I built a read-only tool for finding SIEM detections that are silently blind. Looking for Sentinel input.
▲ 13 r/AzureSentinel+1 crossposts

I built a read-only tool for finding SIEM detections that are silently blind. Looking for Sentinel input.

I’ve been working on a small open-source tool called deadair after running into a detection engineering problem that I don’t think normal rule-health checks cover well.

Repo: https://github.com/Big-Comfy/deadair
Release: https://github.com/Big-Comfy/deadair/releases/tag/v0.3.4

Most SIEMs can tell you whether a rule ran. That’s useful, but it doesn’t always tell you whether the rule still had the data it expected when it ran. A rule can be enabled, scheduled, green in the UI, and still be effectively blind because the log source stopped shipping, the index pattern matches nothing in this environment, a parser upgrade removed a field, or a batch-fed source is arriving after the lookback window has already passed.

deadair tries to check that other half. It maps enabled detections to the telemetry they depend on, then reports dead rules, impaired rules, stale/empty sources, unused telemetry, and the blast radius of a source going quiet.

Right now it supports Elastic Security 8.x and OpenSearch Security Analytics 2.x.

I want to add Microsoft Sentinel next. To do that properly, I need access to a real Sentinel tenant or a partner willing to test with one. Docs and synthetic fixtures will not be enough because the hard parts are real-world KQL, functions, ASIM parsers, watchlists, custom tables, cross-workspace queries, and permission boundaries.

If this sounds useful, I’d appreciate feedback or a DM. Blunt “this won’t work because…” feedback is useful too.

u/Big-Comfortable-70 — 1 day ago