Health monitoring in Microsoft Sentinel

Microsoft Sentinel is a critical service for monitoring and ensuring your organization’s information security, so you’ll want assurance that it’s always running smoothly and that the service's many moving parts are functioning as intended. You might also want to configure notifications of health drifts for relevant stakeholders who can take action. For example, you can configure email or Microsoft Teams messages to be sent to operations teams, managers, or officers, launch new tickets in your ticketing system, and so on.

This article describes how Microsoft Sentinel’s health monitoring feature lets you monitor the activity of some of the service’s key resources.


This section describes the function and use cases of the health monitoring components.

Data storage

Health data is collected in the SentinelHealth table in your Log Analytics workspace. The most common way to use this data is by querying the table.


  • The SentinelHealth data table is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

  • When monitoring the health of playbooks, you'll also need to capture Azure Logic Apps diagnostic events from your playbooks, in addition to the SentinelHealth data, in order to get the full picture of your playbook activity. Azure Logic Apps diagnostic data is collected in the AzureDiagnostics table in your workspace.

Use cases

Is the data connector running correctly?

Is the data connector receiving data? For example, if you've instructed Microsoft Sentinel to run a query every 5 minutes, you want to check whether that query is being performed, how it's performing, and whether there are any risks or vulnerabilities related to the query.

Are my SAP systems running correctly?

Are the SAP systems managed by your organization running correctly? Are the systems up and running, or are they unreachable? Does Microsoft Sentinel identify these systems as production systems?

Did an automation rule run as expected?

Did my automation rule run when it was supposed to - that is, when its conditions were met? Did all the actions in the automation rule run successfully?
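
The following query is an added example, not part of the original article or Microsoft's own code. It shows how the connector and automation rule questions above can be answered from SentinelHealth records. The column names and the "Data connector", "Automation rule" and "Data fetch status change" strings are assumed from the SentinelHealth table schema and do not appear on this page; the sample rows and resource names are constructed.

```kusto
// Constructed sample rows standing in for the SentinelHealth table.
// Column names are assumed from the SentinelHealth schema; verify them in your workspace.
// To run against real data, replace SampleHealth below with SentinelHealth.
let SampleHealth = datatable(TimeGenerated:datetime, SentinelResourceType:string,
                             SentinelResourceName:string, OperationName:string,
                             Status:string, Description:string)
[
    datetime(2024-05-01 08:00), "Data connector",  "Connector-A", "Data fetch status change", "Success", "",
    datetime(2024-05-01 09:30), "Data connector",  "Connector-A", "Data fetch status change", "Failure", "constructed: fetch failed",
    datetime(2024-05-01 08:10), "Data connector",  "Connector-B", "Data fetch status change", "Failure", "constructed: fetch failed",
    datetime(2024-05-01 10:00), "Data connector",  "Connector-B", "Data fetch status change", "Success", "",
    datetime(2024-05-01 09:00), "Automation rule", "Rule-1",      "Automation rule run",      "Success", "",
    datetime(2024-05-01 09:45), "Automation rule", "Rule-1",      "Automation rule run",      "Partial success", "constructed: one action failed",
    datetime(2024-05-01 09:50), "Automation rule", "Rule-2",      "Automation rule run",      "Success", ""
];
// 1. Is the data connector running correctly?
//    Keep only the latest status change per connector, then report those still failing.
//    A connector that failed earlier but has since recovered is not listed.
let UnhealthyConnectors = SampleHealth
    | where SentinelResourceType == "Data connector"
    | where OperationName == "Data fetch status change"
    | summarize arg_max(TimeGenerated, Status, Description) by SentinelResourceName
    | where Status == "Failure"
    | project Check = "Connector currently failing", SentinelResourceName,
              LastSeen = TimeGenerated, Status, Description;
// 2. Did an automation rule run as expected?
//    Report every run whose status is anything other than full success,
//    so runs where only some actions completed are included.
let IncompleteRuleRuns = SampleHealth
    | where SentinelResourceType == "Automation rule"
    | where Status != "Success"
    | project Check = "Automation rule run not fully successful", SentinelResourceName,
              LastSeen = TimeGenerated, Status, Description;
union UnhealthyConnectors, IncompleteRuleRuns
| order by LastSeen desc
```

When pointing the query at a live workspace, add a time filter such as `| where TimeGenerated > ago(3d)` to both branches so the latest-status check is not computed over the table's full retention period.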

How Microsoft Sentinel presents health data

To dive into the health data that Microsoft Sentinel generates, you can:
