Is there a way to detect whether Network, Windows or Linux devices have not been able to ingest logs into Sentinel in the last 24 hrs, so that we can investigate any issues?

We have a mix of Windows, Linux, CEF and Syslog devices.

@MalliBoppe If you have the Microsoft Monitoring Agent installed on these devices you can always check the heartbeat to see if they are alive. While this is not 100% accurate, it should give you a good idea.


For items like Syslog / CEF you can check when the last data was ingested to see if those servers are working (which, I believe, is what Rod Trent was stating in his post). To see whether the machines that populate your Syslog / CEF servers are pushing data, you would need a list of all the systems that should be pushing data (I would suggest storing this in a blob so you can use the extern command) and then compare that list against what is currently being ingested to see which ones are not actually pushing data.
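The following KQL is an added example that puts both halves of the answer above into one query; it is not code from the original post or from Microsoft. It takes the last heartbeat per agent-managed host from the `Heartbeat` table, the last event per sending device from `CommonSecurityLog` (CEF) and `Syslog`, and compares that against a list of devices that should be reporting. The hostnames in the `datatable()` are constructed placeholders; in production that block would be replaced by `externaldata()` reading the expected-device CSV from blob storage (this is the operator I take the "extern command" above to refer to). The 24h threshold and 30d lookback are assumptions you can tune.

```kql
// Added example (not from the original post). Flags expected log sources
// that Sentinel has not heard from in the last 24 hours.
//
// The expected-device list is inlined so the query runs stand-alone. In
// production replace the datatable() below with something like:
//   externaldata(Computer:string, SourceType:string)
//     [@"https://<storage-account>.blob.core.windows.net/<container>/expected.csv?<sas-token>"]
//     with (format="csv", ignoreFirstRecord=true)
let threshold = 24h;            // how long a source may be silent before we flag it
let lookback = 30d;             // how far back to search for the last sign of life
let expected = datatable(Computer:string, SourceType:string) [
    "web01.contoso.local", "Windows",   // constructed sample hostnames
    "db01.contoso.local",  "Linux",
    "fw-edge01",           "CEF",
    "rtr-core01",          "Syslog"
];
// Windows/Linux hosts with the agent installed: last heartbeat per host.
// A heartbeat only proves the agent is up, not that the data sources on
// that host are still collecting, hence the "not 100% accurate" caveat.
let agents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated) by Computer
    | extend Signal = "Heartbeat";
// CEF devices: last event per original sending device (DeviceName),
// not per collector (Computer), so a silent firewall behind a healthy
// collector is still caught.
let cef = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated) by Computer = DeviceName
    | extend Signal = "CEF";
// Syslog devices: last event per original sender (HostName), same reasoning.
let syslog = Syslog
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated) by Computer = HostName
    | extend Signal = "Syslog";
// Most recent signal of any kind per device, plus which signals were seen.
let observed = union agents, cef, syslog
    | summarize LastSeen = max(LastSeen), Signals = make_set(Signal) by Computer;
// Left-outer join keeps expected devices that were never seen at all.
expected
| join kind=leftouter observed on Computer
| extend Status = case(
    isnull(LastSeen),          "never seen in lookback window",
    LastSeen < ago(threshold), "stale",
                               "ok")
| where Status != "ok"
| project Computer, SourceType, Signals, LastSeen, SilentFor = now() - LastSeen, Status
| order by SilentFor desc
```

Run this in the Sentinel Logs blade to get the list of silent devices, or save it as a scheduled analytics rule so an incident is raised when the result set is non-empty. The two caveats worth keeping in mind: a heartbeat alone means the agent process is alive, not that every data source on that host is still flowing, so for the Windows and Linux hosts you may also want to compare `max(TimeGenerated)` on the tables you actually care about (`SecurityEvent`, `Syslog`, and so on); and the expected list is only as good as its upkeep, so any device that appears in `observed` but not in `expected` (a `rightanti` join) is a useful second report for finding sources nobody wrote down.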


