Query Details

Sentinel Health Sentinel Failure

Query

let alert_name = "Sentinel health";
let _ExpectedAlertNames = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "SentinelHealthAlert"
    | summarize make_list(Auxiliar)
);
SentinelHealth
| extend
    Issues = ExtendedProperties["Issues"],
    FailureSummary = ExtendedProperties["FailureSummary"],
    IncidentNumber = ExtendedProperties["IncidentNumber"]
| mv-expand Issue = iff(array_length(Issues) > 0, Issues, dynamic([""])), Failure = iff(array_length(FailureSummary) > 0, FailureSummary, dynamic([""]))
| where not(Status == "Success" and isempty(Issue) and isempty(FailureSummary))
| extend
    IssueCode = tostring(Issue["Code"]),
    StatusCode = tostring(Failure["StatusCode"]),
    Auxiliar = iff(SentinelResourceType == "Analytics Rule", SentinelResourceName, tostring(bin(TimeGenerated, 1h)))
| extend AlertName = case(
    SentinelResourceType == "Analytics Rule" and Status == "Warning" and Reason == "The analytics rule is disabled and was not executed.", "Analytics rule was auto disabled",
    SentinelResourceType == "Analytics Rule" and isnotempty(IssueCode), strcat(alert_name, " - ", SentinelResourceType, " - ", Status, " - ", IssueCode),
    SentinelResourceType == "Data connector", strcat(alert_name, " - ", SentinelResourceType, " - ", Status, " - ", SentinelResourceName),
    SentinelResourceType == "Automation rule", strcat(alert_name, " - ", SentinelResourceType, " - ", Status, " - Incident Number ", IncidentNumber),
    strcat(alert_name, " - ", SentinelResourceType, " - ", Status)
    )
| where not(AlertName in (_ExpectedAlertNames))
| project
    TimeGenerated,
    AlertName,
    SentinelResourceType,
    SentinelResourceKind,
    SentinelResourceName,
    OperationName,
    Status,
    Reason,
    Description,
    Issues,
    FailureSummary,
    ExtendedProperties,
    SentinelResourceId,
    Auxiliar

Explanation

This query is designed to analyze and filter health alerts related to Microsoft Sentinel, a security information and event management (SIEM) system. Here's a simplified breakdown of what the query does:

  1. Define Variables:

    • alert_name: Sets a base name for alerts as "Sentinel health".
    • _ExpectedAlertNames: Retrieves a list of expected alert names from a watchlist called "Activity-ExpectedSignificantActivity" where the activity is "SentinelHealthAlert".
  2. Process Sentinel Health Data:

    • The SentinelHealth table is queried, and several properties are extracted and expanded:
      • Issues, FailureSummary, and IncidentNumber are extracted from ExtendedProperties.
      • Issue and Failure are expanded into separate rows if they contain multiple entries.
  3. Filter Out Successful Entries:

    • The query filters out entries where the status is "Success" and there are no issues or failure summaries.
  4. Create Alert Names:

    • Constructs a detailed AlertName based on the type of Sentinel resource and its status, using different rules for "Analytics Rule", "Data connector", and "Automation rule".
    • Special cases are handled, such as when an analytics rule is disabled.
  5. Exclude Expected Alerts:

    • Filters out alerts that are in the list of expected alert names (_ExpectedAlertNames).
  6. Select and Display Relevant Data:

    • Projects (selects) specific columns to display, such as TimeGenerated, AlertName, SentinelResourceType, and other relevant details.

In summary, this query identifies and displays unexpected health alerts in Microsoft Sentinel by filtering out successful operations and expected alerts, and then formatting the alert names for clarity.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 4, 2024

Tables

_GetWatchlistSentinelHealth

Keywords

SentinelHealthAlertIssuesFailureSummaryIncidentNumberAnalyticsRuleDataConnectorAutomationStatusReasonDescriptionExtendedPropertiesOperationNameResourceTypeKindIdTimeGeneratedActivityExpectedSignificant

Operators

lettoscalar_GetWatchlistwheresummarizemake_listextendmv-expandiffarray_lengthdynamicisemptytostringbincaseisnotemptystrcatinproject

Actions

GitHub