
Monitoring the health of the Microsoft Sentinel Data connectors




Data is sent to the Microsoft Sentinel workspace by configuring the provided data connectors. A data connector is the mechanism for bringing logs from various sources (on-premises, other clouds, Azure, etc.) into the Log Analytics workspace that backs Microsoft Sentinel.


Because data connectors are what feed data into Microsoft Sentinel, monitoring their health is essential. If a connector stops delivering data to Sentinel, the entire information/event collection for that source is lost, usually silently, and any analytics rules that depend on that data stop producing results.


Microsoft Sentinel provides a way to monitor the health of data connectors. Follow the steps below to configure health monitoring.


1) Enable “Health Monitoring” in Microsoft Sentinel. It lets you keep an eye on data connector activity and on the operation of scheduled analytics rules.

- Go to Settings. Under Settings, select the ‘Settings’ tab.

- Expand ‘Health monitoring’.

- Select ‘Configure diagnostic settings’.




2) In the diagnostic settings, enable the collection of telemetry for Data Connectors (and for analytics rules, if you want those covered as well) and send it to your Log Analytics workspace.


Once these settings are configured, the data appears in the table “SentinelHealth”. This table contains health and audit records for operations performed by Microsoft Sentinel resources such as data connectors, analytics rules and more, and can be used to monitor the health of those resources. Note that only connectors that support health monitoring write to this table, so a connector that is absent from it is not necessarily healthy.



The query below returns the most recently reported status of each data connector:

SentinelHealth
| where OperationName == 'Data fetch status change'
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId


The query below lists only the connectors whose latest reported status is a failure:

SentinelHealth
| where OperationName == 'Data fetch status change'
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId
| where Status == 'Failure'


Queries like these can be used in scheduled analytics rules or Azure Monitor alerts to notify the responsible users when a connector becomes unhealthy.
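As an added example (these queries are not part of the original post), the two queries below extend the ones above. The first is the failure query in a form that drops straight into a scheduled analytics rule, adding the Description and Reason columns that the SentinelHealth schema carries for each record and the number of hours the connector has been in the failed state. The second uses the Usage table to catch the case the health table cannot: a connector that goes quiet without ever reporting a failure. The 7-day window and the 24-hour staleness threshold are assumptions and should be tuned to each source's expected cadence.

```kusto
// Added example, not from the original post. Two standalone queries; run them
// separately in Logs or use each as its own scheduled analytics rule.
// The 7d window and the 24h staleness threshold are assumptions.

// Query 1: connectors whose most recent reported state is Failure, with the
// reason Sentinel recorded and how long the failure has persisted.
SentinelHealth
| where TimeGenerated > ago(7d)
| where OperationName == 'Data fetch status change'
| summarize TimeGenerated = arg_max(TimeGenerated, *) by SentinelResourceName, SentinelResourceId
| where Status == 'Failure'
| extend HoursInFailure = datetime_diff('hour', now(), TimeGenerated)
| project TimeGenerated, SentinelResourceName, SentinelResourceId, Status,
          HoursInFailure, Description, Reason
| order by HoursInFailure desc

// Query 2: data types that were ingesting during the week but have received
// nothing in the last 24h. 'Data fetch status change' is only written when a
// connector's state changes, and not every connector supports health
// monitoring, so a source that silently stops sending never shows up in
// query 1. Usage.Quantity is the ingested volume in MB per hourly record.
Usage
| where TimeGenerated > ago(7d)
| summarize LastSeen = max(TimeGenerated), WeeklyMB = round(sum(Quantity), 1) by DataType
| where LastSeen < ago(24h)
| order by LastSeen asc
```

When you turn query 1 into an analytics rule, set the rule's lookback to cover the ago(7d) window so that a failure first reported several days ago is still caught on every run. Query 2 will also flag data types that legitimately arrive less often than daily (for example a weekly export), so either raise the threshold for those or exclude them by DataType rather than treating every hit as an incident.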



