Data Connector Health - Push Notification Alerts
Published Dec 17 2020 12:57 AM 9,223 Views
Microsoft

Postbanner.PNG

This enhanced solution builds on the existing “Connector Health Workbook” described in this video. The Logic App leverages underlying KQL queries to provide you with an option to configure “Push notifications” to e-mail and/or a Microsoft Teams channel based on user defined anomaly scores as well as time since the last “Heartbeat” from Virtual Machines connected to the workspace. Below is a detailed description of how the rule and the logic app are put together. The solution is available for deployment from the official Azure Sentinel GitHub repo on this link .

 

Overview of the steps the Logic App works through

 

Appoverview.png

The Logic App is activated by a Recurrence trigger whose frequency of execution can be adjusted to your requirements

 

1-Reccurence.png

Since the Logic App is being deployed from an ARM template you will need to make connections to Azure Monitor, Office 365 and Teams before the Logic App can work in your environment. You can expect to see windows like the one below. Click “Add new” to create a connection for each of the three resources.

 2-Connections.png

 

 

The KQL query below will be added to this step in the Logic App and will execute against your workspace. You can modify the threshold values to suit your needs

let UpperThreshold = 3.0; // Upper Anomaly threshold score

let LowerThreshold = -3.0; // Lower anomaly threshold score

let TableIgnoreList = dynamic(['SecurityAlert', 'BehaviorAnalytics', 'SecurityBaseline', 'ProtectionStatus']); // select tables you want to EXCLUDE from the results

union withsource=TableName1 *

| make-series count() on TimeGenerated from ago(14d) to now() step 1d by TableName1

| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01)

| where anomalies[-1] == 1 or anomalies[-1] == -1

| extend Score = score[-1]

| where Score >= UpperThreshold or Score <= LowerThreshold

| where TableName1 !in (TableIgnoreList)

| project TableName=TableName1, ExpectedCount=round(todouble(baseline[-1]),1), ActualCount=round(todouble(count_[-1]),1), AnomalyScore = round(todouble(score[-1]),1)

 3-IngestionAnomaly.png

 

Execute query against workspace to detect potential VM connectivity issues

 

4-HeartBeatQuery.png

To adjust the lookback period for the last heartbeat received from VMs in the workspace, change the “| where LastHeartbeat < ago(5h)” line in the query above

 

Send out the results of the query to the SOC team as a summarized HTML table

 

5-SOCemail.png

 

Note that while the two queries use two query outputs named “Body” they are different and care should be taken to select the correct output. Naming the Ingestion Anomaly and the Heart Beat query steps differently will help distinguish between the two “Body” variables.

 

Send the same message to a Microsoft Teams channel monitored by the SOC team

 

6-TeamsMEssage.png

Below is a sample output of the push notification message

 

7-SampleEmail.png

 

 This solution was built in close collaboration with @Javier Soriano , @Jeremy Tan and @BenjiSec 

9 Comments
Co-Authors
Version history
Last update:
‎Nov 01 2021 04:24 PM
Updated by: