Sentinel data Connector Health Status -email notification


Hey guys,

I have created a playbook for monitoring Sentinel data connector health, and an email notification is set up if no logs are received for any connector in the last 48 hrs. It is fully functional, and I am able to fetch the last event time and the data type associated with each connector. The snap below shows the data I am populating in the email in tabular format.

(screenshot: cyberHardik_0-1622493988587.png)

I am using a query-based playbook, and it is worth mentioning the query I am using to populate the data through the logic app.

// Scan every table for the last 2 days and report, per table/vendor/provider,
// how many seconds ago the newest record arrived
union withsource=TableName1 *
| where TimeGenerated > ago(2d)
| project TimeGenerated, TableName1, DeviceVendor, ProviderName
| summarize last_log = datetime_diff("second", now(), max(TimeGenerated)), last_event_received = max(TimeGenerated) by TableName1, DeviceVendor, ProviderName
| project ['Table Name'] = TableName1, ['Latest Record Created'] = last_log, ['Time'] = last_event_received, DeviceVendor, ProviderName

 

But when I try to populate the list of all the data types/datasets, it does not get populated, because it is time-frame dependent. So I am unable to know which data type is missing if no logs were generated in that particular time frame. Moreover, if someone doesn't know how many data types have been integrated, it is very difficult to know which data type is not receiving logs, as multiple device logs can be configured under the CommonSecurityLog or Syslog data types.

I am facing these two issues:

1. Please help me with how I can populate all the data types, irrespective of time frame, using KQL.

2. Also, I want to populate the data connector name associated with each data type, but I was not lucky enough to create a KQL query for that, as I don't know how the connector name is mapped to data types.

 

Any help or suggestion to fix the above issues will be appreciated.


@cyberHardik 

Hello!

I have a request: please explain why you put this query in this group!

Do you think this is a general discussion about all Microsoft products?

Please reply!

Hi Andrzejx,
I am a newbie on Tech Community, and I do understand it is not a general discussion. It should be on the Azure Sentinel discussion platform. I request you to please guide me on how I can delete this from here or move this post to the Azure Sentinel discussion panel.

@cyberHardik 

I think there is no need to remove this topic!

Just in the right group, you'll get an answer faster!

Only a moderator can move this post!

Do you think we should change the name here, e.g. "MTC Community Policy"?

Very often there are posts about Microsoft products here, and I'm curious what causes it.

https://techcommunity.microsoft.com/t5/azure-sentinel/introducing-azure-sentinel-solutions/ba-p/2347312

@cyberHardik Thanks for your question! This Tech Community Discussion space is intended for questions and discussions specifically around the Tech Community website itself. I've moved your question to the Azure Sentinel discussion space - please ask questions about Azure Sentinel there in the future. 

@cyberHardik

To compare Syslog and CEF, you could join the past 2 days with the previous 14 days and compare them. This is an example:

// Baseline: distinct vendors per table over days 14..3 ago
// (DeviceVendor is a CommonSecurityLog column; Syslog rows contribute no vendors)
union Syslog, CommonSecurityLog
| where TimeGenerated between (startofday(ago(14d)) .. endofday(ago(3d)))
| summarize dcount(DeviceVendor), make_set(DeviceVendor) by Type
| join (
    // Recent: distinct vendors per table over the last 2 days
    union Syslog, CommonSecurityLog
    | where TimeGenerated > ago(2d)
    | project TimeGenerated, Type, DeviceVendor
    | summarize Twodays = dcount(DeviceVendor), make_set(DeviceVendor) by Type
) on $left.Type == $right.Type
| project-rename TwoWeeks = dcount_DeviceVendor
// Flag tables whose recent vendor count dropped below the baseline
| extend weHaveLess = iif(Twodays < TwoWeeks, 'We have less Vendors than before', '')
| project-away Type1

Maybe in your reporting (run a new query in the playbook) show the sources connected over 14 days and which are outside of the SLA. The Usage table (whilst having less data) is very fast, as it is aggregated already. Again, an example you can build on: I switched to hours and only show sources with no data for over 12 hrs; there is an SLA column to show those over 48 hrs.

// Last ingestion per DataType over the past 14 days, from the pre-aggregated Usage table
Usage
| where TimeGenerated > startofday(ago(14d))
| summarize last_log = datetime_diff("hour", now(), max(TimeGenerated)), last_event_received = max(TimeGenerated) by TableName = DataType, Solution
// SLA column: anything silent for more than 48 hours is flagged
| extend slaUnder2Days = iff(last_log <= 48, "OK", "SLA not ok")
// only show sources with no data for over 12 hours
| where last_log > 12
| order by last_log desc

 

The MTC Community is great and helpful!
Thank you very much
@Clive Watson,
Thank you for the response, and please allow me some time so that I can test and see whether it meets our client's expectations or not. Moreover, I would like to know: is there any way to populate the connector name corresponding to the data type?

Waiting for your reply.
I forgot to mention that the status of each data type also needs to be fetched, i.e. whether it is connected or not. So I would fetch the status of the data type in tabular form. Please guide me, as I am new to information security and have little knowledge of KQL, although I am enriching my knowledge day by day.
Not currently, but this is being looked at. For now you have the Solution name.
Not currently; for now, you could use an IIF to create your own status column, much like this example:

// appended to the Usage query above; last_log is hours since the last event
| extend status_ = iff(last_log <= 48, "Connected", "Not Connected, or no data sent in time period")

@Clive Watson 

Thanks a lot for such a swift reply. I did try to fetch 2 days of logs and added the Solution name column, but it is not getting populated against all data types. Below is the snip for better understanding:

(screenshot: cyberHardik_0-1623408006087.png)

Is the Solution name currently available for some data types only, as I am ingesting all data types?

Moreover, extending a new status column suffices for my requirement.

The Usage table is designed for questions like this. I suspect you are using "union *", and it won't guarantee in the query that each type/row maps to a solution, hence the missing Solution field.

// which DataTypes belong to each Solution
Usage
| summarize make_set(DataType), dcount(DataType) by Solution
You got me @Clive Watson
Absolutely bang on, genius!
Yes, I am using union *. Thanks a lot for your help. All sorted now except one thing: as logs are pulled over a given time frame, if there are no logs in that time frame then the data type will not be present in the projected table and all the hard work will go in vain. What do you suggest in that case?
@Clive Watson
I am still waiting for your response.
You can join the returned result with the Usage table; the new last line would be something like the following. It would be helpful to share your query (DM me if necessary).

// appended to your query; Type is the table-name column of the raw tables
| join (Usage | distinct Solution, DataType) on $left.Type == $right.DataType
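An added example, not code from the thread, that puts the pieces of the replies above together into one reporting query for the playbook: the Usage table supplies the inventory of data types and their Solution, the raw tables supply vendor detail for the SLA window, and a left-outer join keeps data types that sent nothing in that window, which is the case the original post could not show. The names slaHours, slaWindow, inventory and recent are mine; Solution stands in for the connector name only because, as noted in the replies above, Usage does not expose one.

```kql
// Added example (not from the thread). Names slaHours, slaWindow, inventory and
// recent are my own; column names come from the Usage table and the raw tables.
let slaHours  = 48;
let slaWindow = 48h;
// 1. Inventory from Usage: every DataType that ingested anything in the last 14 days,
//    when it last did so, and the Solution(s) it belongs to. Usage exposes no connector
//    name, so Solution is the nearest available label.
let inventory = Usage
    | where TimeGenerated > startofday(ago(14d))
    | summarize LastIngested = max(TimeGenerated), Solutions = make_set(Solution) by DataType;
// 2. Vendor detail from the raw tables, bounded to the SLA window so "union *" stays
//    affordable. Tables with neither DeviceVendor nor ProviderName contribute nothing
//    to Vendors, which is fine for display.
let recent = union withsource=SourceTable *
    | where TimeGenerated > ago(slaWindow)
    | summarize LastEvent = max(TimeGenerated),
                Vendors = make_set(coalesce(DeviceVendor, ProviderName)) by SourceTable;
// 3. Left-outer join: a DataType with no rows in the SLA window still appears,
//    with LastEvent null, instead of silently disappearing from the report.
inventory
| join kind=leftouter recent on $left.DataType == $right.SourceTable
| extend HoursSilent = datetime_diff("hour", now(), LastIngested)
| extend Status = case(HoursSilent <= slaHours, "Connected",
                       strcat("Not Connected, or no data for ", tostring(HoursSilent), " h"))
| project ['Data Type'] = DataType,
          Solution = strcat_array(Solutions, ", "),
          ['Last Event'] = coalesce(LastEvent, LastIngested),
          Vendors,
          ['Hours Silent'] = HoursSilent,
          Status
| order by ['Hours Silent'] desc
```

Two caveats: Usage is aggregated hourly, so 'Hours Silent' is only accurate to the hour, and the union * leg scans every table for 48 hours, so in a large workspace replace * with the list of tables the connectors actually write to.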