
Sentinel events
Microsoft Sentinel's audit logs are maintained in the Azure Activity Logs, where the AzureActivity table includes all actions taken in your Microsoft Sentinel workspace.

In addition to the manual queries described in this article, Microsoft Sentinel provides a built-in workbook to help you audit the activities in your SOC environment. In the Microsoft Sentinel Workbooks area, search for the Workspace audit workbook.

Auditing with Azure Activity logs

Microsoft Sentinel's audit logs are maintained in the Azure Activity Logs, and record each operation together with the Azure resource it was performed on. You can also use the Azure Activity logs to check for user authorizations and licenses.

For example, the following list shows selected resources found in Azure Activity logs from which Microsoft Sentinel audit data is pulled (Microsoft Sentinel data included in Azure Activity logs):

    Microsoft.OperationalInsights/workspaces/savedSearches
    Microsoft.SecurityInsights/alertRules/actions
    Microsoft.SecurityInsights/Cases/investigations
    Microsoft.SecurityInsights/Cases/comments
    Microsoft.SecurityInsights/dataConnectors

For more information, see Azure Activity Log event schema.

Use the AzureActivity table

You can use the AzureActivity table when auditing activity in your SOC environment with Microsoft Sentinel. Connect the Azure Activity data source to start streaming audit events into a new table in the Logs screen called AzureActivity. Then, query the data using KQL, like you would any other table.

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

    AzureActivity
    | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"

For example, to find out who was the last user to edit a particular analytics rule, use the following query (replacing xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with the rule ID of the rule you want to check):

    AzureActivity
    | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
    | where Properties contains "alertRules/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    | project Caller, TimeGenerated, Properties

Add more parameters to your query to explore the AzureActivity table further, depending on what you need to report. For more information, see Microsoft Sentinel data included in Azure Activity logs.

The following sections provide other sample queries to use when auditing with AzureActivity table data.

Find all actions taken by a specific user in the last 24 hours

The following AzureActivity table query lists all actions taken by a specific Azure AD user in the last 24 hours (replace the Caller placeholder with the user's sign-in name):

    AzureActivity
    | where OperationNameValue contains "SecurityInsights"
    | where Caller == "<user@domain>"   // placeholder: the Azure AD user to audit
    | where TimeGenerated > ago(24h)

Find all delete operations

The following AzureActivity table query lists all the successful delete operations performed in your Microsoft Sentinel workspace:

    AzureActivity
    | where OperationNameValue contains "SecurityInsights"
    | where OperationNameValue contains "DELETE"
    | where ActivityStatusValue contains "Succeeded"
    | project TimeGenerated, Caller, OperationName

Auditing with LAQueryLogs

The LAQueryLogs table provides details about log queries run in Log Analytics. Since Log Analytics is used as Microsoft Sentinel's underlying data store, you can configure your system to collect LAQueryLogs data in your Microsoft Sentinel workspace. LAQueryLogs data includes information such as what tool was used to run queries in Log Analytics (for example, Microsoft Sentinel).

Note the following limitations:

    The LAQueryLogs table only includes queries that have been run in the Logs blade of Microsoft Sentinel. It does not include the queries run by scheduled analytics rules, using the Investigation Graph, or in the Microsoft Sentinel Hunting page.
    There may be a short delay between the time a query is run and the time the data is populated in the LAQueryLogs table. We recommend waiting about 5 minutes before querying the LAQueryLogs table for audit data.

The LAQueryLogs table isn't enabled by default in your Log Analytics workspace. To use LAQueryLogs data when auditing in Microsoft Sentinel, first enable LAQueryLogs in your Log Analytics workspace's Diagnostic settings area. For more information, see Audit queries in Azure Monitor logs.

For example, the following query shows how many queries were run in the last week, on a per-day basis:

    LAQueryLogs
    | where TimeGenerated > ago(7d)
    | summarize events_count=count() by bin(TimeGenerated, 1d)

Other useful LAQueryLogs table queries when auditing activities in your SOC environment using Microsoft Sentinel include one that counts the number of queries run where anything other than an HTTP response of 200 OK was received (this number includes queries that failed to run), and one that lists the users who ran the most CPU-intensive queries, based on CPU used and length of query time.
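As an added example that is not part of the original article, the following KQL combines those last two audits into one LAQueryLogs query: it ranks users by the query CPU they consumed over the past week and shows how many of their queries did not return 200 OK. The column names used (AADEmail, StatsCPUTimeMs, ResponseDurationMs, ResponseCode, RequestClientApp) are assumed from the LAQueryLogs schema; verify them against your workspace before relying on the output.

```kusto
// Added example (not from the original article): rank the users who consumed the most
// query CPU in the last 7 days and count how many of their queries did not return 200 OK.
// Assumed LAQueryLogs columns: AADEmail, StatsCPUTimeMs, ResponseDurationMs,
// ResponseCode, RequestClientApp. Check them in your workspace's schema pane.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where isnotempty(AADEmail)                    // skip rows with no signed-in user (API callers)
| summarize
    Queries         = count(),
    NonOkQueries    = countif(ResponseCode != 200),   // failed or throttled queries included
    TotalCpuMs      = sum(StatsCPUTimeMs),
    MaxCpuMs        = max(StatsCPUTimeMs),
    TotalDurationMs = sum(ResponseDurationMs),
    ClientApps      = make_set(RequestClientApp)      // which tools issued the queries
    by AADEmail
| extend AvgCpuMsPerQuery = round(todouble(TotalCpuMs) / Queries, 1)
| top 10 by TotalCpuMs desc
| project AADEmail, Queries, NonOkQueries, TotalCpuMs, AvgCpuMsPerQuery,
          MaxCpuMs, TotalDurationMs, ClientApps
```

A user with a high NonOkQueries count alongside a high CPU total is a good starting point for the per-user 24-hour AzureActivity query above.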