Query Details
// Hunt : Hunt - Sentinel Configuration Changes (Rules, Connectors, Workbooks) (30 Days)
// Tactics : DefenseEvasion
// MITRE : T1562
// Purpose : Full timeline of Sentinel configuration changes: alert rule deletions/modifications, data connector changes, automation rule changes, and workbook modifications. Use to investigate Rule-16 alerts and to audit who modified Sentinel configuration during an incident response window.
//==========================================================================================
// Azure Activity operation names that change Sentinel configuration.
// Note: the last entry targets Log Analytics saved searches (hunting queries live there).
let SentinelOps = dynamic([
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/SETTINGS/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/WORKSPACEMANAGERCONFIGURATIONS/WRITE",
    "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/SAVEDSEARCHES/DELETE"
]);
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue has_any (SentinelOps)
| where ActivityStatusValue =~ "Success"
// Bucket each operation by the kind of Sentinel object it touched.
| extend ChangeCategory = case(
    OperationNameValue has "ALERTRULES", "Analytics Rule",
    OperationNameValue has "DATACONNECTORS", "Data Connector",
    OperationNameValue has "AUTOMATIONRULES", "Automation Rule",
    OperationNameValue has "SETTINGS", "Sentinel Settings",
    OperationNameValue has "SAVEDSEARCHES", "Saved Search / Hunting Query",
    "Other")
| extend ActionType = iff(OperationNameValue has "DELETE", "Delete", "Create/Modify")
| project
    TimeGenerated,
    Caller,
    CallerIpAddress,
    ChangeCategory,
    ActionType,
    OperationNameValue,
    ResourceId,
    ResourceGroup,
    SubscriptionId
| order by TimeGenerated desc
This query is designed to track and analyze changes made to Microsoft Sentinel configurations over the past 30 days. It focuses on identifying successful operations related to alert rules, data connectors, automation rules, settings, and saved searches. Here's a simple breakdown of what the query does:

1. Define Operations: It specifies a list of operations related to Sentinel configurations, such as creating, modifying, or deleting alert rules, data connectors, automation rules, and settings.
2. Filter Activities: It filters the Azure Activity logs to include only those entries from the last 30 days where the operation name matches any of the specified Sentinel operations and the activity status is "Success".
3. Categorize Changes: It categorizes each operation into a change category (e.g., Analytics Rule, Data Connector) and determines the action type (either "Delete" or "Create/Modify").
4. Select and Order Data: It selects relevant information such as the time of the change, who made the change, their IP address, the type of change, and details about the resource affected. The results are then ordered by the time the change occurred, from most recent to oldest.

This query is useful for investigating alerts related to configuration changes and auditing who modified Sentinel settings during a specific incident response period.
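The timeline above lists every change one row at a time. As an added example (not part of the original hunt), the same operation list can be summarized per caller in one-hour buckets so that a burst of deletions by a single identity stands out; the BurstThreshold value and the ResourceName extraction from ResourceId are assumptions to tune for your workspace.

```kql
// Added example: per-caller summary of Sentinel configuration changes.
// Uses the same AzureActivity columns as the timeline query above.
let SentinelOps = dynamic([
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/DATACONNECTORS/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE",
    "MICROSOFT.SECURITYINSIGHTS/SETTINGS/WRITE",
    "MICROSOFT.SECURITYINSIGHTS/WORKSPACEMANAGERCONFIGURATIONS/WRITE",
    "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/SAVEDSEARCHES/DELETE"
]);
// Assumption: three or more deletions by one caller within an hour is worth a look.
let BurstThreshold = 3;
AzureActivity
| where TimeGenerated > ago(30d)
| where OperationNameValue has_any (SentinelOps)
| where ActivityStatusValue =~ "Success"
| extend ActionType = iff(OperationNameValue has "DELETE", "Delete", "Create/Modify")
// Assumption: the last path segment of ResourceId is the rule/connector/query name.
| extend ResourceName = extract(@"/([^/]+)$", 1, ResourceId)
| summarize
    Deletes = countif(ActionType == "Delete"),
    Modifies = countif(ActionType == "Create/Modify"),
    DistinctResources = dcount(ResourceId),
    Resources = make_set(ResourceName, 20),
    SourceIPs = make_set(CallerIpAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Caller, Hour = bin(TimeGenerated, 1h)
| where Deletes >= BurstThreshold
| order by Deletes desc, Hour desc
```

Drop the final `where` to see every caller's hourly activity, which is often the quicker way to spot an unfamiliar identity or source IP before deciding on a threshold.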

David Alonso
Released: March 12, 2026