Query Details
# Sentinel Workspace Disconnected

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1562.008 | Impair Defenses: Disable or Modify Cloud Logs | https://attack.mitre.org/techniques/T1562/008/ |

### Description

This query returns results if Sentinel workspaces have been removed from Unified XDR. These activities should be monitored to make sure that Sentinel environments are not removed from your XDR environment, whether by mistake or on purpose.

### References

- https://kqlquery.com/posts/audit-defender-xdr/
- https://learn.microsoft.com/en-us/unified-secops/microsoft-sentinel-onboard

## Defender XDR

```KQL
CloudAppEvents
| where ActionType == "SentinelDisconnectWorkspace"
| extend WorkspaceId = tostring(RawEventData.WorkspaceId),
         Status = tostring(RawEventData.Status),
         SubscriptionId = tostring(RawEventData.SubscriptionId),
         ResourceGroup = tostring(RawEventData.ResourceGroup),
         WorkspaceType = tostring(RawEventData.WorkspaceType)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
| project-reorder Timestamp, InitiatedByAccountName, InitiatedByAccountId, IPAddress, WorkspaceType, Status, WorkspaceId, ResourceGroup, SubscriptionId
```

## Sentinel

```KQL
CloudAppEvents
| where ActionType == "SentinelDisconnectWorkspace"
| extend WorkspaceId = tostring(RawEventData.WorkspaceId),
         Status = tostring(RawEventData.Status),
         SubscriptionId = tostring(RawEventData.SubscriptionId),
         ResourceGroup = tostring(RawEventData.ResourceGroup),
         WorkspaceType = tostring(RawEventData.WorkspaceType)
| project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccountId = AccountId
| project-reorder TimeGenerated, InitiatedByAccountName, InitiatedByAccountId, IPAddress, WorkspaceType, Status, WorkspaceId, ResourceGroup, SubscriptionId
```
This query is designed to monitor and identify when Sentinel workspaces are disconnected from a Unified XDR (Extended Detection and Response) environment. The purpose is to ensure that these disconnections are not happening accidentally or maliciously, as they could impair the security defenses by disabling or modifying cloud logs, which is a technique identified by MITRE ATT&CK as T1562.008. Here's a simplified breakdown of what the query does:
- Data Source: It looks at events from CloudAppEvents where the action type is "SentinelDisconnectWorkspace". This indicates that a Sentinel workspace has been disconnected.
- Data Extraction: It extracts several pieces of information from these events, including:
  - WorkspaceId: The ID of the disconnected workspace.
  - Status: The status of the disconnection event.
  - SubscriptionId: The subscription ID associated with the workspace.
  - ResourceGroup: The resource group of the workspace.
  - WorkspaceType: The type of workspace.
- Data Renaming and Reordering: It renames AccountDisplayName to InitiatedByAccountName and AccountId to InitiatedByAccountId, then reorders the columns so that the timestamp and the initiating account come first.

The query is essentially a tool for security monitoring, helping to ensure that any disconnection of Sentinel workspaces is intentional and authorized, thereby maintaining the integrity of the security environment.
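The point of the query is to separate authorized disconnects from everything else, so as an added example (not part of the original query or of kqlquery.com's code) the Sentinel variant below drops disconnects that match an approved change record and groups the rest per actor and workspace. The watchlist name `ApprovedSentinelChanges` and its columns `WorkspaceId` and `ValidUntil` are assumptions; create the watchlist with those columns before running it.

```kql
// Added example, not from the original page: flag disconnects that have no
// matching approved change record. Assumes a hypothetical Sentinel watchlist
// 'ApprovedSentinelChanges' with columns WorkspaceId and ValidUntil.
let lookback = 7d;
let Approved = _GetWatchlist('ApprovedSentinelChanges')
    | extend WorkspaceId = tostring(WorkspaceId),
             ValidUntil = todatetime(ValidUntil)
    | where ValidUntil > now()          // expired approvals do not count
    | project WorkspaceId;
CloudAppEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "SentinelDisconnectWorkspace"
| extend WorkspaceId = tostring(RawEventData.WorkspaceId),
         Status = tostring(RawEventData.Status),
         SubscriptionId = tostring(RawEventData.SubscriptionId),
         ResourceGroup = tostring(RawEventData.ResourceGroup),
         WorkspaceType = tostring(RawEventData.WorkspaceType)
// leftanti keeps only disconnects whose workspace is NOT on the approved list
| join kind=leftanti Approved on WorkspaceId
// one row per actor and workspace, so repeated attempts are visible at a glance
| summarize DisconnectCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10),
            Statuses = make_set(Status, 5)
    by InitiatedByAccountName = AccountDisplayName,
       InitiatedByAccountId = AccountId,
       WorkspaceId, WorkspaceType, ResourceGroup, SubscriptionId
| order by LastSeen desc
```

An empty result means every disconnect in the lookback window was covered by a current approval; any row that does appear is a candidate for an incident, with the actor, source IPs and workspace already collected.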

Bert-Jan Pals
Released: August 18, 2025