How to Enable Health Monitoring for Microsoft Sentinel

We’ve released into public preview a new feature for Microsoft Sentinel that gives customers the tools to monitor the health of Microsoft Sentinel operations, such as data connector activity and the execution of scheduled analytics rules.

Enabling this new feature requires a manual step; it is not switched on by default. To enable Health Monitoring:

[1] In the Microsoft Sentinel console, go to Settings in the left-hand menu, then select the Settings tab at the top.

[2] Locate the new Health Monitoring section on the Settings page and click the Configure Diagnostic Settings button.

[3] On the Diagnostic Settings page, click Add diagnostic setting. On the form that opens, create the new diagnostic setting: give it a memorable name, select the DataConnectors log category, and send the logs to the same Log Analytics workspace that backs your Microsoft Sentinel environment, so the health data can be queried alongside your security data. Save the configuration.

Once Health Monitoring is configured, a new SentinelHealth table starts to populate in that workspace with the following columns:

  • TenantId
  • TimeGenerated
  • OperationName
  • SentinelResourceId
  • SentinelResourceName
  • Status
  • Description
  • Reason
  • WorkspaceId
  • SentinelResourceType
  • SentinelResourceKind
  • RecordId
  • ExtendedProperties
  • SourceSystem
  • Type
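The queries below are an added example, not part of the original post, showing how to use those columns once the table is populating: first to confirm the diagnostic setting from step [3] is actually writing records into the workspace, then to surface connectors whose latest health record is a failure, and finally to catch connectors that have stopped reporting at all, which is the blind spot a SOC most needs to know about. The literal values "Failure" for Status and "Data connector" for SentinelResourceType are assumptions; check them against the values in your own table before wiring any of these into a scheduled analytics rule.

```kql
// Added example, not from the original post.
// Assumed literals: Status == "Failure" marks a failed operation and
// SentinelResourceType == "Data connector" marks connector records.

// (1) Sanity check after saving the diagnostic setting: the most recent
//     health record for every monitored connector. An empty result means the
//     setting is not writing into this workspace (wrong workspace or category).
SentinelHealth
| where TimeGenerated > ago(1d)
| where SentinelResourceType == "Data connector"
| summarize arg_max(TimeGenerated, Status, Reason, Description)
    by SentinelResourceName, SentinelResourceKind
| project TimeGenerated, SentinelResourceName, SentinelResourceKind, Status, Reason, Description
| order by TimeGenerated desc

// (2) Connectors whose *latest* record is a failure. Filtering on
//     Status == "Failure" alone would keep re-alerting on problems that a
//     later Success record has already cleared, so take the newest record
//     per resource first and only then test its status.
SentinelHealth
| where TimeGenerated > ago(1d)
| where SentinelResourceType == "Data connector"
| summarize arg_max(TimeGenerated, Status, Reason, Description, ExtendedProperties)
    by SentinelResourceId, SentinelResourceName, SentinelResourceKind
| where Status == "Failure"
| project TimeGenerated, SentinelResourceName, SentinelResourceKind, Reason, Description, ExtendedProperties

// (3) Connectors that reported within the lookback window but have been
//     silent longer than the threshold. No records at all is as much of a
//     collection gap as an explicit failure, and (2) will never show it.
let lookback = 7d;
let silence = 24h;
SentinelHealth
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Data connector"
| summarize arg_max(TimeGenerated, Status) by SentinelResourceName, SentinelResourceKind
| where TimeGenerated < ago(silence)
| project LastSeen = TimeGenerated, SentinelResourceName, SentinelResourceKind, LastStatus = Status
| extend SilentFor = now() - LastSeen
| order by SilentFor desc
```

Run each of the three queries on its own in the Logs blade. Queries (2) and (3) are the ones worth turning into scheduled analytics rules, with the rule frequency set shorter than the silence threshold so a silent connector is caught within one interval; the query (1) output is just the confirmation that the DataConnectors category was selected and the right workspace was chosen.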

So far, only a handful of data connectors are supported:

  • Amazon Web Services (CloudTrail)
  • Dynamics 365
  • Office 365
  • Office ATP
  • Threat Intelligence – TAXII
  • Threat Intelligence Platforms

The documentation for this feature is already available and also covers the accompanying Data Connector Workbook. See: Monitor the health of your data connectors
