Merge pull request #224096 from yelevin/yelevin/analytics-health-and-audit

Analytics rule health and audit

Author: v-dirichards

articles/sentinel/TOC.yml

@@ -69,7 +69,7 @@
         href: partner-integrations.md
       - name: Basic Logs
         href: basic-logs-use-cases.md
-      - name: Health monitoring 
+      - name: Auditing and health monitoring 
         href: health-audit.md    
     - name: Architecture
       items:
@@ -450,12 +450,14 @@
       href: manage-soc-with-incident-metrics.md
     - name: Monitor Microsoft Sentinel health
       items:
-      - name: Enable health monitoring
+      - name: Enable auditing and health monitoring
         href: enable-monitoring.md
       - name: Monitor data connector health
         href: monitor-data-connector-health.md
       - name: Monitor automation rules and playbooks health
         href: monitor-automation-health.md
+      - name: Audit and monitor the health of analytics rules
+        href: monitor-analytics-rule-integrity.md
       - name: Monitor SAP system health and role
         href: monitor-sap-system-health.md 
     - name: Auditing Microsoft Sentinel with Azure Activity Logs
@@ -537,6 +539,8 @@
       href: /powershell/module/az.securityinsights/
     - name: SentinelHealth table reference 
       href: health-table-reference.md
+    - name: SentinelAudit table reference 
+      href: audit-table-reference.md
     - name: Azure RBAC roles
       items:
       - name: All Azure roles

articles/sentinel/audit-table-reference.md

@@ -0,0 +1,80 @@
+---
+title: Microsoft Sentinel audit tables reference
+description: Learn about the fields in the SentinelAudit tables, used for audit monitoring and analysis.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: reference
+ms.date: 01/17/2023
+ms.service: microsoft-sentinel
+---
+
+# Microsoft Sentinel audit tables reference
+
+This article describes the fields in the SentinelAudit tables, which are used for auditing user activity in Microsoft Sentinel resources. With the Microsoft Sentinel audit feature, you can keep tabs on the actions taken in your SIEM and get information on any changes made to your environment and the users that made those changes. 
+
+Learn how to [query and use the audit table](monitor-analytics-rule-integrity.md) for deeper monitoring and visibility of actions in your environment.
+
+> [!IMPORTANT]
+>
+> The *SentinelAudit* data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+>
+
+Microsoft Sentinel's audit feature currently covers only the analytics rule resource type, though other types may be added later. Many of the data fields in the following tables will apply across resource types, but some have specific applications for each type. The descriptions below will indicate one way or the other.
+
+## SentinelAudit table columns schema
+
+The following table describes the columns and data generated in the SentinelAudit data table:
+
+| ColumnName               | ColumnType     | Description                                                    |
+| ------------------------ | -------------- | -------------------------------------------------------------- |
+| **TenantId**             | String         | The tenant ID for your Microsoft Sentinel workspace.           |
+| **TimeGenerated**        | Datetime       | The time (UTC) at which the audit event occurred.              |
+| <a name="operationname_audit"></a>**OperationName** | String   | The Azure operation being recorded. For example:<br>- `Microsoft.SecurityInsights/alertRules/Write`<br>- `Microsoft.SecurityInsights/alertRules/Delete` |
+| <a name="sentinelresourceid_audit"></a>**SentinelResourceId** | String         | The unique identifier of the Microsoft Sentinel workspace and the associated resource on which the audit event occurred. |
+| **SentinelResourceName** | String         | The resource name. For analytics rules, this is the rule name. |
+| <a name="status_audit"></a>**Status**     | String         | Indicates `Success` or `Failure` for the [OperationName](#operationname_audit). |
+| **Description**          | String         | Describes the operation, including extended data as needed. For example, for failures, this column might indicate the failure reason. |
+| **WorkspaceId**          | String         | The workspace GUID on which the audit issue occurred. The full Azure Resource Identifier is available in the [SentinelResourceID](#sentinelresourceid_audit) column. |
+| **SentinelResourceType** | String         | The Microsoft Sentinel resource type being monitored.          |
+| **SentinelResourceKind** | String         | The specific type of resource being monitored. For example, for analytics rules: `NRT`. |
+| **CorrelationId**        | String         | The event correlation ID in GUID format.                       |
+| **ExtendedProperties**   | Dynamic (json) | A JSON bag that varies by the [OperationName](#operationname_audit) value and the [Status](#status_audit) of the event.<br>See [Extended properties](#extended-properties) for details. |
+| **Type** | String | `SentinelAudit` |
+
+## Operation names for different resource types
+
+| Resource types       | Operation names | Statuses |
+| -------------------- | --------------- | -------- |
+| **[Analytics rules](monitor-analytics-rule-integrity.md)** | - `Microsoft.SecurityInsights/alertRules/Write`<br>- `Microsoft.SecurityInsights/alertRules/Delete` | Success<br>Failure |
+
+## Extended properties
+
+### Analytics rules
+
+Extended properties for analytics rules reflect certain [rule settings](detect-threats-custom.md).
+
+| ColumnName               | ColumnType     | Description                                                     |
+| ------------------------ | -------------- | --------------------------------------------------------------- |
+| **CallerIpAddress**      | String         | The IP address from which the action was initiated.             |
+| **CallerName**           | String         | The user or application that initiated the action.              |
+| **OriginalResourceState** | Dynamic (json) | A JSON bag that describes the rule before the change.          |
+| **Reason**               | String     | The reason why the operation failed. For example: `No permissions`. |
+| **ResourceDiffMemberNames** | Array\[String\] | An array of the properties that changed on the relevant resource. For example: `['custom_details','look_back']`. |
+| **ResourceDisplayName**  | String         | Name of the analytics rule on which the audit issue occurred.   |
+| **ResourceGroupName**    | String      | Resource group of the workspace on which the audit issue occurred. |
+| **ResourceId**      | String     | The resource ID of the analytics rule on which the audit issue occurred. |
+| **SubscriptionId**  | String      | The subscription ID of the workspace on which the audit issue occurred. |
+| **UpdatedResourceState** | Dynamic (json) | A JSON bag that describes the rule after the change.            |
+| **Uri**                  | String         | The full-path resource ID of the analytics rule.                |
+| **WorkspaceId**        | String       | The resource ID of the workspace on which the audit issue occurred. |
+| **WorkspaceName**        | String         | The name of the workspace on which the audit issue occurred.    |
+
+
+## Next steps
+
+- Learn about [auditing and health monitoring in Microsoft Sentinel](health-audit.md).
+- [Turn on auditing and health monitoring](enable-monitoring.md) in Microsoft Sentinel.
+- [Monitor the health of your automation rules and playbooks](monitor-automation-health.md).
+- [Monitor the health of your data connectors](monitor-data-connector-health.md).
+- [Monitor the health and integrity of your analytics rules](monitor-analytics-rule-integrity.md).
+- [SentinelHealth tables reference](health-table-reference.md)

