Forum Discussion

cyberHardik's avatar
cyberHardik
Copper Contributor
May 31, 2021

Sentinel data Connector Health Status -email notification

Hey guys, I have created  a playbook  for monitoring sentinel data connectors health and an email notification is setup if  there is no logs received  for any connector in last 48 hrs . It is fully ...
  • CliveWatson's avatar
    CliveWatson
    Icon for Microsoft rankMicrosoft
    Jun 08, 2021

    cyberHardik

    To compare Syslog and CEF, you could join the past 2days with the previous 14days and compare them, this is an example

    union Syslog, CommonSecurityLog
| where TimeGenerated between (startofday(ago(14d)) .. endofday(ago(3d)))
| summarize dcount(DeviceVendor), make_set(DeviceVendor) by Type
| join (
    union Syslog, CommonSecurityLog
    | where TimeGenerated > ago(2d)
    | project TimeGenerated, Type, DeviceVendor
    | summarize Twodays=dcount(DeviceVendor), make_set(DeviceVendor) by Type
) on $left.Type == $right.Type
| project-rename TwoWeeks = dcount_DeviceVendor
| extend weHaveLess = iif(Twodays < TwoWeeks,'We have less Vendors than before','') 
| project-away Type1

    Maybe in your reporting (run a new query in the Playbook) to show, the Sources connected over 14days and which are outside of the SLA.  The Usage table (whilst having less data) is very fast as its aggregated already.  Again and example you can build on, I switched to hours and only sources over 12hrs with no data, there is an SLA column to show those over 48hrs  

        Usage
    | where TimeGenerated > startofday(ago(14d))
    | summarize last_log = datetime_diff("hour", now(), max(TimeGenerated)),last_event_received = max(TimeGenerated) by TableName=DataType , Solution
    | extend slaUnder2Days = iff(last_log <=48,"OK","SLA not ok")
    | where last_log > 12
    | order by last_log desc


     

    • Deleted's avatar
      Deleted
      Jun 08, 2021
      The MTC Community is great and helpful!
      Thank you very much
    • cyberHardik's avatar
      cyberHardik
      Copper Contributor
      Jun 11, 2021
      CliveWatson,
      Thank you for response and please allow me some time so that I can test and see whether its meet our client expectation or not. Moreover , i would like to know is there any way to populate connector name corresponding to data type?

      waiting for your reply.
      • CliveWatson's avatar
        CliveWatson
        Icon for Microsoft rankMicrosoft
        Jun 11, 2021
        Not currently but this is being looked at. For now you have the Solution name.
    • cyberHardik's avatar
      cyberHardik
      Copper Contributor
      Jun 11, 2021
      I forget to mention that status of datatype also need to be fetched. whether they are connected or not . So I would fetch status of the datatype in tabular form. Please guide me as I am new to information security and less knowledge about KQL although I am enriching my knowledge day by day.
      • CliveWatson's avatar
        CliveWatson
        Icon for Microsoft rankMicrosoft
        Jun 11, 2021
        Not currently, for now, you could use a IIF to create you own status column, much like this example

        | extend status_= iff(last_log <=48,"Connected","Not Connected, or no data sent in time period")

Resources