Microsoft

Many customers need to audit what happens in their SOC environment for both internal and external compliance requirements. It is important to understand the who, what and when of activities within your Azure Sentinel instance. In this blog, we will explore how you can audit your organization’s SOC if you use Azure Sentinel and how to get the visibility you need into which activities are being performed within your Sentinel environment. The accompanying Workbook for this blog can be found at https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkspaceAuditing.json.

There are two tables we can use for auditing Sentinel activities:

  • LAQueryLogs
  • Azure Activity

In the following sections, we will show you how to set up these tables and provide examples of the types of queries you could run with this audit data.

[Image: Auditworkbook.gif]

LAQueryLogs table

The LAQueryLogs table holds the log query audit logs: telemetry about log queries run in Log Analytics, the query engine underlying Sentinel. This includes when a query was run, who ran it, what tool was used, the query text, and performance statistics describing the query's execution.

This table isn’t enabled by default in your Log Analytics workspace, so you need to enable it in the workspace's Diagnostics settings. See https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit for more information on how to do this if you’re unfamiliar with the process. @Evgeny Ternovsky has written a blog post on this process: https://techcommunity.microsoft.com/t5/azure-monitor/monitoring-queries-being-executed-in-your-azure-log-analytics/ba-p/1666621.

A full list of the audit data held in this table's columns can be found at https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit#audit-data. Here are a few examples of the queries you could run on this table:

How many queries have run in the last week, on a per-day basis:

LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by bin(TimeGenerated, 1d)

The number of queries that returned a response code other than HTTP 200 OK (i.e., the query failed):

LAQueryLogs
| where ResponseCode != 200
| count

Show which users ran the most CPU-intensive queries, ranked by the CPU time each query used:

LAQueryLogs
| summarize arg_max(StatsCPUTimeMs, *) by AADEmail   // one row per user: their single most CPU-expensive query
| extend User = AADEmail, QueryRunTime = StatsCPUTimeMs
| project User, QueryRunTime, QueryText
| order by QueryRunTime desc

Summarize who ran the most queries in the past week:

LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by AADEmail
| extend UserPrincipalName = AADEmail, Queries = events_count
| join kind=leftouter (
    SigninLogs)
    on UserPrincipalName
| project UserDisplayName, UserPrincipalName, Queries
| summarize arg_max(Queries, *) by UserPrincipalName   // collapse the one-row-per-sign-in fan-out from the join
| sort by Queries desc
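
As an added example that is not part of the original post, the following query takes the failed-query count from the earlier example further: it breaks failures down by the user, the client tool (RequestClientApp, one of the columns listed in the audit-data documentation) and the response code, and puts each user's failures in proportion to everything they ran in the same window. The 7-day window and the take_any() sample are choices made here, not the post's.

```kql
// Added example, not from the original post: failed queries per user, tool and
// response code over the last 7 days, with each user's failure ratio.
let window = 7d;
// Total queries per user in the window, used as the denominator below.
let totals = LAQueryLogs
    | where TimeGenerated > ago(window)
    | summarize Total = count() by AADEmail;
LAQueryLogs
| where TimeGenerated > ago(window)
| where ResponseCode != 200
| summarize Failed = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleQuery = take_any(QueryText)
    by AADEmail, RequestClientApp, ResponseCode
| join kind=inner (totals) on AADEmail
| extend FailureRatio = round(todouble(Failed) / Total, 3)
| project AADEmail, RequestClientApp, ResponseCode, Failed, Total, FailureRatio,
          FirstSeen, LastSeen, SampleQuery
| order by Failed desc, FailureRatio desc
```

A user whose failures are mostly 403s from a scripted client (a high FailureRatio with a non-portal RequestClientApp) is a different conversation from an analyst with a handful of syntax errors, which is why the tool and the ratio are worth carrying alongside the raw count.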

[Image: auditqueryexample.gif]

AzureActivity table

As in other parts of Azure, you can use the AzureActivity table in Log Analytics to query actions taken on your Sentinel workspace. To list all the Sentinel-related Azure Activity logs from the last 24 hours, simply use this query:

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where TimeGenerated > ago(1d)

This will list all Sentinel-specific activities within the time frame. However, this is far too broad to use in a meaningful way, so we can start to narrow it down. The next query narrows the results to all the actions taken by a specific Azure AD user in the last 24 hours (remember, all users who have access to Azure Sentinel will have an Azure AD account):

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where Caller == "[AzureAD username]"
| where TimeGenerated > ago(1d)

Final example query: this query shows all the successful delete operations in your Sentinel workspace:

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where OperationName contains "Delete"
| where ActivityStatusValue contains "Succeeded"
| project TimeGenerated, Caller, OperationName

You can combine these filters and add more conditions when searching the AzureActivity table, depending on what your organization needs to report on. Below is a selection of some of the actions you can search for in this table:

  • Update Incidents/Alert Rules/Incident Comments/Cases/Data Connectors/Threat Intelligence/Bookmarks
  • Create Case Comments/Incident Comments/Watchlists/Alert Rules
  • Delete Bookmarks/Alert Rules/Threat Intelligence/Data Connectors/Incidents/Settings/Watchlists
  • Check user authorization and license

[Image: auditqueryexample2.gif]

Alerting on Sentinel activities

You may want to take this one step further and use Sentinel audit logs for proactive alerts in your environment. For example, if you have sensitive tables in your workspace that should not typically be queried, you could set up a detection that alerts you when they are:

LAQueryLogs
| where QueryText contains "[Name of sensitive table]"
| where TimeGenerated > ago(1d)
| extend User = AADEmail, Query = QueryText
| project User, Query
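
One caveat a detection built on the query above runs into: contains is a case-insensitive substring match, so a sensitive table named SigninLogs would also fire on every query of AADNonInteractiveUserSignInLogs, while has matches whole terms and does not. The following is an added example, not code from the original post, of a version that uses has, handles a list of tables at once, records which table was hit and which tool was used, and reports one row per caller and table so the alert is easier to triage. The table names and the excluded account are placeholders, and the fallback from AADEmail to AADObjectId for rows that carry no email is a choice made here.

```kql
// Added example, not from the original post. The table names and the excluded
// account below are placeholders; replace them with your own.
let SensitiveTables = dynamic(["SigninLogs", "AuditLogs"]);
let ExcludedCallers = dynamic(["svc-sentinel-automation@contoso.com"]);
LAQueryLogs
| where TimeGenerated > ago(1d)
| where ResponseCode == 200                             // only queries that actually returned data
| extend Principal = coalesce(AADEmail, AADObjectId)    // fall back to the object id when no email is logged
| where Principal !in (ExcludedCallers)
| extend Tables = SensitiveTables
| mv-expand Table = Tables to typeof(string)            // one row per (query, sensitive table) pair
| where QueryText has Table                             // whole-term match, unlike 'contains'
| summarize Queries = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Tools = make_set(RequestClientApp),
            SampleQuery = take_any(QueryText)
    by Principal, Table
| order by Queries desc
```

Saved as a scheduled analytics rule, the ago(1d) window should match the rule's lookback so the same query is not alerted on twice; the Tools column tells you at a glance whether the access came through the portal or from a scripted client, which usually decides how urgently to follow up.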

Sentinel audit activities Workbook

We have created a Workbook to assist you in monitoring activities in Sentinel. Please check it out at https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkspaceAuditing.json, and if you have any improvements or have made your own version you'd like to share, please submit a PR to our GitHub repo!

With thanks to @Jeremy Tan, @Javier Soriano, @Matt_Lowe, and @Nicholas DiCola (SECURITY JEDI) for their feedback and inputs to this article.

5 Comments

Thank you @Sarah_Young for Sharing with the Community :cool:

Occasional Contributor

Good afternoon people! I need to do an audit process to identify which rules were created, changed or deleted, however, through the logs in the [AzureActivity] table, I can see only the rule id, which is not readable and identifiable.

Is there a way to find the name of the rule that has been modified?

Microsoft

@Luizao_f The rule ID can be found on the first page in the Analytics Rule Wizard; you can correlate them that way. I know it's not the easiest, but it can be done!

Occasional Contributor

@Sarah_Young but how do I "access" this id at the KQL level? Because I want to correlate to display the name via KQL, in case I want to create some trigger resource in cases of these types of actions.

Microsoft

@Luizao_f there isn't a way to correlate in native tables but you could create a lookup in watchlist that matched rule ID to rule name.
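
Tying the AzureActivity examples in the post to the question in this thread: the following is an added example, not code from the original post or from any of the commenters, that lists the create/update and delete operations on analytics rules, pulls the rule GUID out of _ResourceId, and resolves it to a name through a watchlist as the last reply suggests. The watchlist name SentinelRuleNames and its columns RuleId (the GUID, set as the SearchKey) and RuleName are assumptions; so is the in~ ("Succeeded", "Success") test, which covers both spellings of the status value seen across AzureActivity schema versions.

```kql
// Added example, not from the original post. Assumes a watchlist named
// 'SentinelRuleNames' with columns RuleId (the rule GUID, set as SearchKey) and RuleName.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationNameValue contains "SecurityInsights/alertRules"   // analytics-rule operations only
| where ActivityStatusValue in~ ("Succeeded", "Success")            // both spellings occur across schema versions
| extend Action = case(OperationNameValue endswith "/write",  "Create or update",   // one write operation covers both
                       OperationNameValue endswith "/delete", "Delete",
                       OperationNameValue)
// The rule GUID is the last path segment of the resource id.
| extend RuleId = tolower(extract(@"/alertrules/([^/]+)$", 1, tolower(_ResourceId)))
| where isnotempty(RuleId)
| join kind=leftouter (
    _GetWatchlist('SentinelRuleNames')
    | project RuleId = tolower(SearchKey), RuleName
  ) on RuleId
| project TimeGenerated, Caller, CallerIpAddress, Action, RuleId,
          RuleName = coalesce(RuleName, "<not in watchlist>")
| order by TimeGenerated desc
```

The activity log records a create and an update as the same write operation, so the watchlist is also what lets you tell a brand-new rule from a changed one: a write whose RuleId is not yet in the watchlist is most likely a creation, and keeping the watchlist current becomes part of the rule change process itself.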