What are the basic health checks one should be doing on Azure Sentinel as an SIEM Admin?


Hi Team,

I need help on the checklist which should be carried out every day in order to confirm the health status of Azure Sentinel. Please help.

Regards,

Mitesh Agrawal

4 Replies

@MiteshAgrawal Here are some things I do every day:

1) Check the data connectors to make sure they are still getting data

2) Check your playbooks to make sure they are not throwing any errors

3) And, of course, check your incidents

4) You may want to check the Heartbeat log to make sure that any servers you have connected to your Azure Sentinel instance are still sending data, but depending on the server it may not be a red flag if it is down.

@Gary Bushey

#4 I'd consider using Azure Resource Graph queries to test computers (ideally in a Workbook), as the output can be used in KQL.
e.g. this would be the ARG code in a parameter in the workbook:

resources
| where type == "microsoft.compute/virtualmachines" or type == "microsoft.hybridcompute/machines"
| project name

Name would be mapped to computername when selected.

Then in Log Analytics you can select one computer:

Heartbeat  
| where Computer startswith "{ComputerName}"
| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)

or all of them:

Heartbeat  
| where Computer in ("{ComputerName}")
| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)

#5 I'd consider E2E Latency (min, avg and max)

#6 Table size and growth (maybe 7 days, growth per day)

e.g.

union withsource=TableName *
| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to  now() step 1h
| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000
| project TimeGenerated, ['{Table}'] = TableSize
| render areachart


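An added example, not code from this thread, that takes #4 and #5 one step further: instead of counting heartbeats per hour for one selected machine, it lists every agent seen in the last 7 days, how long each has been silent, and its min/avg/max end-to-end ingestion latency. The 60-minute silence threshold is an assumed value to tune per environment; as Gary notes, a host that is down is not always a red flag.

```kql
// Added example (not from the thread): which agents have gone quiet, and how late
// their data arrives. SilentThreshold is an assumed value; tune it per environment.
let Lookback = 7d;
let SilentThreshold = 60m;
Heartbeat
| where TimeGenerated > ago(Lookback)
// ingestion_time() is when Log Analytics indexed the record; TimeGenerated is the
// source timestamp, so the difference is the end-to-end ingestion latency
| extend E2ELatency = ingestion_time() - TimeGenerated
| summarize LastHeartbeat = max(TimeGenerated),
            Heartbeats = count(),
            MinLatency = min(E2ELatency),
            AvgLatency = avg(E2ELatency),
            MaxLatency = max(E2ELatency)
          by Computer, OSType
// an agent that has reported in the window but not recently is the interesting case
| extend SilentFor = now() - LastHeartbeat
| extend Status = iff(SilentFor > SilentThreshold, "SILENT", "OK")
| project Status, Computer, OSType, LastHeartbeat, SilentFor, Heartbeats,
          MinLatency, AvgLatency, MaxLatency
// SILENT rows first, longest outage at the top
| order by Status desc, SilentFor desc
```

In a Workbook, replace the `7d` and `60m` literals with parameters so the thresholds can be changed without editing the query.
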
@Clive Watson Thanks for the additional information!

In the last query, is the [{Table}] name supposed to be replaced with the actual table name? When I run it in Logs it just has {Table} as the X-axis text, and the code doesn't run in a Workbook.

@Gary Bushey

Sorry, a copy & paste mistake:

union withsource=TableName *
| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to  now() step 1h
| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000
| project TimeGenerated, ['Table'] = TableSize
| render areachart

- just remove the curly brackets - it's really the "Table Size" column as well - but an area chart will disguise that.

It should look like:

[image: Annotation 2020-02-28 191420.jpg]
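An added example, not Clive's code, for the "growth per day" half of #6: it reads the Usage table (which records billable volume per table per hour, so it is far cheaper than scanning every table with `union *`) and reports each table's daily ingestion alongside the change from the previous day, so a table that suddenly doubles or drops to zero shows up in a grid rather than being disguised by an area chart. Column names are the Usage table's own; the rounding precision is an arbitrary choice.

```kql
// Added example (not from the thread): billable GB ingested per table per day
// over the last 7 days, with the day-over-day change for each table.
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true
// Quantity is in MB; StartTime is the start of the hourly usage bucket
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 3) by DataType, Day = bin(StartTime, 1d)
| order by DataType asc, Day asc
// prev() walks the sorted rows; only compare a day with the previous day of the same table
| extend PrevGB = iff(prev(DataType) == DataType, prev(IngestedGB), real(null))
| extend DeltaGB = round(IngestedGB - PrevGB, 3),
         DeltaPct = iff(PrevGB > 0, round(100.0 * (IngestedGB - PrevGB) / PrevGB, 1), real(null))
| project Day, DataType, IngestedGB, PrevGB, DeltaGB, DeltaPct
// biggest jumps first; the first day of each table has no previous day and sorts last
| order by DeltaPct desc
```

A large positive DeltaPct usually means a new or misconfigured connector (and a bill surprise); a table that goes to zero is the same "is it still getting data" check as Gary's #1, done from the data side.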