articles/sentinel/enable-monitoring.md

@@ -1,71 +1,87 @@
 ---
-title: Turn on health monitoring in Microsoft Sentinel
+title: Turn on auditing and health monitoring in Microsoft Sentinel
 description: Monitor supported data connectors by using the SentinelHealth data table.
-ms.topic: how-to
-ms.date: 11/07/2022
 author: limwainstein
 ms.author: lwainstein
-ms.service: microsoft-sentinel
+ms.topic: how-to
+ms.date: 01/19/2023
 ---
 
-# Turn on health monitoring for Microsoft Sentinel (preview)
+# Turn on auditing and health monitoring for Microsoft Sentinel (preview)
+
+Monitor the health and audit the integrity of supported Microsoft Sentinel resources by turning on the auditing and health monitoring feature in Microsoft Sentinel's **Settings** page. Get insights on health drifts, such as the latest failure events or changes from success to failure states, and on unauthorized actions, and use this information to create notifications and other automated actions.
 
-Monitor the health of supported Microsoft Sentinel resources by turning on the health monitoring feature in Microsoft Sentinel's **Settings** page. Get insights on health drifts, such as the latest failure events or changes from success to failure states, and use this information to create notifications and other automated actions.
+To get health data from the *SentinelHealth* data table, or to get auditing information from the *SentinelAudit* data table, you must first turn on the Microsoft Sentinel auditing and health monitoring feature for your workspace.
 
-To get health data from the *SentinelHealth* data table, you must first turn on the Microsoft Sentinel health feature for your workspace.
+This article instructs you how to turn on these features.
 
-When the health feature is turned on, the *SentinelHealth* data table is created at the first success or failure event generated for supported resource types.
+When the feature is turned on, the *SentinelHealth* and *SentinelAudit* data tables are created at the first event generated for the selected resources.
 
