Aug 06 2020 09:25 PM
Is there a way to detect if network, Windows or Linux devices have not been able to ingest logs into Sentinel in the last 24 hrs, so that we can investigate any issues?
We have a mix of Windows, Linux, CEF and Syslog devices.
Aug 09 2020 08:39 PM
@Rod_Trent I can't find anything in the workbook for stale devices.
Aug 10 2020 04:53 AM
@MalliBoppe If you have the Microsoft Monitoring Agent installed on these devices you can always check the heartbeat to see if they are alive. While this is not 100% accurate, it should give you a good idea.
For items like Syslog / CEF you can check to see when the last data was ingested to see if those servers are working (which, I believe, is what Rod Trent was stating in his post). To see if the machines that populate your Syslog / CEF servers are pushing data you would need to have a list of all the systems that should be pushing data (I would suggest storing this in a blob so you can use the extern command) and then comparing that list against what is currently being ingested to see which ones are not actually pushing data.
This post talks more about the extern data command: https://techcommunity.microsoft.com/t5/azure-sentinel/using-external-data-sources-to-enrich-network-...
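The approach described in the answer above, written out as one KQL query. This is an added example and not code from the thread or from Microsoft; it assumes the standard Sentinel tables Heartbeat, Syslog and CommonSecurityLog, and an inventory CSV named expected-devices.csv with the columns Device and Kind (Kind being Agent, Syslog or CEF) stored in a blob whose SAS URL is a placeholder here. Mapping a CEF record to a device via DeviceName (falling back to Computer) is also an assumption; adjust it to whichever field identifies the device in your feeds.

```kql
// Added example (not from the thread). Assumptions:
//  - the workspace has the Heartbeat, Syslog and CommonSecurityLog tables
//  - an inventory CSV "expected-devices.csv" sits in a blob with columns
//    Device,Kind (Kind = Agent | Syslog | CEF); the SAS URL below is a placeholder
let lookback = 7d;       // a device must have been seen at least once in this window
let stale_after = 24h;   // flag anything silent for longer than this
// Inventory of what *should* be reporting, pulled from blob storage with externaldata
let expected = externaldata(Device:string, Kind:string)
    [@"https://mystorageaccount.blob.core.windows.net/inventory/expected-devices.csv?sv=...placeholder-SAS..."]
    with (format="csv", ignoreFirstRecord=true);
// Last time each source was seen, unified across the three ingest paths.
// isfuzzy=true keeps the query working if one of the tables does not exist yet.
let last_seen =
    union isfuzzy=true
        (Heartbeat
         | where TimeGenerated > ago(lookback)
         | summarize LastSeen = max(TimeGenerated) by Device = Computer
         | extend Kind = "Agent"),
        (Syslog
         | where TimeGenerated > ago(lookback)
         | summarize LastSeen = max(TimeGenerated) by Device = Computer
         | extend Kind = "Syslog"),
        (CommonSecurityLog
         | where TimeGenerated > ago(lookback)
         // assumption: DeviceName identifies the CEF source; Computer is the forwarder
         | summarize LastSeen = max(TimeGenerated) by Device = coalesce(DeviceName, Computer)
         | extend Kind = "CEF");
// Left-outer join so the inventory drives the result: a device that never sent
// anything in the lookback window still appears, with an empty LastSeen.
expected
| join kind=leftouter last_seen on Device, Kind
| extend Status = case(isnull(LastSeen), "never seen in lookback",
                       LastSeen < ago(stale_after), "stale",
                       "ok")
| where Status != "ok"
| project Device, Kind, LastSeen, SilentFor = now() - LastSeen, Status
| order by Kind asc, LastSeen asc
```

The join direction is the point: querying the tables alone can only tell you about devices that have sent something, so a device that has been silent for the whole lookback window, or that was never onboarded, only shows up because the inventory is on the left side of the join. Run it as a scheduled analytics rule or pin it to a workbook; for the Heartbeat path remember the caveat from the answer above, since a live agent does not guarantee that the data sources on that host are still being collected.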