Health monitoring in Microsoft Sentinel
Microsoft Sentinel is a critical service for monitoring and ensuring your organization's information security, so you need to know that it's always running smoothly and that its many moving parts are functioning as intended. You may also want to notify relevant stakeholders when health drifts occur, so that they can take action. For example, you can configure email or Microsoft Teams messages to be sent to operations teams, managers, or officers, open new tickets in your ticketing system, and so on.
This article describes how Microsoft Sentinel’s health monitoring feature lets you monitor the activity of some of the service’s key resources.
This section describes the function and use cases of the health monitoring components.
Health data is collected in the SentinelHealth table in your Log Analytics workspace. The most common way to use this data is to query the table.
When monitoring the health of playbooks, you'll also need to capture Azure Logic Apps diagnostic events from your playbooks, in addition to the SentinelHealth data, in order to get the full picture of your playbook activity. Azure Logic Apps diagnostic data is collected in the AzureDiagnostics table in your workspace.
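The following KQL query is an added example, not part of the original article, that puts the two sources described above side by side: it takes the playbook trigger records from SentinelHealth and the run outcomes that Logic Apps writes to AzureDiagnostics, and flags playbooks whose trigger failed, whose runs failed, or that were triggered but have no completed run recorded. The column and value names it relies on (SentinelResourceType, Status, Reason, resource_workflowName_s, status_s, the "Playbook" and "Failure" values, the workflowRunCompleted operation name) are assumptions about the two schemas and should be checked against your own workspace.

```kusto
// Added example: correlate Sentinel playbook health with Logic Apps run results.
// Schema assumptions: SentinelHealth.SentinelResourceType == "Playbook",
// SentinelHealth.Status == "Failure" for a failed trigger, and AzureDiagnostics
// Logic Apps rows carrying resource_workflowName_s and status_s.
let lookback = 7d;
// Sentinel side: how often was each playbook triggered, and did the trigger fail?
let triggers = SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Playbook"
    | summarize Triggers = count(),
                TriggerFailures = countif(Status == "Failure"),
                TriggerReasons = make_set_if(Reason, Status == "Failure", 5)
      by PlaybookName = SentinelResourceName;
// Logic Apps side: how did each run of the workflow finish?
let runs = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.LOGIC" and Category == "WorkflowRuntime"
    | where OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"
    | summarize Runs = count(),
                FailedRuns = countif(status_s == "Failed"),
                LastRun = max(TimeGenerated)
      by PlaybookName = resource_workflowName_s;
// Full outer join so a playbook missing from either side still shows up.
triggers
| join kind=fullouter runs on PlaybookName
| extend PlaybookName = coalesce(PlaybookName, PlaybookName1)
| extend Triggers = coalesce(Triggers, 0L),
         TriggerFailures = coalesce(TriggerFailures, 0L),
         Runs = coalesce(Runs, 0L),
         FailedRuns = coalesce(FailedRuns, 0L)
// Triggered but never completed usually means the run is stuck, or Logic Apps
// diagnostic settings were never sent to this workspace.
| extend Finding = case(TriggerFailures > 0, "Trigger failed",
                        FailedRuns > 0, "Run failed",
                        Triggers > 0 and Runs == 0, "Triggered but no completed run recorded",
                        "Healthy")
| where Finding != "Healthy"
| project PlaybookName, Finding, Triggers, TriggerFailures, TriggerReasons, Runs, FailedRuns, LastRun
| order by TriggerFailures + FailedRuns desc
```

If every playbook lands in the "Triggered but no completed run recorded" bucket, the likely cause is that Logic Apps diagnostics are not being routed to the workspace at all, rather than that every run is hanging; that is the caveat the article's point about needing both sources is making.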
Is the data connector running correctly?
Is the data connector receiving data? For example, if you've instructed Microsoft Sentinel to run a query every 5 minutes, you want to check whether that query is being performed, how it's performing, and whether there are any risks or vulnerabilities related to the query.
Are my SAP systems running correctly?
Are the SAP systems managed by your organization running correctly? Are the systems up and running, or are they unreachable? Does Microsoft Sentinel identify these systems as production systems?
Did an automation rule run as expected?
Did my automation rule run when it was supposed to - that is, when its conditions were met? Did all the actions in the automation rule run successfully?
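The following KQL query is an added example, not part of the original article, that answers two of the questions above from the SentinelHealth table: it lists data connectors whose most recent health record is a failure, and automation rules that had at least one failed run in the lookback window, together with the reasons recorded. The resource type values ("Data connector", "Automation rule"), the "Failure" status value and the Description and Reason columns are assumptions about the SentinelHealth schema; confirm them in your workspace before relying on the query.

```kusto
// Added example: surface unhealthy data connectors and automation rules.
// Schema assumptions: SentinelResourceType values "Data connector" and
// "Automation rule", Status value "Failure", and Description/Reason columns.
let lookback = 24h;
// A connector is reported unhealthy only if its LATEST record is a failure;
// an older failure followed by a success means it has recovered.
let connectors = SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Data connector"
    | summarize arg_max(TimeGenerated, Status, Description, Reason) by SentinelResourceName
    | where Status == "Failure"
    | project Component = "Data connector",
              Resource = SentinelResourceName,
              LastSeen = TimeGenerated,
              Summary = Status,
              Detail = strcat(Description, " ", Reason);
// For automation rules, any failed run in the window is worth a look, so count
// them rather than keeping only the latest record.
let rules = SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Automation rule"
    | summarize LastSeen = max(TimeGenerated),
                Runs = count(),
                Failures = countif(Status == "Failure"),
                Reasons = make_set_if(Reason, Status == "Failure", 5)
      by SentinelResourceName
    | where Failures > 0
    | project Component = "Automation rule",
              Resource = SentinelResourceName,
              LastSeen,
              Summary = strcat(Failures, " of ", Runs, " runs failed"),
              Detail = tostring(Reasons);
union connectors, rules
| order by LastSeen desc
```

The same shape (filter on SentinelResourceType, then either arg_max for a current-state view or countif for a rate view) extends to the other monitored components; the right choice depends on whether the question is "is it working now?" or "how often did it fail?". Because SentinelHealth only receives records for components that emit health events, a resource that is absent from the results is not necessarily healthy, so check that it appears in the table at all before reading silence as success.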
How Microsoft Sentinel presents health data
To dive into the health data that Microsoft Sentinel generates, you can:
Run queries on the SentinelHealth data table from the Microsoft Sentinel Logs blade.
Use the health monitoring workbooks provided in Microsoft Sentinel.
Export the data into various destinations, like your Log Analytics workspace, archiving to a storage account, and more. Learn about the supported destinations for your logs.