Audit Microsoft Sentinel queries and activities
This article describes how you can view audit data for queries run and activities performed in your Microsoft Sentinel workspace, such as for internal and external compliance requirements in your Security Operations (SOC) workspace.
Microsoft Sentinel provides access to:
The AzureActivity table, which provides details about all actions taken in Microsoft Sentinel, such as editing alert rules. The AzureActivity table doesn't log specific query data. For more information, see Auditing with Azure Activity logs.
The LAQueryLogs table, which provides details about the queries run in Log Analytics, including queries run from Microsoft Sentinel. For more information, see Auditing with LAQueryLogs.
Tip
In addition to the manual queries described in this article, we recommend that you use the built-in Workspace audit workbook help you audit the activities in your SOC environment. For more information, see Visualize and monitor your data by using workbooks in Microsoft Sentinel.
Prerequisites
Before you can successfully run the sample queries in this article, you need to have relevant data in your Microsoft Sentinel workspace to query on and access to Microsoft Sentinel.
For more information, see Configure Microsoft Sentinel content and Roles and permissions in Microsoft Sentinel.
Auditing with Azure Activity logs
Microsoft Sentinel's audit logs are maintained in the Azure Activity Logs, where the AzureActivity table includes all actions taken in your Microsoft Sentinel workspace.
Use the AzureActivity table when auditing activity in your SOC environment with Microsoft Sentinel.
To query the AzureActivity table:
Install the Azure Activity solution for Sentinel solution and connect the Azure Activity data connector to start streaming audit events into a new table called
AzureActivity
.Query the data using Kusto Query Language (KQL), like you would any other table:
- In the Azure portal, query this table in the Logs page.
- In Microsoft's unified security operations platform, query this table in the Investigation & response > Hunting > Advanced hunting page.
The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:
AzureActivity | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"
For example, to find out who was the last user to edit a particular analytics rule, use the following query (replacing
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
with the rule ID of the rule you want to check):AzureActivity | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE" | where Properties contains "alertRules/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" | project Caller , TimeGenerated , Properties
Add more parameters to your query to explore the AzureActivities table further, depending on what you need to report. The following sections provide other sample queries to use when auditing with AzureActivity table data.
For more information, see Microsoft Sentinel data included in Azure Activity logs.
Find all actions taken by a specific user in the last 24 hours
The following AzureActivity table query lists all actions taken by a specific Microsoft Entra user in the last 24 hours.
AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where Caller == "[AzureAD username]"
| where TimeGenerated > ago(1d)
Find all delete operations
The following AzureActivity table query lists all the delete operations performed in your Microsoft Sentinel workspace.
AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where OperationName contains "Delete"
| where ActivityStatusValue contains "Succeeded"
| project TimeGenerated, Caller, OperationName
Microsoft Sentinel data included in Azure Activity logs
Microsoft Sentinel's audit logs are maintained in the Azure Activity Logs, and include the following types of information:
Operation | Information types |
---|---|
Created | Alert rules Case comments Incident comments Saved searches Watchlists Workbooks |
Deleted | Alert rules Bookmarks Data connectors Incidents Saved searches Settings Threat intelligence reports Watchlists Workbooks Workflow |
Updated | Alert rules Bookmarks Cases Data connectors Incidents Incident comments Threat intelligence reports Workbooks Workflow |
You can also use the Azure Activity logs to check for user authorizations and licenses. For example, the following table lists selected operations found in Azure Activity logs with the specific resource the log data is pulled from.
Operation name | Resource type |
---|---|
Create or update workbook | Microsoft.Insights/workbooks |
Delete workbook | Microsoft.Insights/workbooks |
Set workflow | Microsoft.Logic/workflows |
Delete workflow | Microsoft.Logic/workflows |
Create saved search | Microsoft.OperationalInsights/workspaces/savedSearches |
Delete saved search | Microsoft.OperationalInsights/workspaces/savedSearches |
Update alert rules | Microsoft.SecurityInsights/alertRules |
Delete alert rules | Microsoft.SecurityInsights/alertRules |
Update alert rule response actions | Microsoft.SecurityInsights/alertRules/actions |
Delete alert rule response actions | Microsoft.SecurityInsights/alertRules/actions |
Update bookmarks | Microsoft.SecurityInsights/bookmarks |
Delete bookmarks | Microsoft.SecurityInsights/bookmarks |
Update cases | Microsoft.SecurityInsights/Cases |
Update case investigation | Microsoft.SecurityInsights/Cases/investigations |
Create case comments | Microsoft.SecurityInsights/Cases/comments |
Update data connectors | Microsoft.SecurityInsights/dataConnectors |
Delete data connectors | Microsoft.SecurityInsights/dataConnectors |
Update settings | Microsoft.SecurityInsights/settings |
For more information, see Azure Activity Log event schema.