-The following resource types are currently supported:
+The following resource types are currently supported for health monitoring:
+- Analytics rules (New!)
 - Data connectors
 - Automation rules
 - Playbooks (Azure Logic Apps workflows)
     > [!NOTE]
     > When monitoring playbook health, you'll also need to collect Azure Logic Apps diagnostic events from your playbooks in order to get the full picture of your playbook activity. See [**Monitor the health of your automation rules and playbooks**](monitor-automation-health.md) for more information.
 
-To configure the retention time for your health events, see [Configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).
+Only the analytics rule resource type is currently supported for auditing.
+
+
+To configure the retention time for your audit and health events, see [Configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).
 
 > [!IMPORTANT]
 >
-> The *SentinelHealth* data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+> The *SentinelHealth* and *SentinelAudit* data tables are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 >
 
-## Turn on health monitoring for your workspace
+## Turn on auditing and health monitoring for your workspace
 
 1. In Microsoft Sentinel, under the **Configuration** menu on the left, select **Settings**.
 
 1. Select **Settings** from the banner.
 
-1. Scroll down to the **Health monitoring** section that appears below, and select it to expand.
+1. Scroll down to the **Auditing and health monitoring** section that appears below, and select it to expand.
 
-1. Select **Configure Diagnostic Settings**.
+1. Select **Enable** to enable auditing and health monitoring across all resource types and to send the auditing and monitoring data to your Microsoft Sentinel workspace (and nowhere else). 
+
+    Or, select the **Configure diagnostic settings** link to enable health monitoring only for the data collector and/or automation resources, or to configure advanced options, like additional places to send the data.
 
     :::image type="content" source="media/enable-monitoring/enable-health-monitoring.png" alt-text="Screenshot shows how to get to the health monitoring settings.":::
 
-1. In the **Diagnostic settings** screen, select **+ Add diagnostic setting**.
+    If you selected **Enable**, then the button will gray out and change to read **Enabling...** and then **Enabled**. At that point, auditing and health monitoring is enabled, and you're done! The appropriate diagnostic settings were added behind the scenes, and you can view and edit them by selecting the **Configure diagnostic settings** link.
+
+1. If you selected **Configure diagnostic settings**, then in the **Diagnostic settings** screen, select **+ Add diagnostic setting**.
+
+    (If you're editing an existing setting, select it from the list of diagnostic settings.)
 
     - In the **Diagnostic setting name** field, enter a meaningful name for your setting.
 
-    - In the **Logs** column, select the appropriate **Categories** for the resource types you want to monitor, for example **Data Collection - Connectors**.
+    - In the **Logs** column, select the appropriate **Categories** for the resource types you want to monitor, for example **Data Collection - Connectors**. Select **allLogs** if you want to monitor analytics rules.
 
     - Under **Destination details**, select **Send to Log Analytics workspace**, and select your **Subscription** and **Log Analytics workspace** from the dropdown menus.
 
+        :::image type="content" source="media/enable-monitoring/diagnostic-settings.png" alt-text="Screenshot of diagnostic settings screen for enabling auditing and health monitoring.":::
+
+        If you require, you may select other destinations to which to send your data, in addition to the Log Analytics workspace.
+
 1. Select **Save** on the top banner to save your new setting.
 
-The *SentinelHealth* data table is created at the first success or failure event generated for the selected resources.
+The *SentinelHealth* and *SentinelAudit* data tables are created at the first event generated for the selected resources.
 
-## Access the *SentinelHealth* table
+## Verify that the tables are receiving data
 
 In the Microsoft Sentinel **Logs** page, run a query on the  *SentinelHealth* table. For example:
 
 ```kusto
-SentinelHealth
+_SentinelHealth()
  | take 20
 ```
 
 ## Next steps
 
-- Learn what [health monitoring in Microsoft Sentinel](health-audit.md) can do for you.
-- [Monitor the health of your Microsoft Sentinel data connectors](monitor-data-connector-health.md).
-- [Monitor the health of your Microsoft Sentinel automation rules](monitor-automation-health.md).
-- See more information about the [*SentinelHealth* table schema](health-table-reference.md).
+- Learn about [auditing and health monitoring in Microsoft Sentinel](health-audit.md).
+- [Monitor the health of your automation rules and playbooks](monitor-automation-health.md).
+- [Monitor the health of your data connectors](monitor-data-connector-health.md).
+- [Monitor the health and integrity of your analytics rules](monitor-analytics-rule-integrity.md).
+- See more information about the [*SentinelHealth*](health-table-reference.md) and [*SentinelAudit*](audit-table-reference.md) table schemas.