Min Diagnostic Event Categories for Azure Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-2315337%22%20slang%3D%22en-US%22%3EMin%20Diagnostic%20Event%20Categories%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2315337%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3CBR%20%2F%3E%3CBR%20%2F%3EI've%20been%20trying%20to%20find%20some%20definitive%20recommendations%20on%20what%20event%20categories%20we%20should%20send%20in%20a%20diagnostic%20setting%20to%20the%20analytics%20workspace%20that%20the%20sentinel%20will%20ingest.%26nbsp%3B%20I'm%20looking%20for%20only%20the%20categories%20that%20would%20have%20useful%20security%20information.%26nbsp%3B%20Does%20anyone%20have%20some%20suggestions%3F%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22thidalgo_0-1619976895509.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F277379iB4EF199370EF9218%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22thidalgo_0-1619976895509.png%22%20alt%3D%22thidalgo_0-1619976895509.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2316323%22%20slang%3D%22en-US%22%3ERe%3A%20Min%20Diagnostic%20Event%20Categories%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2316323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1043113%22%20target%3D%22_blank%22%3E%40thidalgo%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20Say%20Security%20.%20You%20can%20find%20the%20description%20for%20each%20category%20below%26nbsp%3B%3C%2FP%3E%3CP%3ERef%20%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%3CBR%20%2F%3E%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CTABLE%20width%3D%22677%22%3E%3CTBODY%3E%3CTR%3E%3CTD%3E%3CP%3E%3CSTRONG%3ECategory%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3E%3CSTRONG%3EDescription%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23administrative-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAdministrative%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20the%20record%20of%20all%20create%2C%20update%2C%20delete%2C%20and%20action%20operations%20performed%20through%20Resource%20Manager.%20Examples%20of%20Administrative%20events%20include%26nbsp%3B%3CEM%3Ecreate%20virtual%20machine%3C%2FEM%3E%26nbsp%3Band%26nbsp%3B%3CEM%3Edelete%20network%20security%20group%3C%2FEM%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EEvery%20action%20taken%20by%20a%20user%20or%20application%20using%20Resource%20Manager%20is%20modeled%20as%20an%20operation%20on%20a%20particular%20resource%20type.%20If%20the%20operation%20type%20is%26nbsp%3B%3CEM%3EWrite%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EDelete%3C%2FEM%3E%2C%20or%26nbsp%3B%3CEM%3EAction%3C%2FEM%3E%2C%20the%20records%20of%20both%20the%20start%20and%20success%20or%20fail%20of%20that%20operation%20are%20recorded%20in%20the%20Administrative%20category.%20Administrative%20events%20also%20include%20any%20changes%20to%20Azure%20role-based%20access%20control%20in%20a%20subscription.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23service-health-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EService%20Health%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20the%20record%20of%20any%20service%20health%20incidents%20that%20have%20occurred%20in%20Azure.%20An%20example%20of%20a%20Service%20Health%20event%26nbsp%3B%3CEM%3ESQL%20Azure%20in%20East%20US%20is%20experiencing%20downtime%3C%2FEM%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EService%20Health%20events%20come%20in%20Six%20varieties%3A%26nbsp%3B%3CEM%3EAction%20Required%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EAssisted%20Recovery%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EIncident%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EMaintenance%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EInformation%3C%2FEM%3E%2C%20or%26nbsp%3B%3CEM%3ESecurity%3C%2FEM%3E.%20These%20events%20are%20only%20created%20if%20you%20have%20a%20resource%20in%20the%20subscription%20that%20would%20be%20impacted%20by%20the%20event.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23resource-health-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EResource%20Health%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20the%20record%20of%20any%20resource%20health%20events%20that%20have%20occurred%20to%20your%20Azure%20resources.%20An%20example%20of%20a%20Resource%20Health%20event%20is%26nbsp%3B%3CEM%3EVirtual%20Machine%20health%20status%20changed%20to%20unavailable%3C%2FEM%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EResource%20Health%20events%20can%20represent%20one%20of%20four%20health%20statuses%3A%26nbsp%3B%3CEM%3EAvailable%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EUnavailable%3C%2FEM%3E%2C%26nbsp%3B%3CEM%3EDegraded%3C%2FEM%3E%2C%20and%26nbsp%3B%3CEM%3EUnknown%3C%2FEM%3E.%20Additionally%2C%20Resource%20Health%20events%20can%20be%20categorized%20as%20being%26nbsp%3B%3CEM%3EPlatform%20Initiated%3C%2FEM%3E%26nbsp%3Bor%26nbsp%3B%3CEM%3EUser%20Initiated%3C%2FEM%3E.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23alert-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAlert%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20the%20record%20of%20activations%20for%20Azure%20alerts.%20An%20example%20of%20an%20Alert%20event%20is%26nbsp%3B%3CEM%3ECPU%20%25%20on%20myVM%20has%20been%20over%2080%20for%20the%20past%205%20minutes%3C%2FEM%3E.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23autoscale-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAutoscale%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20the%20record%20of%20any%20events%20related%20to%20the%20operation%20of%20the%20autoscale%20engine%20based%20on%20any%20autoscale%20settings%20you%20have%20defined%20in%20your%20subscription.%20An%20example%20of%20an%20Autoscale%20event%20is%26nbsp%3B%3CEM%3EAutoscale%20scale%20up%20action%20failed%3C%2FEM%3E.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23recommendation-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERecommendation%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20recommendation%20events%20from%20Azure%20Advisor.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23security-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESecurity%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20the%20record%20of%20any%20alerts%20generated%20by%20Azure%20Security%20Center.%20An%20example%20of%20a%20Security%20event%20is%26nbsp%3B%3CEM%3ESuspicious%20double%20extension%20file%20executed%3C%2FEM%3E.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fessentials%2Factivity-log-schema%23policy-category%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EPolicy%3C%2FA%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%3E%3CP%3EContains%20records%20of%20all%20effect%20action%20operations%20performed%20by%20Azure%20Policy.%20Examples%20of%20Policy%20events%20include%26nbsp%3B%3CEM%3EAudit%3C%2FEM%3E%26nbsp%3Band%26nbsp%3B%3CEM%3EDeny%3C%2FEM%3E.%20Every%20action%20taken%20by%20Policy%20is%20modeled%20as%20an%20operation%20on%20a%20resource.%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2338196%22%20slang%3D%22en-US%22%3ERe%3A%20Min%20Diagnostic%20Event%20Categories%20for%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2338196%22%20slang%3D%22en-US%22%3EThanks%20for%20that.%20And%20that%20table%20is%20what%20had%20me%20thinking%2C%20administrative%20events%20like%20create%2C%20update%2C%20delete%20operations...wouldn't%20that%20be%20interesting%20information%20to%20correlate%20with%20security%20events%20if%20sentinel%20allows%20this%20kind%20of%20correlation.%3C%2FLINGO-BODY%3E
New Contributor

