Log sources and analytics rules coverage workbook: see how your tables are being used
Published Feb 09 2022 11:59 AM 4,378 Views
Microsoft

Something customers check when they turn on a new data connector in Microsoft Sentinel is which detections are available for the new logs. There are several ways to see this. For instance, you can go to Analytics > Templates and filter by data source.

You can also go to the new Content hub and filter by provider and content type (e.g. analytics).

However, what if you want to see exactly which analytics rules or hunting queries you have in place for each of your tables?

@NChristis and I have created a workbook to help with this analysis: the Log sources & Analytic rules coverage workbook. Let's have a look at it.

First, select the desired subscription and workspace, then select a time range; it is used to query which tables have had ingestion activity over the selected period. Note that there is also a Show help toggle.

Select one of the tables to see information about analytics rules, hunting queries, bookmarks, saved searches and even the queries run against it. Right below, select the tab you would like to view. We will start with Analytics.

The first section is a chart showing how many analytics rules (detections) are enabled and disabled, broken down by severity.

Then you can see the specific analytics rules in the workspace that reference the selected table, and which of them are enabled or disabled. Click the View query link to see the exact query, along with additional information such as query frequency and period, or MITRE tactics.

If the selected table is SecurityEvent, you will additionally find a section for event IDs. Please read the disclaimer before consuming this data:

  • This section finds events referenced as EventID == <value> and EventID in (<list>).
  • It only matches on the first such condition and does not look for further matches. This means that SecurityEvent | where EventID == 1453 or EventID == 1698 will only match on the first event.
  • It shows the event even if your condition excludes the event (e.g. not( not ( where eventId== 1234))).
  • If the event is not specified explicitly because it is part of a range, it will not be matched (e.g. event 4625 will not be found if your query checks for EventID between (4624 .. 4627)).

We have also included a search box where you can type an exact event ID, but again please read the disclaimer, as the result may not show all the relevant rules. For instance, as described above, if the event ID is only part of a range it will not be found (e.g. event 4625 will not be found if your query checks for EventID between (4624 .. 4627)).
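To make the disclaimer and the search-box caveat concrete, here is an added Python example; it is not part of the post or of the workbook. It re-creates, as a hypothetical `first_match_event_ids` function, the first-match text scan the bullets describe, and contrasts it with a fuller scan (`all_referenced_event_ids`) that also expands `between (a .. b)` ranges, so that event 4625 is found inside 4624 .. 4627. The rule queries are constructed samples, not real analytics rules.

```python
import re
from typing import Dict, List, Set

# Constructed sample rule queries (not taken from the post or the workbook).
SAMPLE_RULES: Dict[str, str] = {
    "equality": "SecurityEvent | where EventID == 1453 or EventID == 1698",
    "in_list":  "SecurityEvent | where EventID in (4624, 4625, 4648)",
    "negated":  "SecurityEvent | where not(EventID == 1234)",
    "range":    "SecurityEvent | where EventID between (4624 .. 4627)",
}

# Hypothetical re-creation of the first-match heuristic the disclaimer describes:
# look for "EventID == N" or "EventID in (...)" and stop at the first hit.
_EQ_OR_IN = re.compile(r"EventID\s*(?:==\s*(\d+)|in\s*\(([^)]*)\))", re.IGNORECASE)
# Range predicate, which the first-match scan never sees.
_BETWEEN = re.compile(r"EventID\s*between\s*\(\s*(\d+)\s*\.\.\s*(\d+)\s*\)", re.IGNORECASE)


def first_match_event_ids(query: str) -> List[int]:
    """IDs from the first == / in() predicate only; a between() range yields nothing."""
    m = _EQ_OR_IN.search(query)
    if m is None:
        return []
    if m.group(1) is not None:          # EventID == N
        return [int(m.group(1))]
    return [int(n) for n in re.findall(r"\d+", m.group(2))]   # EventID in (...)


def all_referenced_event_ids(query: str) -> Set[int]:
    """Every ID referenced by ==, in() or between(), with ranges expanded.

    This is still a textual scan: an ID inside not(...) is reported as referenced
    even though the rule excludes it, exactly the caveat the disclaimer gives.
    """
    ids: Set[int] = set()
    for m in _EQ_OR_IN.finditer(query):
        if m.group(1) is not None:
            ids.add(int(m.group(1)))
        else:
            ids.update(int(n) for n in re.findall(r"\d+", m.group(2)))
    for lo, hi in _BETWEEN.findall(query):
        ids.update(range(int(lo), int(hi) + 1))
    return ids


def rules_referencing(event_id: int, rules: Dict[str, str]) -> List[str]:
    """Search-box style lookup: names of rules whose query references event_id."""
    return sorted(name for name, q in rules.items()
                  if event_id in all_referenced_event_ids(q))


if __name__ == "__main__":
    for name, q in SAMPLE_RULES.items():
        print(f"{name:9} first-match={first_match_event_ids(q)} "
              f"all={sorted(all_referenced_event_ids(q))}")
    print("rules referencing 4625:", rules_referencing(4625, SAMPLE_RULES))
```

Running it shows the gap: the first-match scan reports only 1453 for the equality rule and nothing at all for the range rule, while the fuller scan finds 4625 in both the in-list and the range rule. Neither scan resolves negation, so the only reliable way to know what a rule actually matches is to run its query.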

Next, you will see the templates available for the selected table. Please note that this section does not show which of the templates have been used to create analytics rules.

Again, if the table you selected is SecurityEvent, you will also see the Event ID section described above.

Everything so far has been about analytics rules (detections), but other elements are relevant too, namely saved searches (which include Microsoft Sentinel hunting queries), bookmarks that your SOC has saved, and searches performed. These are important to keep in mind when deciding whether a log source is important or not: even if no analytics rules run on top of a table, your SOC may be querying it for hunting, for finding further evidence related to an incident, or for forensics.

Next is the Saved searches and hunting queries tab.

The first section lists all saved searches that reference the selected table. Remember that hunting queries are a type of saved search; you can distinguish them by looking at the Category column.

Right below, you will see bookmarks and whether they are related to an incident.

We have also included a section with bookmarked events that reference the selected table.

Finally, in the Searches and queries tab you will see how many queries were run against your table, and the origin of those queries, which could be Microsoft Sentinel, Logic Apps, the Logs UI, App Insights (Azure Monitor) or other.

We hope you find it valuable. Stay tuned, as we will soon incorporate additional elements into the workbook. Is there anything else you would like to see in it? Please leave your feedback in the comments.

Last update: Feb 08 2022 10:46 PM