,"OK","SLA not ok")
| where last_log > 12
| order by last_log desc
- cyberHardik | Jun 11, 2021 | Copper Contributor
I forgot to mention that the status of the datatype also needs to be fetched, whether they are connected or not. So I would fetch the status of the datatype in tabular form. Please guide me as I am new to information security and have less knowledge about KQL, although I am enriching my knowledge day by day.
- CliveWatson | Jun 11, 2021 | Microsoft
Not currently; for now, you could use an IIF to create your own status column, much like this example:
| extend status_ = iff(last_log <= 48, "Connected", "Not Connected, or no data sent in time period")
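As an added example (not from the thread), the Usage query above combined with the status column, plus the case the Usage query cannot show on its own: a data type that sent nothing in the whole 14-day window has no Usage rows at all, so it silently drops out of the report unless you start from a list of expected tables. The expected list and connector labels below are constructed placeholders; replace them with the DataType values your own connectors write.

```kql
// Added example, not from the thread. The expected list is constructed;
// put in the DataType values your own connectors actually write to.
let lookback = 14d;
let expected = datatable(DataType:string, Connector:string) [
    "SecurityEvent",     "Windows Security Events",
    "CommonSecurityLog", "CEF",
    "Syslog",            "Syslog",
    "SigninLogs",        "Azure AD sign-in logs"
];
// Latest hourly bucket seen per data type in Usage (aggregated, so fast)
let observed = Usage
| where TimeGenerated > startofday(ago(lookback))
| summarize last_event_received = max(TimeGenerated) by DataType, Solution
| extend last_log = datetime_diff("hour", now(), last_event_received);
expected
| join kind=leftouter observed on DataType
// Rows with no Usage match have a null last_event_received:
// that data type never reported inside the lookback window at all
| extend status_ = case(
    isnull(last_event_received), "Not Connected, no data in lookback window",
    last_log <= 48,              "Connected",
                                 "Not Connected, or no data sent in time period")
| extend slaUnder2Days = iff(status_ == "Connected", "OK", "SLA not ok")
| project Connector, DataType, Solution, last_event_received, last_log, slaUnder2Days, status_
// Never-reported tables sort to the top so they are not missed
| order by last_log desc nulls first
```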
- cyberHardik | Jun 11, 2021 | Copper Contributor
CliveWatson,
Thank you for the response, and please allow me some time so that I can test and see whether it meets our client's expectations or not. Moreover, I would like to know: is there any way to populate the connector name corresponding to the data type?
Waiting for your reply.
- CliveWatson | Jun 11, 2021 | Microsoft
Not currently, but this is being looked at. For now you have the Solution name.
- cyberHardik | Jun 11, 2021 | Copper Contributor
Thanks a lot for such a swift reply. I did try to fetch 2 days of logs and added the Solution name column, but it is not getting populated against all data types. Below is the snip for better understanding:
Is the Solution name currently available for some data types only, as I am inhabiting all data types?
Moreover, extending a new status column suffices for my requirement.
- Deleted | Jun 08, 2021
The MTC Community is great and helpful!
Thank you very much