Sentinel data Connector Health Status -email notification


Hey guys,

I have created a playbook for monitoring Sentinel data connectors' health, and an email notification is set up if no logs have been received for any connector in the last 48 hrs. It is fully functional and I am able to fetch the last event time and data type associated with the connectors. The snap below shows the data I am populating in the email in tabular format.

[screenshot: cyberHardik_0-1622547528930.png]

I am using a query-based playbook, and it is worth mentioning the query here which I am using to populate the data through the logic app.


union withsource=TableName1 *
| where TimeGenerated > ago(2d)
| project TimeGenerated, TableName1, DeviceVendor, ProviderName
| summarize last_log = datetime_diff("second", now(), max(TimeGenerated)), last_event_received = max(TimeGenerated) by TableName1, DeviceVendor, ProviderName
| project ['Table Name'] = TableName1, ['Latest Record Created'] = last_log, ['Time'] = last_event_received, DeviceVendor, ProviderName


But when I am trying to populate the list of all the datatypes/datasets, it is not getting populated, as it is time-frame dependent. So I am unable to know which datatype is missing if no logs were generated in that particular time frame. Moreover, if someone doesn't know how many datatypes have been integrated, then it's very difficult to know which data type is not receiving logs, as multiple device logs can be configured under the Common Security Log or Syslog datatypes.

I am facing these two issues:

1. Please help me with how I can populate all the datatypes irrespective of time frame using KQL.

2. Also, I want to populate the data connector name associated with each datatype, but I was not lucky enough to create a KQL query for that, as I don't know how connector names are mapped to data types.


Any help or suggestion to fix the above issues will be appreciated.
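The query above only returns tables that ingested something inside the 48-hour window, so a connector that has gone completely silent drops out of the result instead of being flagged. The following is an added example, not the poster's code or a Microsoft-supplied query: it keeps the poster's `union withsource` pattern but builds the table inventory from a longer baseline window and marks each table as fresh or stale relative to a 48-hour threshold. It assumes that a 30-day baseline is long enough to cover every table the connectors write to, and that `DeviceVendor` and `ProviderName` are absent (null) in tables that do not carry them, as in the original query.

```kql
// Added example (not from the original post): inventory every table seen in a
// 30-day baseline and flag the ones with no events in the last 48 hours, so a
// connector that stopped sending is reported as STALE rather than disappearing.
// Assumption: 30 days covers every table of interest; adjust to your retention.
let stale_after_hours = 48;
let baseline_window = 30d;
union withsource=TableName1 *
| where TimeGenerated > ago(baseline_window)
// One row per table (and per vendor/provider where those columns exist)
| summarize last_event_received = max(TimeGenerated) by TableName1, DeviceVendor, ProviderName
// Hours since the most recent event, measured against query time
| extend hours_silent = datetime_diff("hour", now(), last_event_received)
// Tables silent for longer than the threshold are the ones to alert on
| extend Status = iff(hours_silent > stale_after_hours, "STALE", "OK")
| project ['Table Name'] = TableName1,
          ['Hours Since Last Event'] = hours_silent,
          ['Time'] = last_event_received,
          DeviceVendor, ProviderName, Status
// Stale tables first, most silent at the top, so the email leads with the problems
| order by ['Hours Since Last Event'] desc
```

Because `union *` over 30 days scans every table in the workspace, it is considerably heavier than the 2-day version; scheduling it once a day rather than per run, or narrowing `union *` to the specific tables the connectors are known to write to, keeps the cost in check. A lighter table-level alternative (my suggestion, not something the post describes) is to derive the inventory from the workspace `Usage` table, which records ingestion per `DataType` without scanning the event tables themselves; it does not carry `DeviceVendor` or `ProviderName`, so it can only answer which tables went quiet, not which device behind a shared table did.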
