Query Details
# Monitor for analytics editing in Microsoft Sentinel

# Description

The following query takes advantage of the SentinelAudit table and lets you monitor any editing of analytics rules within Microsoft Sentinel.

### Microsoft Sentinel

```
SentinelAudit
| where Status == @"Success"
| where Description == @"Create or update analytics rule." or Description == @"Analytics rule deleted"
| extend User = parse_json(ExtendedProperties)["CallerName"]
| project TimeGenerated, SentinelResourceName, Description, User
```

### Versioning

| Version | Date       | Comments        |
| ------- | ---------- | --------------- |
| 1.0     | 30/06/2025 | Initial publish |
This query is designed to monitor changes to analytics rules in Microsoft Sentinel. It specifically looks for successful events where analytics rules are either created, updated, or deleted. Here's a breakdown of what the query does:
Data Source: It uses the SentinelAudit table, which logs activities related to Microsoft Sentinel.
Filter by Status: It filters the records to only include those with a status of "Success," ensuring that only successful operations are considered.
Filter by Description: It further narrows down the records to those where the description indicates either the creation, update, or deletion of an analytics rule.
Extract User Information: The query extracts the user who performed the action by parsing the ExtendedProperties field to get the "CallerName."
Select Relevant Information: Finally, it projects (selects) the following columns for the output:
TimeGenerated: The time when the event occurred.
SentinelResourceName: The name of the Sentinel resource involved.
Description: A description of the action (create, update, or delete).
User: The user who performed the action.

This query helps administrators keep track of changes to analytics rules, providing insights into who made changes and when they occurred.
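As an added example that is not part of the original query, the variant below builds on the same SentinelAudit filter but summarises rule changes per caller over the last seven days, surfacing deletions and unusually busy editors. The `CallerIpAddress` key inside `ExtendedProperties` is assumed; the other columns are the ones used in the original query.

```kql
// Added example, not the original author's query.
// Assumes ExtendedProperties also carries a CallerIpAddress key.
SentinelAudit
| where TimeGenerated > ago(7d)
| where Status == "Success"
| where Description in ("Create or update analytics rule.", "Analytics rule deleted")
| extend Props = parse_json(ExtendedProperties)
| extend User = tostring(Props.CallerName),
         CallerIp = tostring(Props.CallerIpAddress)
// One row per caller: how many rules were touched, how many were deleted, and when
| summarize Changes = count(),
            Deletions = countif(Description == "Analytics rule deleted"),
            RulesTouched = make_set(SentinelResourceName, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by User, CallerIp
// Keep only callers who deleted a rule or made a burst of edits (threshold is a constructed value)
| where Deletions > 0 or Changes >= 5
| order by Deletions desc, Changes desc
```

Tune the `Changes` threshold to your environment; rule deletions are worth reviewing individually regardless of volume.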

Michalis Michalos
Released: June 30, 2025