Sentinel Health Data Visualization & Reporting
A common challenge after deploying Microsoft Sentinel has been how to keep track of your Data Connector health status. Last article, we explored getting a handle on our Microsoft Sentinel data connectors health. This week, we look visualizing and using that data with Sentinel Workbooks.
Let’s jump right in to get things started:
First, let’s get logged in to Azure portal at https://portal.azure.com.
On the Microsoft Sentinel blade and select Logs. Let’s make sure we are getting the SentinelHealth data collected first.
Enter a little test query to quickly grab a random few rows of your SentinelHealth data table:
SentinelHealth | take 25
Click on RUN and then let’s enjoy the results that we can see returned. So, since we are able to now use KQL to query our Sentinel data connectors for health information, we can use a query to drive an Analytics Rule or other monitoring to then create Incidents and Alerts to let us know about issues.
Great, if you see data returned, then we are in good shape. If you don’t, make sure you check out the previous article on getting your Data Connector health information logged right here.
Back on the Sentinel blade, let’s head down to Workbooks.
Once in Workbooks, select Templates > enter ‘health‘ > select Sentinel Health.
Next choose either View or Save Template. If you choose Save, you will be prompted to select a Region – choose the same Region as your Sentinel implementation / Log Analytics Workspace to keep things nice and tidy.
Next up, click on View if you didn’t do that already.
My sample data shown above let’s us see that there are some different resources being collected, and that there are a few errors we should examine.
Sections included in the Sentinel Health Workbook:
- Sentinel Health by Resource Name
- Detect latest failure events per connector
- Detect connectors with changes from fail to success state
- Detect connectors with changes from success to fail state
- Sentinel Health Schema
- Sentinel Health by Operation Name
- Sentinel Health by by SentinelResourceKind
- Sentinel Health Status Count
- Sentinel Health by Description
- Sentinel Health by SentinelResourceType
- Sentinel Health Summary
The ability to filter by date and resource within the workbook is a huge time-saver, remember to set these filters to suit your own needs and explore the SentinelHealth data.
One of my favourite sections is the simple SentinelResourceKind section where we can see the different types of resource data we are collecting:
Remember to dig around, dig into, and explore the data you are collecting to make sure that your resources and settings are healthy and useful. Collecting the data is great, but make sure it is useful, supports your Microsoft Sentinel goals, and that storage and retention is all setup to support those goals.