Hello

I've been trying to find some definitive recommendations on what event categories we should send in a diagnostic setting to the analytics workspace that the sentinel will ingest.  I'm looking for only the categories that would have useful security information.  Does anyone have some suggestions?  

thidalgo_0-1619976895509.png

 

3 Replies

@thidalgo 

I would Say Security . You can find the description for each category below 

Ref : https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema

 

Category

Description

Administrative

Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is WriteDelete, or Action, the records of both the start and success or fail of that operation are recorded in the Administrative category. Administrative events also include any changes to Azure role-based access control in a subscription.

Service Health

Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event SQL Azure in East US is experiencing downtime.

Service Health events come in Six varieties: Action RequiredAssisted RecoveryIncidentMaintenanceInformation, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.

Resource Health

Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is Virtual Machine health status changed to unavailable.

Resource Health events can represent one of four health statuses: AvailableUnavailableDegraded, and Unknown. Additionally, Resource Health events can be categorized as being Platform Initiated or User Initiated.

Alert

Contains the record of activations for Azure alerts. An example of an Alert event is CPU % on myVM has been over 80 for the past 5 minutes.

Autoscale

Contains the record of any events related to the operation of the autoscale engine based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is Autoscale scale up action failed.

Recommendation

Contains recommendation events from Azure Advisor.

Security

Contains the record of any alerts generated by Azure Security Center. An example of a Security event is Suspicious double extension file executed.

Policy

Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.

Thanks for that. And that table is what had me thinking, administrative events like create, update, delete operations...wouldn't that be interesting information to correlate with security events if sentinel allows this kind of correlation.
Hi
In any case if you are using adavanced threat protection + analytics abnormal operations ( delete many files in a short time ) will be detected as security issues . If you build a good RBAC strategy leveraging least privilege and custom roles if needed you may have less false positives when adding administrative operations so yes that make sense.