Forum Discussion
What are the basic health checks one should be doing on Azure Sentinel as an SIEM Admin?
MiteshAgrawal Here are some things I do every day:
1) Check the data connectors to make sure they are still getting data
2) Check your playbooks to make sure they are not throwing any errors
3) And, of course, check your incidents
4) You may want to check the Heartbeat log to make sure that any servers you have connected to your Azure Sentinel instance are still sending data, but depending on the server it may not be a red flag if it is down.
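For item 1, the check most admins end up writing is "which of the tables my connectors feed has gone quiet?". The KQL below is an added example for this thread, not a query from the original post; the list of expected tables, the 7-day lookback and the 24-hour staleness threshold are assumptions to tune per connector (some sources legitimately idle overnight or at weekends).

```kql
// Added example (not from the original post): flag connector tables that have
// stopped receiving data. expected, lookback and staleAfter are assumptions.
let expected = datatable(TableName:string) [
    "SecurityEvent", "SigninLogs", "AzureActivity", "Syslog", "CommonSecurityLog"
];
let lookback = 7d;
let staleAfter = 24h;
expected
| join kind=leftouter (
    union withsource = TableName *
    | where TableName in (expected)          // only scan the tables we care about
    | where TimeGenerated > ago(lookback)
    | summarize LastRecord = max(TimeGenerated), Records = count() by TableName
) on TableName
| extend Status = case(
    isnull(LastRecord), "NO DATA IN LOOKBACK", // nothing at all in the last 7 days
    LastRecord < ago(staleAfter), "STALE",     // had data, but not within the threshold
    "ok")
| project TableName, Status, LastRecord, Records,
          HoursSinceLast = datetime_diff('hour', now(), LastRecord)
| order by Status asc
```

The leftouter join is what makes an expected table that has never sent data show up as a row instead of silently vanishing from the result, which is what a plain `union * | summarize` would do. A cheaper variant for big workspaces is to run the same summarize over the Usage table (max(TimeGenerated) by DataType), at the cost of hourly rather than per-record resolution.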
#4 I'd consider using Azure Resource Graph queries to test computers (ideally in a Workbook) as the output can be used in KQL
e.g. this would be the ARG code in a parameter in the workbook
resources
| where type == "microsoft.compute/virtualmachines" or type == "microsoft.hybridcompute/machines"
| project name
Name would be mapped to ComputerName when selected.
Then in Log Analytics you can select one computer
Heartbeat
| where Computer startswith "{ComputerName}"
| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)
or all of them
Heartbeat
| where Computer in ("{ComputerName}")
| summarize HeartBeatperHour = count() by bin(TimeGenerated,1h)
#5 I'd consider E2E Latency (min, avg and max)
#6 Table size and growth (maybe 7 days, growth per day)
e.g.
union withsource=TableName *
| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to now() step 1h
| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000
| project TimeGenerated, ['{Table}'] = TableSize
| render areachart
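For #5, E2E latency is the gap between the timestamp the source put on the record (TimeGenerated) and the time it actually became queryable in the workspace (ingestion_time()). The query below is an added example, not part of Clive's post; the 1-day window is an assumption.

```kql
// Added example for #5 (not from the original post): end-to-end ingestion latency
// per table over the last day. ingestion_time() is when the record landed in the
// workspace; TimeGenerated is what the source stamped it with. The 1d window is
// an assumption; narrow union * to specific tables on large workspaces.
union withsource = TableName *
| where TimeGenerated > ago(1d)
| extend LatencyMinutes = datetime_diff('minute', ingestion_time(), TimeGenerated)
| summarize
    Records    = count(),
    MinLatency = min(LatencyMinutes),
    AvgLatency = round(avg(LatencyMinutes), 1),
    P95Latency = percentile(LatencyMinutes, 95),
    MaxLatency = max(LatencyMinutes)
    by TableName
| order by P95Latency desc
```

Read the P95 rather than the max when deciding whether something is wrong: a handful of negative or multi-hour values in a table usually means a source with a skewed clock, or a source such as cloud audit logs whose TimeGenerated is the upstream event time and which arrives late by design, not an ingestion problem on the Sentinel side.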
- GaryBushey, Feb 28, 2020, Bronze Contributor
CliveWatson Thanks for the additional information!
In the last query is the [{Table}] name supposed to be replaced with the actual table name? When I run it in Logs it just has {Table} as the X-axis text and the code doesn't run in a Workbook
- CliveWatson, Feb 28, 2020, Microsoft
Sorry a copy & paste mistake
union withsource=TableName *
| make-series TableSize = sum(_BilledSize) default = 0 on TimeGenerated from ago(7d) to now() step 1h
| mvexpand TableSize to typeof(real), TimeGenerated to typeof(datetime) limit 1000
| project TimeGenerated, ['Table'] = TableSize
| render areachart
- just remove the curly brackets - it's really the "Table Size" column as well - but an area chart will disguise that.
It should look like