Forum Discussion
What are the basic health checks one should be doing on Azure Sentinel as an SIEM Admin?
#4 I'd consider using Azure Resource Graph queries to test computers (ideally in a Workbook), as the output can be used in KQL.
e.g. this would be the ARG code in a parameter in the workbook:
resources
| where type == "microsoft.compute/virtualmachines" or type == "microsoft.hybridcompute/machines"
| project name
Name would be mapped to ComputerName when selected.
Then in Log Analytics you can select one computer:
Heartbeat
| where Computer startswith "{ComputerName}"
| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)
or all of them:
Heartbeat
| where Computer in ("{ComputerName}")
| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)
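Building on the heartbeat checks above, here is an added example (my own, not CliveWatson's code) that turns the per-hour count into an actual finding list: every machine that has reported at least once in the last 7 days but has now been silent for longer than a threshold. It assumes only the standard Heartbeat table columns (Computer, OSType, Category, TimeGenerated); the staleAfter and lookback values are constructed and should be tuned to the agent's heartbeat interval.

```kql
// Added example, not from the thread: agents that have stopped sending heartbeats.
// Assumes the standard Heartbeat columns Computer, OSType, Category, TimeGenerated.
let staleAfter = 1h;   // constructed threshold; tune to your agents' heartbeat interval
let lookback   = 7d;   // only consider machines seen at least once in this window
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize
    LastHeartbeat      = max(TimeGenerated),
    HeartbeatsInWindow = count()
    by Computer, OSType, Category
// How long since the last heartbeat; anything above the threshold is a candidate for a dead agent
| extend SilentFor = now() - LastHeartbeat
| where SilentFor > staleAfter
| project Computer, OSType, Category, LastHeartbeat, SilentFor, HeartbeatsInWindow
| order by SilentFor desc
```

To scope it to the workbook parameter from the ARG query, add `| where Computer in ("{ComputerName}")` directly after the `Heartbeat` line, as in the posted queries. Note that a machine with no heartbeat at all in the window never appears here; catching those is exactly where the ARG machine list is useful, by comparing it against the set of computers present in Heartbeat.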
#5 I'd consider E2E Latency (min, avg and max).
#6 Table size and growth (maybe 7 days, growth per day)
e.g.:
union withsource=TableName *
| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to now() step 1h
| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000
| project TimeGenerated, ['{Table}'] = TableSize
| render areachart
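The two checks in #5 and #6 can be served by one query. The following is an added example (my own, not the thread's code) that reports, per table, the billed volume for the last 7 days, the change against the 7 days before that, and the min/avg/max end-to-end ingestion latency. It assumes the standard Log Analytics metadata columns _BilledSize and _IsBillable and the ingestion_time() function; the 7-day window is a constructed value.

```kql
// Added example, not from the thread: per-table ingestion volume, growth and latency.
// Assumes the standard metadata columns _BilledSize, _IsBillable and ingestion_time().
let window = 7d;   // constructed comparison window (current vs previous period)
union withsource=TableName *
| where TimeGenerated > ago(2 * window) and _IsBillable == true
// End-to-end latency in seconds; can be negative for records that carry a backdated TimeGenerated
| extend LatencySec = (ingestion_time() - TimeGenerated) / 1s
| summarize
    CurrentGB     = round(sumif(_BilledSize, TimeGenerated > ago(window)) / 1e9, 3),
    PreviousGB    = round(sumif(_BilledSize, TimeGenerated <= ago(window)) / 1e9, 3),
    MinLatencySec = round(minif(LatencySec, TimeGenerated > ago(window)), 1),
    AvgLatencySec = round(avgif(LatencySec, TimeGenerated > ago(window)), 1),
    MaxLatencySec = round(maxif(LatencySec, TimeGenerated > ago(window)), 1)
    by TableName
// Growth relative to the previous window; null where the table had no billable data before
| extend GrowthPct = iff(PreviousGB > 0,
                         round((CurrentGB - PreviousGB) / PreviousGB * 100, 1),
                         real(null))
| order by CurrentGB desc
```

Run it in Logs or as a grid in a Workbook: a table whose GrowthPct jumps, or whose MaxLatencySec is far above its average, is worth a closer look before it shows up as an unexpected bill or as detections firing late. The scan over `union *` for 14 days is heavy on large workspaces, so schedule it rather than running it interactively.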
CliveWatson, thanks for the additional information!
In the last query, is the [{Table}] name supposed to be replaced with the actual table name? When I run it in Logs it just has {Table} as the X-axis text, and the code doesn't run in a Workbook.
- CliveWatson, Feb 28, 2020, Former Employee
Sorry, a copy & paste mistake:
union withsource=TableName *
| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to now() step 1h
| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000
| project TimeGenerated, ['Table'] = TableSize
| render areachart
Just remove the curly brackets. It's really the "Table Size" column as well, but an area chart will disguise that.
It should look like