microsoft sentinel
10 Topics

How to Monitor New Management Group Creation and Deletion.
I am writing this post to monitor new management group creation and deletion using Azure Activity Logs and trigger an incident in Microsoft Sentinel. You can also use it to monitor subscription creation using the same steps. By default, the diagnostic settings at the management group level are not enabled. They cannot be enabled using Azure Policy or from the portal interface. Use the below article to enable the "Management Group Diagnostic Settings": Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn

Below is the message body if you would like to forward the logs only to the Log Analytics workspace where Sentinel is enabled. Also make sure you enable the diagnostic settings at the tenant management group level to track all changes in your tenant.

    {
      "properties": {
        "workspaceId": "<< replace with workspace resource ID>>",
        "logs": [
          { "category": "Administrative", "enabled": true },
          { "category": "Policy", "enabled": true }
        ]
      }
    }

Once you have enabled the diagnostic settings, you can use the below KQL queries to monitor new management group creation and deletion using Azure Activity Logs.
    // KQL query to identify if a management group is deleted
    AzureActivity
    | where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
    | where ActivityStatusValue == "Success"   // drops the "Start" row Azure logs for the same operation
    // entity is "/providers/Microsoft.Management/managementGroups/<name>", so index 4 is the group name
    | extend mg = split(tostring(Properties_d.entity), "/")
    | project TimeGenerated,
              activityStatusValue_ = tostring(Properties_d.activityStatusValue),
              Managementgroup = mg[4],
              message_ = tostring(parse_json(Properties).message),
              caller_ = tostring(Properties_d.caller)

    // KQL query to identify if a management group is created
    // (MANAGEMENTGROUPS/WRITE is also logged when an existing group is updated)
    AzureActivity
    | where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
    | where ActivityStatusValue == "Success"
    | extend mg = split(tostring(Properties_d.entity), "/")
    | project TimeGenerated,
              activityStatusValue_ = tostring(Properties_d.activityStatusValue),
              Managementgroup = mg[4],
              message_ = tostring(parse_json(Properties).message),
              caller_ = tostring(Properties_d.caller)

This log can also be used to monitor new subscription creation, using the below query:

    // KQL query to identify subscriptions appearing under a management group
    AzureActivity
    // the original compared OperationNameValue == "Microsoft.Management", which never matches a full operation name
    | where OperationNameValue startswith "MICROSOFT.MANAGEMENT/"
    | where ActivityStatusValue in ("Success", "Succeeded")   // both spellings occur depending on the export schema
    | where isnotempty(SubscriptionId)

If you need to trigger an incident in Sentinel, use the above query in a custom scheduled analytics rule and create an alert. Note: enabling this API on the management group diagnostic logs will also be inherited by the subscriptions downstream for the specific category.

Query for App Service and outbound IP Query
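A worked check of the detection logic from the management group monitoring topic above, added here as an example rather than code from that post: it emulates the post's KQL filters in Python over constructed AzureActivity-style rows, showing why the fourth path segment of entity is the group name, why the status filter matters (Azure logs a Start row and a Success row for the same operation), and that MANAGEMENTGROUPS/WRITE fires for updates as well as creation. The subscription operation name MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE, the sample callers and the subscription ID are assumptions, not values from the post.

```python
import json

# Constructed sample rows (not real tenant data), shaped like the AzureActivity
# columns the post's KQL reads: OperationNameValue, ActivityStatusValue,
# SubscriptionId, and Properties as the JSON string that parse_json() decodes.
def _props(entity, caller, message):
    return json.dumps({"entity": entity, "caller": caller, "message": message})

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

SAMPLE_ROWS = [
    {   # "Start" row for the write below; the status filter must drop it
        "TimeGenerated": "2024-01-01T10:00:00Z",
        "OperationNameValue": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE",
        "ActivityStatusValue": "Start",
        "SubscriptionId": "",
        "Properties": _props(MG_PREFIX + "mg-landingzones", "admin@contoso.example",
                             "Microsoft.Management/managementGroups/write"),
    },
    {   # management group created (the same WRITE is also logged for updates)
        "TimeGenerated": "2024-01-01T10:00:02Z",
        "OperationNameValue": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE",
        "ActivityStatusValue": "Success",
        "SubscriptionId": "",
        "Properties": _props(MG_PREFIX + "mg-landingzones", "admin@contoso.example",
                             "Microsoft.Management/managementGroups/write"),
    },
    {   # management group deleted
        "TimeGenerated": "2024-01-01T11:30:00Z",
        "OperationNameValue": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE",
        "ActivityStatusValue": "Success",
        "SubscriptionId": "",
        "Properties": _props(MG_PREFIX + "mg-old", "admin@contoso.example",
                             "Microsoft.Management/managementGroups/delete"),
    },
    {   # subscription placed under a management group; operation name is an assumption
        "TimeGenerated": "2024-01-01T12:00:00Z",
        "OperationNameValue": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE",
        "ActivityStatusValue": "Succeeded",
        "SubscriptionId": "11111111-2222-3333-4444-555555555555",
        "Properties": _props(MG_PREFIX + "mg-landingzones/subscriptions/11111111-2222-3333-4444-555555555555",
                             "svc-provisioning@contoso.example",
                             "Microsoft.Management/managementGroups/subscriptions/write"),
    },
    {   # unrelated successful write; must be ignored
        "TimeGenerated": "2024-01-01T12:05:00Z",
        "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
        "ActivityStatusValue": "Success",
        "SubscriptionId": "11111111-2222-3333-4444-555555555555",
        "Properties": _props("/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa1",
                             "dev@contoso.example", "Microsoft.Storage/storageAccounts/write"),
    },
]

# Both status spellings occur depending on which Activity Log export schema fed the table.
SUCCESS_STATES = {"Success", "Succeeded"}

EVENT_BY_OPERATION = {
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE": "management_group_written",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE": "management_group_deleted",
    "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/SUBSCRIPTIONS/WRITE": "subscription_placed_in_management_group",
}


def management_group_from_entity(entity):
    """Equivalent of split(entity, "/")[4] in the post's KQL, but only when the
    path really is a management-group resource ID, so an unrelated entity
    yields None instead of a misleading fourth segment."""
    parts = entity.split("/")
    # "", "providers", "Microsoft.Management", "managementGroups", "<name>", ...
    if (len(parts) >= 5 and parts[1].lower() == "providers"
            and parts[2].lower() == "microsoft.management"
            and parts[3].lower() == "managementgroups"):
        return parts[4]
    return None


def detect_management_group_events(rows):
    """Return one event per successful management-group operation, in row order."""
    events = []
    for row in rows:
        event = EVENT_BY_OPERATION.get(row["OperationNameValue"].upper())
        if event is None or row["ActivityStatusValue"] not in SUCCESS_STATES:
            continue
        props = json.loads(row["Properties"])  # KQL: parse_json(Properties)
        events.append({
            "time": row["TimeGenerated"],
            "event": event,
            "management_group": management_group_from_entity(props.get("entity", "")),
            "subscription_id": row.get("SubscriptionId") or None,
            "caller": props.get("caller"),
            "message": props.get("message"),
        })
    return events


if __name__ == "__main__":
    for e in detect_management_group_events(SAMPLE_ROWS):
        print(e["time"], e["event"], e["management_group"], e["subscription_id"], e["caller"])
```

Run against the constructed rows, the Start row and the storage write are dropped and three events remain: the group write, the group delete, and the subscription placement, each carrying the caller so an analytics rule can map it to an account entity.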
Right now I need help writing a query that shows this:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
    | project clientIp_s, backendHostname_s  // the original omitted the project operator; AzureDiagnostics stores string fields with an _s suffix

This query isn't working. I have a server that is using SSH and the logs there show stuff, but I have a Front Door globally and I need to see the logs there also. What is the best method?

Azure Firewall Logs Kusto Query
Dear Member, in Azure Firewall I have configured the block rule. Now I want to check the traffic it is supposed to deny, and whether it still allows the other traffic. Can someone please help with the Kusto query for this, to see if the block rule is allowing or denying traffic? Appreciate your help with this.

Tables in Sentinel and Schemas in MS365
Just wondering if there is any common data between Sentinel and MS365? I can easily get file certificate information from schemas in MS365, but it is hard to find the information in any tables when working in Sentinel. But sometimes when I use the same query I get the same result. Could someone kindly share some ideas on that? Or do you have any idea where we can find file certificate information in Sentinel? That would help me a lot, thanks so much!

Working with watchlists and ipv4_is_in_any_range() to exclude results from query
Hello! I am struggling with using watchlists as a blacklist. This is my query:

    let list = _GetWatchlist('blacklistedSegments') | summarize make_list(segment);
    SigninLogs
    | where ipv4_is_in_any_range(IPAddress, list); // throws an error

This is my watchlist named "blacklistedSegments", with one column named "segment":

    segment
    1.2.0.0/16
    3.4.0.0/16

I am trying to create a query in which sign-in logs from blacklisted IPs are returned. The problem is that I get the following error: This is probably because make_list() returns an array while the ipv4 method expects a value. Can anyone suggest the correct KQL way of achieving the above? Any suggestion will be highly appreciated! Thanks in advance.

Ben

Azure Sentinel getting account from AAD group query
Hello everyone, I'm in the process of setting up an automatic watchlist update for Sentinel, where whenever an AAD user is added to a specific AAD group, the given user's data will be put into a Sentinel watchlist (like in picture 1). The way I have set it up at the moment is that the alert rule triggers whenever a user is added to the given AAD group and it pulls the log file. That's all well and good, but the log file that is pulled mainly includes data regarding the AAD group and the tenant ID of the entire AAD. I have tried out different mapping options inside Sentinel to pull the right entity/account, but I always get the same "Tenant ID", which I can't find anywhere in our AAD. I have set up a logic app/playbook where it should receive the account from the query, but I'm not sure how to pull the account from the log file. My main issue has been these AAD groups; they seem to mess with the log file compared to when you only target the AAD account (or multiple accounts). Has anyone worked with this before or done something similar? All help and tips are greatly appreciated!

Azure Sentinel false positive incidents due to duplicate logs in SigninLogs
Hello, I've been searching for a way to fix this for the last 2 weeks but I couldn't find anything that works. We have recently deployed Azure Sentinel, and we're getting frequent false positive incidents. While investigating that, I've noticed that in the SigninLogs table some entries are duplicated, and this triggers some rules, for example rules related to "Multiple failed authentication" or "Multiple password reset attempts". I've checked the duplicated rows and they have the exact same values in all columns, so I'm not exactly sure how to proceed from here. I'd like to get rid of the duplicates first, instead of having to apply a workaround to all the analytics rules we have in place. I'd also like to mention that the rules we have enabled are the built-in ones provided by Microsoft. One example would be the one below. Any ideas on how to proceed from here? Thank you!

OMS DNS Analytics solution - no data
Hello - I am trying to get DNS logs into Log Analytics and into Sentinel. The documentation here (https://docs.microsoft.com/en-us/azure/sentinel/connect-dns) says to simply install OMS and check the DnsEvent table. I did, and nothing's there. PS: it's been many days, and nothing is there. Although the documentation does not specify, does DNS diagnostic logging need to be enabled for this to work? And if so, does that mean a custom log and data collection need to be configured for \path\to\dns.log? Side note: I have packetbeat installed, successfully capturing DNS logs without DNS diagnostic logging enabled.