New Blog Post | Check the health of your exported Azure Sentinel logs in your ADX cluster

Microsoft

Checking the health of your ADX cluster for long-term retention logs (microsoft.com)

More and more Azure Sentinel customers are opting for long-term retention of their logs in Azure Data Explorer (ADX), either due to compliance regulations, or because they still want to be able to perform investigations on their archived logs in the event of a security incident.

As the Azure Sentinel ingestion price includes 90 days of retention for free, keeping the logs for longer periods in Azure Data Explorer is the option many customers prefer (see Using Azure Data Explorer for long term retention of Azure Sentinel logs - Microsoft Tech Community).

Even though the Azure Sentinel + ADX solution requires little to no maintenance, we wanted to give our customers a way to keep an eye on the number of events and the overall status of their ADX clusters and databases. For this reason, we have created two tools: the ADXvsLA workbook and the ADX Health Playbook. The workbook lets you compare the number of logs in Azure Sentinel and ADX and review the overall health of your ADX cluster. The playbook sends you a warning if an unexpected delay in ADX ingestion is detected.
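As an added illustration of the kind of ingestion-delay check the playbook performs (this is not the playbook's own query), the following KQL runs against the ADX database that receives the exported tables; it assumes SecurityEvent is one of the exported tables and that two hours without new data counts as unhealthy:

```kql
// Added example, not taken from the ADX Health Playbook.
// Assumption: SecurityEvent exists in this ADX database with the same TimeGenerated column as in Sentinel.
let maxDelay = 2h;   // assumption: anything older than two hours is treated as an ingestion delay
SecurityEvent
| summarize LastEventTime = max(TimeGenerated),      // newest event by its original timestamp
            LastIngested  = max(ingestion_time())    // when ADX last actually received data
| extend IngestionDelay = now() - LastIngested
| extend Unhealthy = IngestionDelay > maxDelay
| project LastEventTime, LastIngested, IngestionDelay, Unhealthy
```

A row with Unhealthy = true is the condition on which an alert (or a Logic App run) would fire; comparing LastEventTime with LastIngested also separates a stalled export from a source that simply stopped producing events.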
