Detailed report on the virtual machines (VMs) interacting with Microsoft Sentinel

Chauhan, Shaileshbhai 40 Reputation points
2024-11-19T14:14:45.7466667+00:00

Detailed report on the virtual machines (VMs) interacting with Microsoft Sentinel, if I understand correctly. Here’s a suggested approach to create that report:


  1. Data Collection:
     • Identify Reporting VMs: Query Microsoft Sentinel to list all VMs currently reporting.
     • Identify Non-Reporting VMs: Cross-reference this list with your inventory of VMs to find those not reporting.
  2. Analysis:
     • Count Reporting vs. Non-Reporting: Calculate the total number of VMs reporting and those that are not.
     • Identify Discrepancies: Highlight any discrepancies between the expected count and the actual reporting VMs.
  3. Reporting:
     • Create a Summary: Include key metrics, such as total VMs, reporting VMs, and non-reporting VMs.
     • Visualize Data: Consider using charts or graphs to illustrate the findings clearly.


I need a Kusto query to help identify the virtual machines (VMs) reporting to Microsoft Sentinel and those that are not:


1 answer

  1. Clive Watson 6,676 Reputation points MVP
    2024-11-20T14:56:32.2833333+00:00

    Hi, you can see VMs, whether they are Azure or Hybrid, using Azure Resource Graph (you can run the KQL for each from within Sentinel). This won't tell you if they are reported on in Sentinel or not.

    // Azure VMs: list by power state (ARG cross-query run from the Sentinel workspace)
    arg('').Resources | where type == "microsoft.compute/virtualmachines"
    | extend vmState = tostring(properties.extended.instanceView.powerState.displayStatus)
    // Fall back to a label when the instance view carries no power state
    | extend vmState = iif(isempty(vmState), "VM State Unknown", (vmState))
    | summarize count(), VMnames=array_sort_asc(make_set(name)) by vmState


    // Hybrid (Azure Arc-enabled) VMs
    arg('').Resources | where type == "microsoft.hybridcompute/machines"
    | project MachineId=id, status = properties.status,
              LastSeen = properties.lastStatusChange,
              FQDN = properties.machineFqdn,
              OS = properties.osName,
              ServerVersion = properties.osVersion


    You can then compare those names with the VMs found in the SecurityIncident, SecurityAlert or other relevant tables.

    An example using the Heartbeat table:

    // Running Azure VMs, by name, from Azure Resource Graph
    let AzureVMlist =
    arg('').Resources | where type == "microsoft.compute/virtualmachines"
    | extend vmState = tostring(properties.extended.instanceView.powerState.displayStatus)
    | extend vmState = iif(isempty(vmState), "VM State Unknown", (vmState))
    | where vmState =="VM running"
    | distinct name;
    // Heartbeats from those VMs only, i.e. the ones actually sending data to the workspace
    Heartbeat
    | where Computer in (AzureVMlist)
    | summarize count() by Computer, Category


    Source: There are good reports on Azure resources here: https://www.cloudsma.com/2020/10/ultimate-azure-inventory-dashboard/#:~:text=With%20Compute,%20we%20get%20a%20breakdown%20of%20Azure
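The answer above filters Heartbeat down to known VMs, which lists the reporting machines but not the missing ones. The following KQL is an added example, not part of the original answer, that joins the Azure Resource Graph inventory (Azure VMs plus Arc-enabled machines) against the most recent heartbeat per host and labels every inventory entry as reporting or not. It assumes that the Heartbeat table is populated by the agent connected to the Sentinel workspace, that the short hostname in Heartbeat.Computer matches the ARG resource name after lowercasing (adjust the normalisation if your naming differs), and it uses a constructed 24-hour staleness threshold.

```kql
// Added example: split the ARG inventory into reporting / non-reporting hosts.
// Assumptions (not from the original answer): Heartbeat comes from the agent tied
// to this workspace, short hostname == ARG resource name, 24h is the staleness cut-off.
let lookback = 24h;
// Inventory of Azure VMs and Arc-enabled machines, normalised to a lowercase short name
let Inventory =
    arg('').Resources
    | where type in~ ("microsoft.compute/virtualmachines", "microsoft.hybridcompute/machines")
    | extend Kind = iff(type =~ "microsoft.compute/virtualmachines", "AzureVM", "Hybrid")
    | extend HostName = tolower(name)
    | project HostName, Kind, ResourceGroup = resourceGroup, Subscription = subscriptionId;
// Most recent heartbeat per host inside the window; strip any domain suffix from Computer
let LastSeen =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | extend HostName = tolower(tostring(split(Computer, ".")[0]))
    | summarize LastHeartbeat = max(TimeGenerated) by HostName;
// Left outer join keeps every inventory row; a null LastHeartbeat means no data in the window
Inventory
| join kind=leftouter LastSeen on HostName
| extend Status = iff(isnull(LastHeartbeat), "NotReporting", "Reporting")
| project HostName, Kind, Status, LastHeartbeat, ResourceGroup, Subscription
| order by Status asc, HostName asc
```

For the summary counts the original question asks for, append `| summarize count() by Kind, Status` in place of the final `project`/`order` lines. Two practical caveats: ARG cross-queries from a Log Analytics workspace return at most 1,000 rows, so very large estates need to be scoped by subscription; and a machine that is powered off will show as NotReporting here, so filter the inventory on power state (as in the answer's `vmState == "VM running"`) if you only want to flag agents that should be sending data but are not.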

