Forum Discussion
What are the basic health checks one should be doing on Azure Sentinel as an SIEM Admin?
Hi Team,
I need help on the checklist which should be carried out everyday in order to confirm the health status of Azure Sentinel. Please help.
Regards,
Mitesh Agrawal
4 Replies
MiteshAgrawal Here are some things I do every day"
1) Check the data connectors to make sure they are still getting data
2) Check your playbooks to make sure they are not throwing any errors
3) And, of course, check your incidents
4) You may want to check the Heartbeat log to make sure that any servers you have connected to your Azure Sentinel instance are still sending data, but depending on the server it may not be a red flag if it is down.
#4 I'd consider using Azure Resource Graph queries to test computers (ideally in a Workbook) as the output can be used in KQL
e.g. this would be the ARG code in a parameter in the workbookresources | where type == "microsoft.compute/virtualmachines" or type == "microsoft.hybridcompute/machines" | project nameName would be mapped to computername when selected.
Then in Log Analytics you can select one computer
Heartbeat | where Computer startswith "{ComputerName}" | summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)or all of them
Heartbeat | where Computer in ("{ComputerName}") | summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)#5 I'd consider E2E Latency (min, avg and max)
#6 Table size and growth (maybe 7 days, growth per day)
e.g.
union withsource=TableName * | make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to now() step 1h | mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000 | project TimeGenerated, ['{Table}'] = TableSize | render areachartCliveWatson Thanks for the additional information!
In the last query is the [{Table}] name supposed to be replaced with the actual table name? When I run it in Logs it just has {Table} as the X-axis text and the code doesn't run in a Workbook
