Need to be able to monitor silent log sources using Sentinel

Angela Marafino 0 Reputation points
2023-09-13T01:34:45.07+00:00

We need to get the lists of hosts that have not sent us logs in the last X hours. X would need to be somewhat configurable for certain hosts.

We also need to know when a log source has resumed sending logs so we can update the case on our side with the silent log source (to remove the ones that are no longer silent).

And to have this feature, we need to be able to store data somewhere and run queries against the stored data.

Microsoft Sentinel

1 answer

  1. Givary-MSFT 32,321 Reputation points Microsoft Employee
    2023-09-13T08:56:59.5333333+00:00

    @Angela Marafino Thank you for reaching out to us. As I understand, you are looking to monitor silent log sources using Sentinel. While researching this, I came across this blog, https://techcommunity.microsoft.com/t5/microsoft-sentinel/log-sources-down/m-p/3071425, which you have already visited/commented on.

    I also came across these links, which might be helpful:

    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/data-connector-health-push-notification-alerts/ba-p/1996442

    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-alert-playbook/ba-p/2006003

    https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingestion-cost-spike-detection-playbook/ba-p/2591301

    However, I will check more on this with my team and get back to you.

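For the two requirements in the question (hosts silent for longer than a per-host configurable number of hours, and hosts that have since resumed), the KQL below is an added example and is not code from the question, the answer or the linked blogs. The watchlist alias LogSourceThresholds and its columns Host and MaxSilentHours are assumed names, and Heartbeat, Syslog and SecurityEvent stand in for whichever tables your hosts actually feed.

```kql
// Added example (not part of the question or answer): silent and resumed log
// sources in Microsoft Sentinel, with a per-host threshold taken from a watchlist.
// Watchlist alias "LogSourceThresholds" and its columns Host / MaxSilentHours are
// hypothetical names; hosts without an entry fall back to DefaultHours.
let DefaultHours = int(24);   // fallback threshold for hosts not in the watchlist
let RunWindow    = 1h;        // how often the scheduled analytics rule runs
let LookBack     = 14d;       // hosts with no logs at all in this window are reported as silent
let Thresholds = _GetWatchlist('LogSourceThresholds')
    | project Host = tolower(tostring(Host)), MaxSilentHours = toint(MaxSilentHours);
// One row per host per hour in which it sent at least one log (add the tables you rely on)
let ActiveHours = union isfuzzy=true
    (Heartbeat     | project TimeGenerated, Host = Computer),
    (Syslog        | project TimeGenerated, Host = Computer),
    (SecurityEvent | project TimeGenerated, Host = Computer)
    | where TimeGenerated > ago(LookBack)
    | summarize by Host = tolower(Host), Hour = bin(TimeGenerated, 1h);
// Per host: the latest active hour and the length of the gap that preceded it
let LastSeen = ActiveHours
    | order by Host asc, Hour asc
    | extend PrevHour = prev(Hour), PrevHost = prev(Host)
    | extend Gap = iff(PrevHost == Host, Hour - PrevHour, 0h)
    | summarize arg_max(Hour, Gap) by Host
    | project Host, LastLogTime = Hour, GapBeforeLast = Gap;
// Full outer join so watchlisted hosts that never logged inside LookBack still surface
LastSeen
| join kind=fullouter Thresholds on Host
| extend Host = coalesce(Host, Host1)
| extend Threshold = coalesce(MaxSilentHours, DefaultHours) * 1h
| extend SilentFor = iff(isnull(LastLogTime), LookBack, now() - LastLogTime)
// "Resumed": a gap longer than the threshold ended in the hour bins covering the last run
| extend Status = case(
    SilentFor > Threshold, "Silent",
    GapBeforeLast > Threshold and LastLogTime >= ago(RunWindow + 1h), "Resumed",
    "Healthy")
| where Status != "Healthy"
| project Host, Status, LastLogTime, SilentFor, Threshold
| order by Status asc, SilentFor desc
```

Run it as a scheduled analytics rule every RunWindow; the Status column lets a playbook open a case for "Silent" hosts and close the existing case when the same host comes back as "Resumed".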
