Auditing and health monitoring in Microsoft Sentinel
Microsoft Sentinel is a critical service for advancing and protecting the security of your organization’s technological and information assets, so you’ll want to rest assured that it’s always running smoothly and free of interference. You’ll want to be able to make sure that the service's many moving parts are always functioning as intended and that the service isn't being manipulated by unauthorized actions, whether by internal users or otherwise. You also might like to configure notifications of health drifts or unauthorized actions to be sent to relevant stakeholders who can respond or approve a response. For example, you can set conditions to trigger the sending of emails or Microsoft Teams messages to operations teams, managers, or officers, launch new tickets in your ticketing system, and so on.
This article describes how Microsoft Sentinel’s health monitoring and auditing features let you monitor the activity of some of the service’s key resources and inspect logs of user actions within the service.
This section describes the function and use cases of the health monitoring and auditing components.
Health and audit data are collected in two tables in your Log Analytics workspace:
- Health data is collected in the SentinelHealth table.
- Audit data is collected in the SentinelAudit table.
The main way you'll use this data is by querying these tables.
For best results, build your queries on the pre-built functions over these tables, _SentinelHealth() and _SentinelAudit(), instead of querying the tables directly. These functions keep your queries backward compatible if the schema of the underlying tables changes.
When monitoring the health of playbooks, you'll also need to capture Azure Logic Apps diagnostic events from your playbooks, in addition to the SentinelHealth data, in order to get the full picture of your playbook activity. Azure Logic Apps diagnostic data is collected in the AzureDiagnostics table in your workspace.
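The following KQL query is an added example, not part of the original article, showing how the wrapper function and the Logic Apps diagnostic data described above are combined into one failure report. It assumes the columns and values named in the comments (OperationName, Status, SentinelResourceType, SentinelResourceName, Description on the health table; ResourceProvider, Category, OperationName, status_s, resource_workflowName_s and resource_runId_s on AzureDiagnostics); confirm them against your workspace with `_SentinelHealth() | getschema` before relying on the results.

```kusto
// Added example (not from the original article): one report of everything that failed
// in the last 24 hours, from both the health table and playbook diagnostics.
// Column and value names are assumptions about the current schemas; verify with getschema.
let lookback = 24h;
// Failures reported by data connectors, analytics rules and automation rules,
// read through the wrapper function so the query survives schema changes.
let healthFailures =
    _SentinelHealth()
    | where TimeGenerated > ago(lookback)
    | where Status == "Failure"                       // assumed status value
    | project TimeGenerated,
              Source = "SentinelHealth",
              ResourceType = SentinelResourceType,
              ResourceName = SentinelResourceName,
              OperationName,
              Detail = Description;
// Failed playbook runs, which the health table alone does not show.
let playbookFailures =
    AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.LOGIC" and Category == "WorkflowRuntime"
    | where OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"
    | where status_s == "Failed"
    | project TimeGenerated,
              Source = "AzureDiagnostics",
              ResourceType = "Playbook",
              ResourceName = resource_workflowName_s,
              OperationName,
              Detail = strcat("run id: ", resource_runId_s);
// Merge both sources and roll up per resource, keeping a few sample details
// so an operator can see why the resource is failing without a second query.
union healthFailures, playbookFailures
| summarize Failures = count(),
            LastFailure = max(TimeGenerated),
            SampleDetails = make_set(Detail, 5)
          by Source, ResourceType, ResourceName, OperationName
| order by LastFailure desc
```

Each row of the result is one resource that failed at least once in the window; the same query, with a `where Failures > 0` threshold, is what you would put behind an analytics rule or a workbook tile to notify the operations team described in the introduction.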
Is the data connector running correctly?
Is the data connector receiving data? For example, if you've instructed Microsoft Sentinel to run a query every 5 minutes, you want to check whether that query is being performed, how it's performing, and whether there are any risks or vulnerabilities related to the query.
Did an automation rule run as expected?
Did your automation rule run when it was supposed to—that is, when its conditions were met? Did all the actions in the automation rule run successfully?
Did an analytics rule run as expected?
Did your analytics rule run when it was supposed to, and did it generate results? If you're expecting to see particular incidents in your queue but you don't, you want to know whether the rule ran but didn't find anything (or enough things), or didn't run at all.
Were unauthorized changes made to an analytics rule?
Was something changed in the rule? You didn't get the results you expected from your analytics rule, and it didn't have any health issues. You want to see if any unplanned changes were made to the rule, and if so, what changes were made, by whom, from where, and when.
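To answer the last question above, the audit table is queried for changes to analytics rules made by identities that are not expected to touch them. This is an added example, not part of the original article. It assumes that SentinelAudit records expose the caller, source address and changed fields in the dynamic ExtendedProperties column under the names CallerName, CallerIpAddress and ResourceDiffMemberNames, that SentinelResourceType identifies analytics rules with a value containing "Analytic", and that the approvedEditors list is a constructed placeholder you replace with your own change-management identities.

```kusto
// Added example (not from the original article): audited operations on analytics rules
// performed by identities outside an approved list, with who, from where and what changed.
// Property names inside ExtendedProperties are assumptions; verify with
// `_SentinelAudit() | getschema` and by inspecting a few records.
let lookback = 7d;
// Constructed placeholder: identities that are allowed to change rules
// (for example, your deployment pipeline and named rule owners).
let approvedEditors = dynamic(["rules-pipeline@placeholder.example", "soc-lead@placeholder.example"]);
_SentinelAudit()
| where TimeGenerated > ago(lookback)
| where SentinelResourceType contains "Analytic"        // assumed resource type naming
| where Status == "Success"                            // only changes that took effect
| extend Caller        = tostring(ExtendedProperties.CallerName),
         CallerIp      = tostring(ExtendedProperties.CallerIpAddress),
         ChangedFields = tostring(ExtendedProperties.ResourceDiffMemberNames)
// Anything done by an unapproved identity is a candidate unplanned change.
| where isempty(Caller) or Caller !in (approvedEditors)
| project TimeGenerated,
          RuleName = SentinelResourceName,
          OperationName,
          Caller,
          CallerIp,
          ChangedFields,
          CorrelationId
| order by TimeGenerated desc
```

Rows with an empty Caller are kept deliberately: a record whose caller could not be resolved should be reviewed rather than silently dropped. For a "what exactly changed" view, the same ExtendedProperties object also carries the original and updated rule state, which can be compared side by side in a workbook.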
How Microsoft Sentinel presents health and audit data
To start collecting health and audit data, you need to enable health and audit monitoring in the Microsoft Sentinel settings. Then you can dive into the health and audit data that Microsoft Sentinel collects:
- Run queries on the SentinelHealth and SentinelAudit data tables from the Microsoft Sentinel Logs blade.
- Use the auditing and health monitoring workbooks provided in Microsoft Sentinel.
- Use Microsoft Sentinel's execution management tools to monitor and optimize scheduled analytics rules' execution.
- Export the data to various destinations, such as another Log Analytics workspace or a storage account for archiving. Learn about the supported destinations for your logs.
- Turn on auditing and health monitoring in Microsoft Sentinel.
- Monitor the health of your automation rules and playbooks.
- Monitor the health of your data connectors.
- Monitor the health and integrity of your analytics rules.
- See more information about the SentinelHealth and SentinelAudit table schemas.