Monitor the health of your data connectors with this Microsoft Sentinel workbook
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
The Data connectors health monitoring workbook allows you to keep track of your data connectors' health, connectivity, and performance, from within Microsoft Sentinel. The workbook provides additional monitors, detects anomalies, and gives insight regarding the workspace’s data ingestion status. You can use the workbook’s logic to monitor the general health of the ingested data, and to build custom views and rule-based alerts.
Use the health monitoring workbook
From the Microsoft Sentinel portal, select Workbooks from the Threat management menu.
In the Workbooks gallery, enter health in the search bar, and select Data collection health monitoring from among the results.
Select View template to use the workbook as is, or select Save to create an editable copy of the workbook. When the copy is created, select View saved workbook.
Once in the workbook, first select the subscription and workspace you wish to view, then define the TimeRange to filter the data according to your needs. Use the Show help toggle to display in-place explanation of the workbook.
There are three tabbed sections in this workbook:
The Overview tab shows the general status of data ingestion in the selected workspace: volume measures, EPS rates, and time last log received.
The Data collection anomalies tab will help you to detect anomalies in the data collection process, by table and data source. Each tab presents anomalies for a particular table (the General tab includes a collection of tables). The anomalies are calculated using the series_decompose_anomalies() function that returns an anomaly score. Learn more about this function. Set the following parameters for the function to evaluate:
AnomaliesTimeRange: This time picker applies only to the data collection anomalies view.
SampleInterval: The time interval in which data is sampled in the given time range. The anomaly score is calculated only on the last interval's data.
PositiveAlertThreshold: This value defines the positive anomaly score threshold. It accepts decimal values.
NegativeAlertThreshold: This value defines the negative anomaly score threshold. It accepts decimal values.
The Agent info tab shows you information about the health of the Log Analytics agents installed on your various machines, whether Azure VM, other cloud VM, on-premises VM, or physical. You can monitor the following:
Heartbeat status and latency
Available memory and disk space
In this section you must select the tab that describes your machines’ environment: choose the Azure-managed machines tab if you want to view only the Azure Arc-managed machines; choose the All machines tab to view both managed and non-Azure machines with the Log Analytics agent installed.