Auditing with LAQueryLogs
The LAQueryLogs table provides details about log queries run in Log Analytics. Since Log Analytics is used as Microsoft Sentinel's underlying data store, you can configure your system to collect LAQueryLogs data in your Microsoft Sentinel workspace.
LAQueryLogs data includes information such as:
- When queries were run
- Who ran queries in Log Analytics
- What tool was used to run queries in Log Analytics, such as Microsoft Sentinel
- The query texts themselves
- Performance data on each query run
Note
The LAQueryLogs table only includes queries that have been run in the Logs blade of Microsoft Sentinel. It does not include the queries run by scheduled analytics rules, using the Investigation Graph, in the Microsoft Sentinel Hunting page, or in the Defender portal's Advanced hunting page.
There may be a short delay between the time a query is run and the data is populated in the LAQueryLogs table. We recommend waiting about 5 minutes to query the LAQueryLogs table for audit data.
To query the LAQueryLogs table:
The LAQueryLogs table isn't enabled by default in your Log Analytics workspace. To use LAQueryLogs data when auditing in Microsoft Sentinel, first enable the LAQueryLogs in your Log Analytics workspace's Diagnostics settings area.
For more information, see Audit queries in Azure Monitor logs.
Then, query the data using KQL, like you would any other table.
For example, the following query shows how many queries were run in the last week, on a per-day basis:
LAQueryLogs | where TimeGenerated > ago(7d) | summarize events_count=count() by bin(TimeGenerated, 1d)
The following sections show more sample queries to run on the LAQueryLogs table when auditing activities in your SOC environment using Microsoft Sentinel.
The number of queries run where the response wasn't "OK"
The following LAQueryLogs table query shows the number of queries run, where anything other than an HTTP response of 200 OK was received. For example, this number includes queries that had failed to run.
LAQueryLogs
| where ResponseCode != 200
| count
Show users for CPU-intensive queries
The following LAQueryLogs table query lists the users who ran the most CPU-intensive queries, based on CPU used and length of query time.
LAQueryLogs
|summarize arg_max(StatsCPUTimeMs, *) by AADClientId
| extend User = AADEmail, QueryRunTime = StatsCPUTimeMs
| project User, QueryRunTime, QueryText
| sort by QueryRunTime desc
Show users who ran the most queries in the past week
The following LAQueryLogs table query lists the users who ran the most queries in the last week.
LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by AADEmail
| extend UserPrincipalName = AADEmail, Queries = events_count
| join kind= leftouter (
SigninLogs)
on UserPrincipalName
| project UserDisplayName, UserPrincipalName, Queries
| summarize arg_max(Queries, *) by UserPrincipalName
| sort by Queries desc
Configuring alerts for Microsoft Sentinel activities
You might want to use Microsoft Sentinel auditing resources to create proactive alerts.
For example, if you have sensitive tables in your Microsoft Sentinel workspace, use the following query to notify you each time those tables are queried:
LAQueryLogs
| where QueryText contains "[Name of sensitive table]"
| where TimeGenerated > ago(1d)
| extend User = AADEmail, Query = QueryText
| project User, Query
Monitor Microsoft Sentinel with workbooks, rules, and playbooks
Use Microsoft Sentinel's own features to monitor events and actions that occur within Microsoft Sentinel.
Monitor with workbooks. Several built-in Microsoft Sentinel workbooks can help you monitor workspace activity, including information about the users working in your workspace, the analytics rules being used, the MITRE tactics most covered, stalled or stopped ingestions, and SOC team performance.
For more information, see Visualize and monitor your data by using workbooks in Microsoft Sentinel and Commonly used Microsoft Sentinel workbooks
Watch for ingestion delay. If you have concerns about ingestion delay, set a variable in an analytics rule to represent the delay.
For example, the following analytics rule can help to ensure that results don't include duplicates, and that logs aren't missed when running the rules:
let ingestion_delay= 2min;let rule_look_back = 5min;CommonSecurityLog| where TimeGenerated >= ago(ingestion_delay + rule_look_back)| where ingestion_time() > (rule_look_back) - Calculating ingestion delay CommonSecurityLog| extend delay = ingestion_time() - TimeGenerated| summarize percentiles(delay,95,99) by DeviceVendor, DeviceProduct
For more information, see Automate incident handling in Microsoft Sentinel with automation rules.
Monitor data connector health using the Connector Health Push Notification Solution playbook to watch for stalled or stopped ingestion, and send notifications when a connector has stopped collecting data or machines have stopped reporting.
See more information on the following items used in the preceding examples, in the Kusto documentation:
- let statement
- where operator
- project operator
- count operator
- sort operator
- extend operator
- join operator
- summarize operator
- ago() function
- ingestion_time() function
- count() aggregation function
- arg_max() aggregation function
For more information on KQL, see Kusto Query Language (KQL) overview.
Other resources:
Next step
In Microsoft Sentinel, use the Workspace audit workbook to audit the activities in your SOC environment. For more information, see Visualize and monitor your data.