Watching the Watchers: Monitoring Microsoft Sentinel Repositories Activity

If you’ve not used the Repositories feature of Microsoft Sentinel and you have need to deploy content like rules, workbooks, etc., you should give it a try. It’s a powerful tool to enable you to deploy a uniform set of content to your own Sentinel environment or others in other tenants or workspaces that you manage.

For example, just dropping a JSON file (deployment template) full of new Analytics Rules in my own GitHub repository causes them to show up almost immediately in my Microsoft Sentinel environment. Pretty slick! And, as this feature continues to improve, expect to see a lot of additional goodness come to it.

But with anything related to security – particularly in Microsoft Sentinel – it’s important to both supply appropriate access to features like Repositories and monitor to make sure that trust is not squandered.

While building demos for Repositories for an upcoming in-person conference, I noticed that every time I placed a new JSON file in my own repository and it deployed to my environment, a Microsoft Sentinel Incident was generated.

Long ago I built an Analytics Rule for a customer that generates an alert whenever an Analytics Rule is created or modified. So, it actually also works in this case with Repositories. Its logical that it works, it just surprised me as I wasn’t expecting it.

So, it’s probably a good idea if you also want to have the capability to grab the Analytics Rule and try it out yourself.

//Analytics Rule to report when someone creates or modifies an Analytics Rule
//Entities: Caller, Caller IP, and Analytics Rule ID
| where ActivityStatusValue == "Success"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress
| extend URLCustomEntity = Analytics_Rule_ID

The most current version of this rule will always be located here: SentinelKQL/AnalyticsRuleCreatedorModified.txt at master · rod-trent/SentinelKQL (

I don’t have a rule currently for other Microsoft Sentinel content to monitor other Repositories activity but hope to build rules for those soon. If you create something before I do, let me know over Twitter: @rodtrent

BTW: There’s also one for tracking when an Analytics Rule is deleted: SentinelKQL/AnalyticsRuleDeleted.txt at master · rod-trent/SentinelKQL (


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]


Leave a Reply