Microsoft Azure Sentinel 101: Using Logic Apps to build dynamic automated email reports for Log/Event Source Ingesting and Endpoint Monitoring

Truvis Thornton
5 min read · Jun 9, 2023


One of the things we must learn to do, if we don’t do it already, is to monitor and maintain our SIEM deployments and ensure that we are getting all the required information in and not losing a single event.

One area where Sentinel does not do a great job is event source monitoring, or ESM. There are many different ways to work around this (stay tuned and subscribe for the videos and blog posts). In this article we will touch on one way to do that while learning how to use Logic Apps for reporting.

One of the nice parts of Sentinel is that the Data Connectors have graphs showing log ingestion, but we don’t want to have to log in and view them every day. So one thing we can do is duplicate that graph, make it automatic, and ship it to ourselves daily, as shown below.

One thing to keep in mind is that the Computer field can sometimes pick up random endpoints. This happens, as shown below, when a Nessus scan is used. Depending on your setup, you can filter this out.

If you are curious how to get there, see the picture below. We won’t need to visit every single DC; we will only need one of the queries.

NOTE: If you would like to deploy this instantly, visit the GitHub and click the deploy button.

The next step is to go to the Logic Apps section and build out a logic app.

If you don’t have a quick link to it, you can type its name in the search box at the top to find it.

Set the RG and change the Logic App plan to Consumption. This is the cheaper way to run it, especially for testing. If you run an app that takes a long time and gets costly, you may want to look into the other way of running the app for cost control.

The goal is to create a fully self-managed Logic App that will loop over and create graphs for each data table that we have.

CHALLENGE: If you would like to try and do this yourself, go for it! If you want a cheat, scroll down to the overview layout. Otherwise, keep scrolling to learn and understand how it all works.

So the first step is to set the recurrence trigger and then run the query. From there we create our master template string, which we keep appending string data to, and then attach it as HTML to the email and send it out.

The next step is to run that query for each of the DCs, but first we want to do it for the Total Event Count to see how many events we have coming in from all the sources together.

We also want to print a graph for that information; however, you have to do some fancy JSON parsing to get that data. We take the results and pipe them into a JSON schema we created, which lets the JSON parser split the query output into separate variables. After this we can take the variable we want, the base64 image data, and add it into the HTML section to display the graph.

Now comes the fun part. We need a way to handle all our DCs without manually entering their names. For this we use the loop method and feed it the distinct table names returned by our first query. From there we use the same templates as before, but now with the results and information being looped over in the array.

Now for the last section: we want to do the same, but this time we look for endpoints that are no longer being seen.

NOTE: Keep in mind this works best when the Agent is deployed. Mileage will vary if other log source ingestion methods are used, and you will have to adapt accordingly. Be sure to follow for more topics in this area.

What we want to do is look through all the Data Tables for the Computer field and then do a lookback and compare. If we have the value in the past, let’s see if it still exists in the here and now. If not, let’s print it out along with the last time it was seen.
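The lookback-and-compare logic above, written as a standalone KQL query (an added example, not the query from the post or its GitHub deployment). It assumes the Computer and TimeGenerated columns that agent-fed Log Analytics tables carry; the 14-day/24-hour windows and the ScannerNoise list are constructed placeholders you would tune to your environment.

```kql
// Added example: endpoints seen in the lookback window that have not
// reported in the current window, with the last time each was seen.
let LookbackWindow = 14d;   // constructed: how far back "the past" reaches
let CurrentWindow  = 24h;   // constructed: what counts as "here and now"
// Placeholder list for hosts that only show up because of scanner traffic
// (the Nessus noise mentioned above); replace with your own names.
let ScannerNoise = dynamic(["scanner-placeholder-host"]);
// Every table that carries a Computer value, tagged with its table name.
let ComputersSeen = union withsource=SourceTable *
    | where TimeGenerated > ago(LookbackWindow)
    | where isnotempty(Computer)
    | where Computer !in (ScannerNoise)
    | project TimeGenerated, Computer, SourceTable;
// Hosts present in the past, with when and where they were last seen.
let Previous = ComputersSeen
    | where TimeGenerated < ago(CurrentWindow)
    | summarize LastSeen = max(TimeGenerated), Tables = make_set(SourceTable) by Computer;
// Hosts present in the current window.
let Current = ComputersSeen
    | where TimeGenerated >= ago(CurrentWindow)
    | distinct Computer;
// leftanti keeps only the past hosts with no match in the current window.
Previous
| join kind=leftanti Current on Computer
| extend HoursSinceLastSeen = datetime_diff('hour', now(), LastSeen)
| project Computer, LastSeen, HoursSinceLastSeen, Tables
| order by LastSeen asc
```

Because `union *` scans every table in the workspace, run it with the narrowest lookback you can justify, and let the Logic App recurrence decide how often it is worth paying for.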

Finally, we can close out our HTML template and send the email.

We do a few fancy things, such as using time methods to add the current and previous dates to the titles. If you wanted, you could also attach this as an HTML file, or send it to a 3rd-party ($) service to create and attach a PDF document.

---

☕ Like what you read? Did it help you?

Send some coffee and love https://buymeacoffee.com/truvis :)
Your support helps pay for licenses, research & development, and other costs that allow me to bring you new guides and content!

❗If you are new to my content, be sure to follow/connect with me on all my other socials for new ideas and solutions to complicated real world problems and jump start your career! New content drops daily/weekly along with tips and tricks :)

👉 W: https://truv.is
👉 T: https://twitter.com/thattechkitten
👉 Y: https://www.youtube.com/@TRUValueInformationSecurity
👉 G: https://github.com/truvis
👉 L: https://www.linkedin.com/in/truvisthornton
👉 M: https://medium.com/@truvis.thornton


Truvis Thornton

🛡Cyber Defense Architect 🕵🏼‍♂️Threat Hunter/Researcher 👨🏻‍🔬Detection Engineer 👨🏻‍💻SIEM/SOAR/SOC 💡Follow for new ideas and solutions