
Sentinel SIEM Support of Digital Forensics Chain of Custody

  • brencronin
  • 2 days ago
  • 3 min read

Digital Investigations: Sentinel Log Export and Chain of Custody

Overview


Digital investigations increasingly rely on centralized log platforms such as Microsoft Sentinel to support forensic analysis. With this shift comes the requirement to maintain a strict chain of custody for all exported data, so that its integrity can be proven, every handling step can be traced to a person and a time, and the evidence remains admissible.


There are two primary approaches for exporting Sentinel data in support of investigations:


  1. Query-Based Export

    1. Manual

    2. Automated

  2. Direct Integration of Sentinel Incident with Case Evidence Storage


Query-Based Export


Investigators execute KQL queries to retrieve data relevant to a case. The results are then exported for external analysis or storage.


Export Methods


  • CSV / Excel Export - Export results directly from the Sentinel Logs interface as .csv or Excel files

  • Power BI Export - Export queries as M queries for use in Power BI to support analysis and reporting


Chain of Custody Controls (Query-Based Export)


Chain of custody is maintained across multiple layers:


Data Integrity


  • Exported files are cryptographically hashed (e.g., SHA-256) at the moment of export, before they are copied anywhere else

  • Hash values are recorded together with the case ID, exporter, timestamp, and the query that produced the file, and stored alongside the evidence

  • Re-computing the hash later and comparing it with the recorded value verifies that the data has not been altered since export


Investigation Workflow Tracking


  • A dedicated Hunt (the investigation workspace under Sentinel's Hunting blade) is created for the case

  • All KQL queries related to the investigation are:

    • Developed

    • Executed

    • Documented


Audit Logging (Critical for Traceability)


The following logs provide a verifiable audit trail:


  • Query Execution

    • LAQueryLogs – Captures query text, user (AADEmail), client application, response code, row count, and a CorrelationId for each query. This table is not populated by default: enable the Audit category in the Log Analytics workspace's diagnostic settings before the investigation starts, since queries run earlier cannot be recovered

    • KQLQueryCompleted – Records query execution completion and attribution

  • Sentinel / Azure Activity

    • AzureActivity – Tracks resource-level (control plane) actions on the workspace and related resources

    • SentinelAudit – Tracks Sentinel configuration and operational changes (analytics rules, automation, etc.)

  • File Handling / Data Movement

    • CloudAppEvents (Microsoft Defender for Cloud Apps) – Tracks file access, sharing, and transfers in connected cloud apps, which is where an exported CSV typically ends up if it is saved to OneDrive or SharePoint
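The two layers above, file integrity and query audit, only provide a chain of custody if they are tied together: the manifest stored with an exported file should name the LAQueryLogs record of the query that produced it. The block below is an added example, not code from the original post, showing one way to do that. It assumes a .csv export from the Logs blade, a LAQueryLogs row fetched separately (a constructed row is embedded here, as are the export rows), and a JSON manifest layout of our own; the KQL string is the query an auditor would run to pull the matching record.

```python
"""Added example (not from the original post): build and later verify a chain-of-custody
manifest for a query-based Sentinel export. The manifest layout, file names and sample
rows are assumptions made for this example."""
from __future__ import annotations
import csv
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# KQL an auditor runs to retrieve the LAQueryLogs record for an investigator's queries;
# {start}, {end} and {user} are placeholders filled in per case.
LAQUERYLOGS_KQL = """LAQueryLogs
| where TimeGenerated between (datetime({start}) .. datetime({end}))
| where AADEmail =~ "{user}"
| project TimeGenerated, AADEmail, RequestClientApp, QueryText,
          ResponseCode, ResponseRowCount, CorrelationId"""

# Constructed LAQueryLogs row (not real telemetry) for the query that produced the export.
SAMPLE_QUERY_RECORD = {
    "TimeGenerated": "2024-05-02T14:03:11Z",
    "AADEmail": "analyst@contoso.example",
    "RequestClientApp": "AzurePortal",
    "QueryText": 'SigninLogs | where UserPrincipalName == "victim@contoso.example"',
    "ResponseCode": 200,
    "ResponseRowCount": 2,
    "CorrelationId": "1f3a9c2e-7d4b-4b0e-9a1c-000000000001",
}

# Constructed export rows (what the analyst saved as .csv from the Logs blade).
SAMPLE_EXPORT_ROWS = [
    {"TimeGenerated": "2024-05-01T09:12:00Z", "UserPrincipalName": "victim@contoso.example",
     "IPAddress": "203.0.113.7", "ResultType": "0"},
    {"TimeGenerated": "2024-05-01T09:20:30Z", "UserPrincipalName": "victim@contoso.example",
     "IPAddress": "198.51.100.23", "ResultType": "50126"},
]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash in chunks so multi-gigabyte exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_export(path: Path, rows: list[dict]) -> Path:
    with path.open("w", newline="", encoding="utf-8") as f:
        w = csv.DictWriter(f, fieldnames=list(rows[0]))
        w.writeheader()
        w.writerows(rows)
    return path


def build_manifest(export_path: Path, query_record: dict, case_id: str, workspace_id: str) -> dict:
    """Record the file hash together with the audit-log identity of the query that produced it."""
    if query_record["ResponseCode"] != 200:
        raise ValueError("export came from a failed query; do not admit it as evidence")
    return {
        "case_id": case_id,
        "workspace_id": workspace_id,
        "file": export_path.name,
        "size_bytes": export_path.stat().st_size,
        "sha256": sha256_file(export_path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "query": {
            "correlation_id": query_record["CorrelationId"],   # key back into LAQueryLogs
            "executed_utc": query_record["TimeGenerated"],
            "executed_by": query_record["AADEmail"],
            "client_app": query_record["RequestClientApp"],
            "text": query_record["QueryText"],
            "text_sha256": sha256_bytes(query_record["QueryText"].encode()),
            "row_count": query_record["ResponseRowCount"],
        },
    }


def verify_export(manifest: dict, export_path: Path) -> list[str]:
    """Return the list of discrepancies; an empty list means the evidence is intact."""
    if not export_path.exists():
        return [f"missing file: {export_path.name}"]
    problems = []
    if export_path.stat().st_size != manifest["size_bytes"]:
        problems.append("size mismatch")
    if sha256_file(export_path) != manifest["sha256"]:
        problems.append("sha256 mismatch")
    with export_path.open(newline="", encoding="utf-8") as f:
        rows = sum(1 for _ in csv.DictReader(f))   # data rows, header excluded
    if rows != manifest["query"]["row_count"]:
        problems.append(f"row count {rows} != LAQueryLogs ResponseRowCount {manifest['query']['row_count']}")
    return problems


def demo() -> tuple[dict, list[str], list[str]]:
    """Build a manifest for a constructed export, verify it, then detect a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        export = write_export(Path(d) / "CASE-0042_signins.csv", SAMPLE_EXPORT_ROWS)
        manifest = build_manifest(export, SAMPLE_QUERY_RECORD, "CASE-0042",
                                  "00000000-0000-0000-0000-000000000000")
        (Path(d) / "CASE-0042_signins.manifest.json").write_text(json.dumps(manifest, indent=2))
        intact = verify_export(manifest, export)
        # Simulate post-export editing: swap one IP address for another of the same length.
        export.write_bytes(export.read_bytes().replace(b"198.51.100.23", b"198.51.100.99"))
        tampered = verify_export(manifest, export)
    return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before:", before or "intact", "| after:", after)
```

The manifest is only as trustworthy as where it is kept: write it, together with the export, to the immutable evidence container rather than next to the analyst's working copy, and keep the LAQueryLogs CorrelationId so an auditor can re-pull the original query record from the workspace independently of the analyst's notes.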


Query-Based Export - Automation via Logic Apps


To improve consistency and reduce manual effort, Azure Logic Apps can be used to automate the process.


  • Automatically execute predefined queries

  • Export results directly to secure storage

  • Upload evidence to immutable Azure storage containers

  • Maintain consistent chain of custody handling


The same verifiable audit logs track all actions taken by this type of solution. Logic App activity is split across two places: Azure Activity Logs (control plane: who created or updated the workflow) and Diagnostic/Resource Logs (data plane: runtime execution details such as trigger and action events, failures, and workflow status). The diagnostic logs are not enabled by default, so add a diagnostic setting that sends them to Log Analytics before the automation is used for evidence handling.


Direct Integration of Sentinel Incident with Case Evidence Storage


The key distinction between this solution and the prior Logic App based approach is the trigger and the data source.


  • In this solution, the Logic App is triggered by Microsoft Sentinel incidents and automatically collects and stores incident-related data in the forensic evidence container in Azure Storage.

  • In the prior solution, the Logic App supports investigations initiated outside of Sentinel incidents (e.g., systems or users that did not generate an alert), but still automates evidence collection and storage in the same forensic container.


In both cases, automation ensures consistent, centralized evidence handling; the difference lies in whether the workflow is incident-driven or investigator-driven.


The article 'Build: Azure Sentinel – Automated Evidence Storage Folders' outlines this process: https://sra.io/blog/build-azure-sentinel-automated-evidence-storage-folders/


The article outlines a practical solution to a key gap in Microsoft Sentinel, the lack of native digital forensics evidence storage for incidents, by building an automated, cloud-native evidence management workflow using Azure services. This solution involves creating a “sidecar” evidence repository that:


  • Automatically generates a storage location per incident

  • Links that storage directly to the incident

  • Tracks and updates evidence activity in real time


How It Works (High-Level Architecture)


1. Storage Layer


  • Use an Azure Storage Account (Blob container)

  • Each incident gets its own folder (named by Incident ID)

  • Can be configured as immutable (tamper-proof) with a blob immutability policy, so uploaded evidence cannot be modified or deleted during the retention period


2. Incident-Triggered Automation


  • A Logic App triggers when a Sentinel incident is created

  • It:

    • Creates a folder for the incident

    • Stores the Incident ARM ID

    • Adds a link back to the storage location in the incident


3. Evidence Upload Monitoring


  • A second Logic App triggers when files are added to storage

  • It:

    • Identifies the related incident

    • Updates the incident with evidence upload activity


4. Event Integration


  • Azure Event Grid (Blob “created” events) triggers the workflow

  • Enables real-time synchronization between storage and incident records
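Steps 3 and 4 hinge on one decision: given a Blob "created" event, which incident does the blob belong to, and what should be written back to that incident? The block below is an added example and not the SRA article's Logic App; it writes that decision logic out in Python so the rules can be read and tested. It assumes the container is named "evidence", that each incident folder is the Sentinel incident number as the first path segment, and that the embedded events are constructed Event Grid payloads in the Microsoft.Storage.BlobCreated / BlobDeleted schema.

```python
"""Added example (not the SRA article's Logic App): routing Event Grid blob events to
Sentinel incidents. Container name, folder convention and the events are assumptions."""
from __future__ import annotations
import re

EVIDENCE_CONTAINER = "evidence"  # assumed name of the forensic evidence container
# Event Grid subject for blob events: /blobServices/default/containers/<container>/blobs/<path>
SUBJECT_RE = re.compile(r"^/blobServices/default/containers/(?P<container>[^/]+)/blobs/(?P<blob>.+)$")

# Constructed Event Grid batch (not real events). Event Grid delivers events as an array.
SAMPLE_EVENTS = [
    {   # evidence upload for incident 1234
        "id": "a1", "eventType": "Microsoft.Storage.BlobCreated", "eventTime": "2024-05-02T15:10:00Z",
        "subject": "/blobServices/default/containers/evidence/blobs/1234/memory/host01.raw",
        "data": {"api": "PutBlob", "eTag": "0x8DC6A1B2C3D4E5F", "contentLength": 4294967296,
                 "blobType": "BlockBlob",
                 "url": "https://forensicsacct.blob.core.windows.net/evidence/1234/memory/host01.raw"},
    },
    {   # created at the container root, not inside an incident folder
        "id": "a2", "eventType": "Microsoft.Storage.BlobCreated", "eventTime": "2024-05-02T15:11:00Z",
        "subject": "/blobServices/default/containers/evidence/blobs/notes.txt",
        "data": {"api": "PutBlob", "eTag": "0x8DC6A1B2C3D4E60", "contentLength": 12, "blobType": "BlockBlob",
                 "url": "https://forensicsacct.blob.core.windows.net/evidence/notes.txt"},
    },
    {   # different container: ignore
        "id": "a3", "eventType": "Microsoft.Storage.BlobCreated", "eventTime": "2024-05-02T15:12:00Z",
        "subject": "/blobServices/default/containers/scratch/blobs/1234/tmp.bin",
        "data": {"api": "PutBlob", "eTag": "0x8DC6A1B2C3D4E61", "contentLength": 1, "blobType": "BlockBlob",
                 "url": "https://forensicsacct.blob.core.windows.net/scratch/1234/tmp.bin"},
    },
    {   # deletion inside an incident folder: not an upload, flagged separately
        "id": "a4", "eventType": "Microsoft.Storage.BlobDeleted", "eventTime": "2024-05-02T15:13:00Z",
        "subject": "/blobServices/default/containers/evidence/blobs/1234/memory/host01.raw",
        "data": {"api": "DeleteBlob",
                 "url": "https://forensicsacct.blob.core.windows.net/evidence/1234/memory/host01.raw"},
    },
]


def parse_subject(subject: str) -> tuple[str, str] | None:
    m = SUBJECT_RE.match(subject)
    return (m["container"], m["blob"]) if m else None


def incident_for_blob(container: str, blob_path: str) -> str | None:
    """Map a blob to its incident: evidence/<incident number>/<anything>."""
    if container != EVIDENCE_CONTAINER:
        return None
    folder, _, rest = blob_path.partition("/")
    return folder if folder.isdigit() and rest else None


def evidence_comment(event: dict, blob_path: str) -> str:
    """Text to post on the incident; eTag and size let a reviewer cross-check the blob later."""
    d = event["data"]
    return (f"Evidence uploaded {event['eventTime']}: {blob_path} "
            f"({d.get('contentLength')} bytes, eTag {d.get('eTag')}, via {d.get('api')}) -> {d.get('url')}")


def route_events(events: list[dict]) -> dict:
    """Return incident comments keyed by incident number, plus skipped and deletion events."""
    out: dict = {"comments": {}, "skipped": [], "deleted": []}
    for ev in events:
        parsed = parse_subject(ev.get("subject", ""))
        incident = incident_for_blob(*parsed) if parsed else None
        if incident is None:
            out["skipped"].append(ev["id"])
            continue
        blob_path = parsed[1]
        if ev.get("eventType") == "Microsoft.Storage.BlobDeleted":
            # An immutability policy should make this impossible; surface it rather than ignore it.
            out["deleted"].append((incident, blob_path))
        elif ev.get("eventType") == "Microsoft.Storage.BlobCreated":
            out["comments"].setdefault(incident, []).append(evidence_comment(ev, blob_path))
        else:
            out["skipped"].append(ev["id"])
    return out


if __name__ == "__main__":
    for incident, comments in route_events(SAMPLE_EVENTS)["comments"].items():
        print(incident, "\n  " + "\n  ".join(comments))
```

In the Logic App these same checks become a condition on the event subject before the "update incident" action; without them, uploads to unrelated containers or to the container root would either fail the workflow or be attached to the wrong incident.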


Digital Forensics Chain of Custody Process Documentation (Sentinel)


It is also critical that the steps of these processes, including which audit tables must be enabled, how exports are hashed and stored, and how the Logic App workflows are configured and logged, are documented within the Digital Investigations Chain of Custody SOPs.


References


Audit Microsoft Sentinel queries and activities


Monitor resource health for Azure Logic Apps by setting up logging in Azure Security Center


Build: Azure Sentinel – Automated Evidence Storage Folders
