Introduction to Microsoft Sentinel

Accessing ingested data

After connecting with the data sources that you need, you can start validating the connection flow to ensure the data is being saved in the workspace. To perform this validation, you have two options:

  • You can open the connector’s page and click the Next Steps tab. There, you will find some sample queries that you can use.

  • You can also access the workspace directly from Microsoft Sentinel and perform some free queries using Kusto Query Language (KQL).

A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, author, and automate. The query uses schema entities that are organized in a hierarchy similar to SQL’s databases, tables, and columns. You will learn more about this language in Appendix A, “Introduction to Kusto Query Language.”

Follow these steps to access the workspace from Azure Sentinel and perform the validation for Azure Activity Log, which was the first data source that you connected in this chapter:

  1. In the Microsoft Sentinel dashboard, click Logs in the left navigation pane under the General section.

  2. If this is the first time you are accessing this option, the Welcome To Log Analytics page appears. Close this welcome page and close the sample queries page.

  3. On the Logs page, type AzureActivity and click the Run button. You should see all activities that were performed and collected in the last 24 hours (which is the default timeframe). The result should look similar to Figure 2-15.

    FIGURE 2.15

    FIGURE 2.15 Last 24 hours of activities

As you can see, the logs are flowing, and you can obtain all results with a single query. However, in a real scenario, you want to narrow the results. An easy way to learn KQL while performing queries is to leverage the context-sensitive IntelliSense capability. To do that, write the query, and IntelliSense will open a dropdown menu showing the available options, as shown in Figure 2-16.

FIGURE 2.16

FIGURE 2.16 IntelliSense suggestions

To narrow the search to look only for activities that are related to the operation, you can use OperationName. For example, if you are trying to identify who deleted a VM, you can type the query below and click Run.

AzureActivity
| where OperationName contains “Create or Update Virtual Machine”

The results will be narrowed to show only activities that contain the specified string, which will make it easier to investigate. A sample result is shown in Figure 2-17.

FIGURE 2.17

FIGURE 2.17 Customizing your query

To validate the other data sources that were ingested in this chapter, you can use the following sample queries:

  • Azure Active Directory

    • Query: SigninLogs

      • (Use this query to visualize all Azure AD sign-in logs.)

    • Query: AuditLogs

      • (Use this query to visualize all Azure AD audit logs.)

  • Microsoft Defender for Cloud

    • Query: SecurityAlert | where AlertName contains “suspicious”

      • (This query will list all alerts generated by Defender for Cloud where the alert name contains the keyword “suspicious”.)

As you validate each connector, make sure to continue to explore other queries to obtain more precise information. While the goal of this chapter is not to dive into details about queries, you will need to continue expanding your KQL skills to use later in this book.