Sentinel Data Connector Health Monitoring
A common challenge after deploying Microsoft Sentinel is keeping track of the health of your data connectors. The SentinelHealth table, currently in preview, is the foundation for finding health status information about your Sentinel instance. Today we take a look at how to start monitoring the health of our Microsoft Sentinel data connectors.
Let’s jump right in to get things started:
First, sign in to the Azure portal at https://portal.azure.com and open your Microsoft Sentinel workspace.
In the left-hand menu, scroll down and open Settings.
Select the Settings tab (the Pricing tab opens by default), then expand Health monitoring.
Select Configure Diagnostic Settings
Click on +Add diagnostic setting if no setting exists yet to capture your health information. Click on Edit setting on the far right-hand side if you already have a setting here, like I do:
Choose the categories of logs to collect. Today, we need to make sure we capture Data Collection – Connectors. My example below has “allLogs” selected, which includes that category, so we are good!
If you are adding a new setting, fill in the required fields such as name and choose your Subscription and Log Analytics Workspace to save your log data into.
Next, Click on Save in the top-left.
Now we can have a bit of fun!
Head back to your Microsoft Sentinel blade and select Logs. Remember that it may take a little while for the health records to start arriving in the Log Analytics workspace you chose in the diagnostic setting, so maybe grab a cup of your favourite coffee and come back.
Enter a little test query to quickly grab a few rows of your SentinelHealth table:
SentinelHealth | take 20
Click on Run and take a look at the rows returned. Since we can now use KQL to query the health records of our Sentinel data connectors, the same query can drive an Analytics Rule or other monitoring that creates Incidents and Alerts to tell us about issues.
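As an added example (not a query from the original post), here is a KQL query of the kind you would put behind a scheduled Analytics Rule. It takes the most recent health record for each data connector in the last 24 hours and reports only the connectors whose latest record is not a success, so a connector that failed and then recovered does not keep paging you. The column names (TimeGenerated, SentinelResourceType, SentinelResourceName, Status, OperationName, Description, Reason, SentinelResourceId) come from the SentinelHealth schema; the string values compared against SentinelResourceType and Status are assumptions you should confirm against your own table first with `SentinelHealth | distinct SentinelResourceType, Status`.

```kql
// Added example, not part of the original post.
// Goal: list data connectors whose most recent SentinelHealth record is a failure.
// Assumption: SentinelResourceType uses the value "Data connector" and a healthy
// record carries Status == "Success"; verify both with a `distinct` query first.
let lookback = 24h;
SentinelHealth
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Data connector"        // assumed value, see lead-in
// Keep only the latest record per connector, so recovered connectors drop out.
| summarize arg_max(TimeGenerated, *) by SentinelResourceName
| where Status != "Success"                             // assumed value, see lead-in
| project
    LastSeen = TimeGenerated,
    SentinelResourceName,
    Status,
    OperationName,
    Reason,
    Description,
    SentinelResourceId
| order by LastSeen desc
```

To turn this into an alert, create a scheduled Analytics Rule with this query, run it every hour with a lookback that matches the 24h window, and set the alert threshold to "greater than 0" results. Because the query keeps the connector name, status and reason in the projected columns, the resulting incident tells you which connector broke and why without having to re-run the query by hand.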
Awesome job getting through that!
Next time, we’ll take a look at how we can explore and report on this SentinelHealth data in a standardized way.