Auditing and health monitoring in Microsoft Sentinel

Microsoft Sentinel is a critical service for protecting your organization's technology and information assets, so you need assurance that it is running correctly and free of interference: that its many moving parts (data connectors, analytics rules, automation rules and playbooks) are functioning as intended, and that the service isn't being altered by unauthorized actions, whether by internal users or otherwise. You might also want notifications of health drift or unauthorized actions sent to the stakeholders who can respond or approve a response. For example, you can set conditions that trigger emails or Microsoft Teams messages to operations teams, managers, or officers, open new tickets in your ticketing system, and so on.

This article describes how Microsoft Sentinel’s health monitoring and auditing features let you monitor the activity of some of the service’s key resources and inspect logs of user actions within the service.

Description

This section describes the function and use cases of the health monitoring and auditing components.

Data storage

Health and audit data are collected in two tables in your Log Analytics workspace:

  • Health data is collected in the SentinelHealth table.
  • Audit data is collected in the SentinelAudit table.

You'll use this data mainly by querying these tables.

For best results, build your queries on the pre-built functions over these tables, _SentinelHealth() and _SentinelAudit(), instead of querying the tables directly. The functions preserve your queries' backward compatibility if the schema of the underlying tables changes.

Important

  • The SentinelHealth and SentinelAudit data tables are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

  • When monitoring the health of playbooks, you'll also need to capture Azure Logic Apps diagnostic events from your playbooks, in addition to the SentinelHealth data, in order to get the full picture of your playbook activity. Azure Logic Apps diagnostic data is collected in the AzureDiagnostics table in your workspace.
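The following query is an added example (it is not part of the original article or Microsoft's own content) showing how the two sources described above fit together: automation rule problems are read through the _SentinelHealth() function rather than the raw table, and playbook (Logic App) run failures are read from AzureDiagnostics, then both are unioned into one view. The value names used for filtering (SentinelResourceType, Status, and the Logic Apps diagnostic fields such as Category, status_s, resource_workflowName_s, error_code_s and error_message_s) are assumptions about the schemas; confirm them in your workspace before building alerts on this query.

```kql
// Added example: one view of automation rule health and playbook run failures.
// Assumptions: SentinelResourceType == "Automation rule" and Status == "Success"
// are the values used by SentinelHealth; the AzureDiagnostics column names below
// are those emitted by Logic Apps WorkflowRuntime diagnostic settings.
let lookback = 1d;
// Automation rule runs that reported something other than success, via the function
let ruleProblems = _SentinelHealth()
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Automation rule"
    | where Status != "Success"
    | project TimeGenerated,
              Source = "SentinelHealth",
              Name = SentinelResourceName,
              Status,
              Detail = Description;
// Playbook runs that failed, from the Logic Apps diagnostic events in AzureDiagnostics
let playbookFailures = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.LOGIC"
    | where Category == "WorkflowRuntime"
    | where OperationName == "Microsoft.Logic/workflows/workflowRunCompleted"
    | where status_s == "Failed"
    | project TimeGenerated,
              Source = "AzureDiagnostics",
              Name = resource_workflowName_s,
              Status = status_s,
              Detail = strcat(error_code_s, ": ", error_message_s);
union ruleProblems, playbookFailures
| order by TimeGenerated desc
```

If the AzureDiagnostics half returns nothing while you know playbooks have run, the usual cause is that the playbook's diagnostic settings are not sending WorkflowRuntime logs to this workspace; the SentinelHealth half on its own will not show you a playbook that was triggered but failed inside Logic Apps.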

Use cases

Health

Is the data connector running correctly?

Is the data connector receiving data? For example, if you've configured a connector to run a query every 5 minutes, you want to check whether that query is actually being run, how it's performing, and whether it's reporting errors or failures.

Did an automation rule run as expected?

Did your automation rule run when it was supposed to—that is, when its conditions were met? Did all the actions in the automation rule run successfully?

Did an analytics rule run as expected?

Did your analytics rule run when it was supposed to, and did it generate results? If you're expecting to see particular incidents in your queue but you don't, you want to know whether the rule ran but didn't find anything (or enough things), or didn't run at all.
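The three health questions above (connector failing, automation or analytics rule failing, rule not running at all) map to three checks against _SentinelHealth(). The query below is an added example, not content from the original article or from Microsoft; it answers the "didn't run at all" question by comparing each rule's most recent run against a baseline window, since the health table only records runs that happened. The values "Analytics rule", "Data connector" and "Success"/"Failure" for SentinelResourceType and Status are assumptions about the schema; run `_SentinelHealth() | distinct SentinelResourceType, OperationName, Status` first to confirm them.

```kql
// Added example: three health checks in one result set.
// Assumptions: SentinelResourceType values "Analytics rule" and "Data connector";
// Status values "Success" and "Failure". Verify in your workspace first.
let lookback = 1d;   // window in which we expect every active rule to have run
let baseline = 7d;   // window used to discover which rules normally run at all
let health = _SentinelHealth()
    | where TimeGenerated > ago(baseline);
// 1. Analytics rules whose most recent run did not succeed (ran, but with a problem)
let failedRules = health
    | where SentinelResourceType == "Analytics rule"
    | summarize arg_max(TimeGenerated, Status, Description) by SentinelResourceName
    | where Status != "Success"
    | project Finding = "Analytics rule: last run not successful",
              SentinelResourceName, TimeGenerated, Status, Description;
// 2. Analytics rules that ran during the baseline window but not during the lookback
//    window: the "didn't run at all" case, which no single health record reports
let silentRules = health
    | where SentinelResourceType == "Analytics rule"
    | summarize LastRun = max(TimeGenerated) by SentinelResourceName
    | where LastRun < ago(lookback)
    | project Finding = "Analytics rule: no run recorded in lookback window",
              SentinelResourceName, TimeGenerated = LastRun,
              Status = "", Description = "";
// 3. Data connectors whose latest status change reports a failure
let connectorFailures = health
    | where SentinelResourceType == "Data connector"
    | summarize arg_max(TimeGenerated, Status, Description) by SentinelResourceName
    | where Status == "Failure"
    | project Finding = "Data connector: failing",
              SentinelResourceName, TimeGenerated, Status, Description;
union failedRules, silentRules, connectorFailures
| order by TimeGenerated desc
```

Check 2 deliberately uses a baseline rather than a list of enabled rules: the health table cannot tell you that a rule exists, only that it ran, so a rule that was disabled or deleted within the baseline window will appear as "silent" until the baseline rolls past it. Cross-check such hits against _SentinelAudit() before treating them as an outage.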

Audit

Were unauthorized changes made to an analytics rule?

Was something changed in the rule? You didn't get the results you expected from your analytics rule, and it didn't have any health issues. You want to see if any unplanned changes were made to the rule, and if so, what changes were made, by whom, from where, and when.
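The audit question above (what changed, by whom, from where, and when) is answered from _SentinelAudit(). The query below is an added example rather than content from the original article or from Microsoft. It filters analytics rule changes down to callers outside an allow-list of accounts that are expected to change rules, so that a rule edited by anyone else stands out. The OperationName values and the property names read out of ExtendedProperties (CallerName, CallerIpAddress, ResourceDiffMemberName, ResourceDiffMemberValue) are assumptions about the schema; confirm them with `_SentinelAudit() | take 5` before relying on them, and replace the placeholder allow-list with your own change-management identities.

```kql
// Added example: analytics rule changes made by accounts not on the approved list.
// Assumptions: OperationName values below; ExtendedProperties carries the caller
// identity, source IP and the diff of changed members. Verify in your workspace.
let lookback = 7d;
// Placeholder: identities that are allowed to change rules (for example a deployment pipeline)
let approvedChangeAccounts = dynamic(["sentinel-deploy@contoso.example"]);
_SentinelAudit()
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == "Analytics rule"
| where OperationName in ("Create analytics rule", "Update analytics rule", "Delete analytics rule")
| extend CallerName      = tostring(ExtendedProperties.CallerName),
         CallerIpAddress = tostring(ExtendedProperties.CallerIpAddress),
         ChangedMembers  = ExtendedProperties.ResourceDiffMemberName,
         ChangedValues   = ExtendedProperties.ResourceDiffMemberValue
// Only changes by callers who are not expected to touch rules
| where CallerName !in (approvedChangeAccounts)
| project TimeGenerated,
          OperationName,
          RuleName = SentinelResourceName,
          Status,
          CallerName,
          CallerIpAddress,
          ChangedMembers,
          ChangedValues,
          Description
| order by TimeGenerated desc
```

A useful second pass on the same data is to drop the caller filter and group by RuleName and CallerName over a longer window: a rule that has been toggled off and on, or had its query or threshold edited repeatedly, is a better candidate for review than a single edit by an unfamiliar account.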

How Microsoft Sentinel presents health and audit data

To start collecting health and audit data, you need to enable health and audit monitoring in the Microsoft Sentinel settings. Then you can dive into the health and audit data that Microsoft Sentinel collects:

Next steps

See also: