r/AzureSentinel

I built a read-only tool for finding SIEM detections that are silently blind. Looking for Sentinel input.
▲ 13 r/AzureSentinel+1 crossposts

I built a read-only tool for finding SIEM detections that are silently blind. Looking for Sentinel input.

I’ve been working on a small open-source tool called deadair after running into a detection engineering problem that I don’t think normal rule-health checks cover well.

Repo: https://github.com/Big-Comfy/deadair
Release: https://github.com/Big-Comfy/deadair/releases/tag/v0.3.4

Most SIEMs can tell you whether a rule ran. That’s useful, but it doesn’t always tell you whether the rule still had the data it expected when it ran. A rule can be enabled, scheduled, green in the UI, and still be effectively blind because the log source stopped shipping, the index pattern matches nothing in this environment, a parser upgrade removed a field, or a batch-fed source is arriving after the lookback window has already passed.

deadair tries to check that other half. It maps enabled detections to the telemetry they depend on, then reports dead rules, impaired rules, stale/empty sources, unused telemetry, and the blast radius of a source going quiet.

Right now it supports Elastic Security 8.x and OpenSearch Security Analytics 2.x.

I want to add Microsoft Sentinel next. To do that properly, I need access to a real Sentinel tenant or a partner willing to test with one. Docs and synthetic fixtures will not be enough because the hard parts are real-world KQL, functions, ASIM parsers, watchlists, custom tables, cross-workspace queries, and permission boundaries.

If this sounds useful, I’d appreciate feedback or a DM. Blunt “this won’t work because…” feedback is useful too.

u/Big-Comfortable-70 — 1 day ago

Defender P2 for Servers - Sentinel Benefit

Hi,

We have one subscription that has our Azure Arc enabled machines with the Defender for Cloud P2 applied.

Sentinel is deployed in another subscription. Defender isn't enabled for the log workspace.

My understanding is that if we use the Windows Security Events via AMA to collect events from the Arc Machines, the 500mb benefit won't apply?

I have to enable Data Collection on the Sentinel Workspace in Defender for Cloud, but the sentinel workspace doesn't have those servers reporting to them?

Does that make sense? This is very confusing for me but maybe I'm over complicating it

reddit.com
u/DaithiG — 4 days ago