articles/sentinel/get-visibility.md (21 additions & 5 deletions)
@@ -3,13 +3,15 @@ title: Visualize collected data
3
3
description: Learn how to quickly view and monitor what's happening across your environment by using Microsoft Sentinel.
4
4
author: yelevin
5
5
ms.topic: how-to
6
-
ms.date: 06/07/2023
6
+
ms.date: 05/19/2024
7
7
ms.author: yelevin
8
8
---
9
9
10
10
# Visualize collected data
11
11
12
-
In this article, you will learn how to quickly be able to view and monitor what's happening across your environment using Microsoft Sentinel. After you connected your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use workbook templates or create a new workbook easily, from scratch or based on an existing workbook.
12
+
In this article, you will learn how to quickly be able to view and monitor what's happening across your environment using Microsoft Sentinel.
13
+
14
+
After you connected your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use workbook templates or create a new workbook easily, from scratch or based on an existing workbook.
13
15
14
16
## Get visualization
15
17
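Review bot: the intro split is fine, but the two sentences being touched still read awkwardly. "you will learn how to quickly be able to view and monitor" should be "you learn how to quickly view and monitor", and "After you connected your data sources to Microsoft Sentinel, you get instant visualization" should be "After you connect your data sources to Microsoft Sentinel, you get instant visualization". Since this hunk already rewrites the paragraph and bumps ms.date, it is the right place to fix both.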
@@ -38,10 +40,24 @@ You see different types of automation data under **Automation**.
38
40
39
41
:::image type="content" source="./media/qs-get-visibility/automation.png" alt-text="Screenshot of the Automation section in the Microsoft Sentinel Overview page." lightbox="./media/qs-get-visibility/automation.png":::
40
42
41
-
- At the top, you see a summary of the automation rules activity: Incidents closed by automation, the time the automation saved, and related playbooks health.
43
+
- At the top, you see a summary of the automation rules activity: Incidents closed by automation, the time the automation saved, and related playbooks health.
44
+
45
+
Microsoft Sentinel calculates the time saved by automation by finding the average time that a single automation saved, multiplied by the number of incidents that were resolved by automation. The formula is as follows:
46
+
47
+
`(avgWithout - avgWith) * resolvedByAutomation`
48
+
49
+
Where:
50
+
51
+
-**avgWithout** is the average time it takes for an incident to be resolved without automation.
52
+
-**avgWith** is the average time it takes for an incident to be resolved by automation.
53
+
-**resolvedByAutomation** is the number of incidents that are resolved by automation.
54
+
55
+
42
56
- Below the summary, a graph summarizes the numbers of actions performed by automation, by type of action.
57
+
43
58
- At the bottom, you can find a count of the active automation rules with a link to the automation blade.
44
59
60
+
45
61
### View status of data records, data collectors, and threat intelligence
46
62
47
63
You see different types of data on data records, data collectors, and threat intelligence under **Data**.
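Review bot: the time-saved formula block needs a unit and a boundary case stated. `(avgWithout - avgWith) * resolvedByAutomation` is introduced without saying what avgWithout and avgWith are measured in (seconds, minutes, hours), and the product is negative whenever avgWith exceeds avgWithout; say what the Overview page shows in that case (zero, a negative value, or something else). The prose lead-in also does not match the formula: "the average time that a single automation saved, multiplied by the number of incidents that were resolved by automation" should be "the average time saved per incident resolved by automation (avgWithout minus avgWith), multiplied by the number of incidents resolved by automation". Finally, the three definition lines appear here as "-**avgWithout** is ..." with no space after the leading hyphen; if that is how they are in the source, Markdown will not render them as list items, so use "- **avgWithout** is ...".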
@@ -68,10 +84,10 @@ Workbook templates provide integrated data from your connected data sources to l
68
84
2. Search for a specific workbook to see the whole list and description of what each offers.
69
85
3. Assuming you use Microsoft Entra ID, to get up and running with Microsoft Sentinel, we recommend that you install the Microsoft Entra solution for Microsoft Sentinel and use the following workbooks:
70
86
-**Microsoft Entra ID**: Use either or both of the following:
71
-
-**Microsoft Entra sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbooks provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins.
87
+
-**Microsoft Entra sign-ins** analyzes sign-ins over time to see if there are anomalies. This workbook provides failed sign-ins by applications, devices, and locations so that you can notice, at a glance if something unusual happens. Pay attention to multiple failed sign-ins.
72
88
-**Microsoft Entra audit logs** analyzes admin activities, such as changes in users (add, remove, etc.), group creation, and modifications.
73
89
74
-
- Install the appropriate solution to add a workbook for your firewall. For example, install the Palo Alto firewall solution for Microsoft Sentinel to add the Palo Alto workbooks. The workbooks analyze your firewall traffic, providing you with correlations between your firewall data and threat events, and highlights suspicious events across entities. Workbooks provide you with information about trends in your traffic and let you drill down into and filter results.
90
+
- Install the appropriate solution to add a workbook for your firewall. For example, install the Palo Alto firewall solution for Microsoft Sentinel to add the Palo Alto workbooks. The workbooks analyze your firewall traffic, providing you with correlations between your firewall data and threat events, and highlight suspicious events across entities. Workbooks provide you with information about trends in your traffic and let you drill down into and filter results.
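Review bot: the two typo fixes ("This workbook", "highlight") are correct; on the same rewritten sign-ins line, "so that you can notice, at a glance if something unusual happens" still has a stray comma and should be "so that you can notice at a glance if something unusual happens". The nested bullets under "Microsoft Entra ID: Use either or both of the following:" show as "-**Microsoft Entra sign-ins**" with no space after the hyphen; if the source really has no space, these will not render as nested list items, so use "- **Microsoft Entra sign-ins**" and indent them under the parent bullet.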
articles/sentinel/health-audit.md (20 additions & 20 deletions)
@@ -1,42 +1,44 @@
1
1
---
2
2
title: Auditing and health monitoring in Microsoft Sentinel
3
3
description: Learn about the Microsoft Sentinel health and audit feature, which monitors service health drifts and user actions.
4
-
author: limwainstein
5
-
ms.author: lwainstein
4
+
author: batamig
5
+
ms.author: bagol
6
6
ms.topic: conceptual
7
-
ms.date: 01/17/2023
7
+
ms.date: 05/20/2024
8
8
---
9
9
10
10
# Auditing and health monitoring in Microsoft Sentinel
11
11
12
-
Microsoft Sentinel is a critical service for advancing and protecting the security of your organization’s technological and information assets, so you’ll want to rest assured that it’s always running smoothly and free of interference. You’ll want to be able to make sure that the service's many moving parts are always functioning as intended and that the service isn't being manipulated by unauthorized actions, whether by internal users or otherwise. You also might like to configure notifications of health drifts or unauthorized actions to be sent to relevant stakeholders who can respond or approve a response. For example, you can set conditions to trigger the sending of emails or Microsoft Teams messages to operations teams, managers, or officers, launch new tickets in your ticketing system, and so on.
12
+
Microsoft Sentinel is a critical service for advancing and protecting the security of your organization’s technological and information assets, so you want to be sure that it's always running smoothly and free of interference.
13
+
14
+
You want to verify that the service's many moving parts are always functioning as intended, and it isn't being manipulated by unauthorized actions, whether by internal users or otherwise. You may also like to configure notifications of health drifts or unauthorized actions to be sent to relevant stakeholders who can respond or approve a response. For example, you can set conditions to trigger the sending of emails or Microsoft Teams messages to operations teams, managers, or officers, launch new tickets in your ticketing system, and so on.
13
15
14
16
This article describes how Microsoft Sentinel’s health monitoring and auditing features let you monitor the activity of some of the service’s key resources and inspect logs of user actions within the service.
15
17
16
-
## Description
17
18
18
-
This section describes the function and use cases of the health monitoring and auditing components.
19
+
## Health and audit data storage
20
+
21
+
Health and audit data are collected in two tables in your Log Analytics workspace: *SentinelHealth* and *SentinelAudit*
19
22
20
-
### Data storage
23
+
**Audit data** is collected in the *SentinelAudit* table.
21
24
22
-
Health and audit data are collected in two tables in your Log Analytics workspace:
25
+
**Health data** is collected in the *SentinelHealth* table, which captures events that record each time an automation rule is run and the end results of those runs. The *SentinelHealth* table includes:
23
26
24
-
-Health data is collected in the *SentinelHealth* table.
25
-
-Audit data is collected in the *SentinelAudit* table.
27
+
-Whether actions launched in the rule succeed or fail, and the playbooks called by the rule.
28
+
-Events that record the on-demand (manual or API-based) triggering of playbooks, including the identities that triggered them, and the end results of those runs
26
29
27
-
The prevalent way you'll use this data is by querying these tables.
30
+
The *SentinelHealth* table doesn't include a record of the execution of a playbook's contents, only whether the playbook was launched successfully. A log of the actions taken within a playbook, which are Logic Apps workflows, are listed in the *AzureDiagnostics* table. The *AzureDiagnostics* provides you with a complete picture of your automation health when used in tandem with the *SentinelHealth* data.
28
31
29
-
For best results, you should build your queries on the **pre-built functions** on these tables, ***_SentinelHealth()*** and ***_SentinelAudit()***, instead of querying the tables directly. These functions ensure the maintenance of your queries' backward compatibility in the event of changes being made to the schema of the tables themselves.
32
+
The most common way you'll use this data is by querying these tables. For best results, build your queries on the **pre-built functions** on these tables, ***_SentinelHealth()*** and ***_SentinelAudit()***, instead of querying the tables directly. These functions ensure the maintenance of your queries' backward compatibility in the event of changes being made to the schema of the tables themselves.
30
33
31
34
> [!IMPORTANT]
32
35
>
33
-
> - The *SentinelHealth* and *SentinelAudit* data tables are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
34
-
>
35
-
> - When monitoring the health of **playbooks**, you'll also need to capture Azure Logic Apps diagnostic events from your playbooks, in addition to the *SentinelHealth* data, in order to get the full picture of your playbook activity. Azure Logic Apps diagnostic data is collected in the *AzureDiagnostics* table in your workspace.
36
+
> The *SentinelHealth* and *SentinelAudit* data tables are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
37
+
>
36
38
37
-
### Use cases
39
+
### Questions to verify service health and audit data
38
40
39
-
#### Health
41
+
Use the following questions to guide your monitoring of Microsoft Sentinel's health and audit data:
40
42
41
43
**Is the data connector running correctly?**
42
44
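Review bot: the new description of SentinelHealth is too narrow. "Health data is collected in the SentinelHealth table, which captures events that record each time an automation rule is run" describes only the automation records, yet the same article goes on to ask "Is the data connector running correctly?" and "Did your analytics rule run when it was supposed to", both of which are answered from SentinelHealth as well. Suggest stating that SentinelHealth covers data connectors, analytics rules and automation (rules and playbooks), and moving the automation-specific detail (run results, on-demand playbook triggers and the identities that triggered them) into a sub-list; the second bullet, "Events that record the on-demand (manual or API-based) triggering of playbooks", is about playbooks rather than automation rules, so the lead sentence "The SentinelHealth table includes:" should say so. Grammar on the new AzureDiagnostics paragraph: "A log of the actions taken within a playbook, which are Logic Apps workflows, are listed" should be "is listed", and "The AzureDiagnostics provides you with" should be "The AzureDiagnostics table provides you with". The two new bullets appear here as "-Whether actions launched ..." with no space after the hyphen; if the source has none, they will not render as a list.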
@@ -50,14 +52,12 @@ For best results, you should build your queries on the **pre-built functions** o
50
52
51
53
[Did your analytics rule run when it was supposed to, and did it generate results](monitor-analytics-rule-integrity.md)? If you're expecting to see particular incidents in your queue but you don't, you want to know whether the rule ran but didn't find anything (or enough things), or didn't run at all.
52
54
53
-
#### Audit
54
-
55
55
**Were unauthorized changes made to an analytics rule?**
56
56
57
57
[Was something changed in the rule](monitor-analytics-rule-integrity.md)? You didn't get the results you expected from your analytics rule, and it didn't have any health issues. You want to see if any unplanned changes were made to the rule, and if so, what changes were made, by whom, from where, and when.
58
58
59
59
60
-
## How Microsoft Sentinel presents health and audit data
60
+
## Health and audit monitoring flow
61
61
62
62
To start collecting health and audit data, you need to [enable health and audit monitoring](enable-monitoring.md) in the Microsoft Sentinel settings. Then you can dive into the health and audit data that Microsoft Sentinel collects:
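Review bot: dropping the "#### Health" and "#### Audit" subheadings removes the only signal of which questions are answered from SentinelHealth and which from SentinelAudit. Under the single new heading "Questions to verify service health and audit data", "Were unauthorized changes made to an analytics rule?" now reads as one more health question, although it is answered from the audit table. Suggest keeping a short label per group (for example a bold "Health:" and "Audit:" lead-in) or naming the table in each question. The heading rename to "Health and audit monitoring flow" fits the paragraph that follows ("To start collecting health and audit data, you need to enable ...").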
articles/sentinel/monitor-automation-health.md (25 additions & 38 deletions)
@@ -1,10 +1,10 @@
1
1
---
2
2
title: Monitor the health of your Microsoft Sentinel automation rules and playbooks
3
3
description: Use the SentinelHealth and AzureDiagnostics data tables to keep track of your automation rules' and playbooks' execution and performance.
4
-
author: yelevin
5
-
ms.author: yelevin
4
+
author: batamig
5
+
ms.author: bagol
6
6
ms.topic: how-to
7
-
ms.date: 11/09/2022
7
+
ms.date: 05/20/2024
8
8
ms.service: microsoft-sentinel
9
9
---
10
10
@@ -14,33 +14,11 @@ To ensure proper functioning and performance of your security orchestration, aut
14
14
15
15
Set up notifications of health events for relevant stakeholders, who can then take action. For example, define and send email or Microsoft Teams messages, create new tickets in your ticketing system, and so on.
16
16
17
-
This article describes how to use Microsoft Sentinel's [health monitoring features](health-audit.md) to keep track of your automation rules and playbooks' health from within Microsoft Sentinel.
18
-
19
-
## Summary
20
-
21
-
22
-
23
-
24
-
-**Microsoft Sentinel automation health logs:**
25
-
26
-
- This log captures events that record the running of automation rules, and the end result of these runnings - if they succeeded or failed, and if they failed, why. The log records the collective success or failure of the launch of the actions in the rule, and it also lists the playbooks called by the rule.
27
-
- The log also captures events that record the on-demand (manual or API-based) triggering of playbooks, including the **identities that triggered them**, whether they succeeded or failed, and if they failed, why.
28
-
- This log *does not include* a record of the execution of the contents of a playbook, only of the success or failure of the launching of the playbook. For a log of the actions taken within a playbook, see the next list below.
29
-
- These logs are collected in the *SentinelHealth* table in Log Analytics.
30
-
31
-
> [!IMPORTANT]
32
-
>
33
-
> The *SentinelHealth* data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
34
-
35
-
-**Azure Logic Apps diagnostics logs:**
36
-
37
-
- These logs capture the results of the running of playbooks (also known as Logic Apps workflows) and the actions in them.
38
-
- These logs provide you with a complete picture of your automation health when used in tandem with the automation health logs.
39
-
- These logs are collected in the *AzureDiagnostics* table in Log Analytics.
17
+
This article describes how to use Microsoft Sentinel's health monitoring features to keep track of your automation rules and playbooks's health from within Microsoft Sentinel. For more information, see [Auditing and health monitoring in Microsoft Sentinel](health-audit.md).
40
18
41
19
## Use the SentinelHealth data table (Public preview)
42
20
43
-
To get automation health data from the *SentinelHealth* data table, you must first turn on the Microsoft Sentinel health feature for your workspace. For more information, see [Turn on health monitoring for Microsoft Sentinel](enable-monitoring.md).
21
+
To get automation health data from the *SentinelHealth* data table, first turn on the Microsoft Sentinel health feature for your workspace. For more information, see [Turn on health monitoring for Microsoft Sentinel](enable-monitoring.md).
44
22
45
23
Once the health feature is turned on, the *SentinelHealth* data table is created at the first success or failure event generated for your automation rules and playbooks.
46
24
@@ -66,21 +44,27 @@ For more information, see [SentinelHealth table columns schema](health-table-ref
66
44
67
45
### Statuses, errors and suggested steps
68
46
69
-
For **Automation rule run**, you may see the following statuses:
70
-
- Success: rule executed successfully, triggering all actions.
71
-
- Partial success: rule executed and triggered at least one action, but some actions failed.
72
-
- Failure: automation rule did not run any action due to one of the following reasons:
47
+
For the **Automation rule run** status, you may see the following statuses:
48
+
49
+
- **Success**: rule executed successfully, triggering all actions.
50
+
- **Partial success**: rule executed and triggered at least one action, but some actions failed.
51
+
- *Failure*: automation rule did not run any action due to one of the following reasons:
52
+
73
53
- Conditions evaluation failed.
74
54
- Conditions met, but the first action failed.
75
55
76
-
For **Playbook was triggered**, you may see the following statuses:
77
-
- Success: playbook was triggered successfully.
78
-
- Failure: playbook could not be triggered.
56
+
For the **Playbook was triggered** status, you may see the following statuses:
57
+
58
+
- **Success**: playbook was triggered successfully.
59
+
- **Failure**: playbook could not be triggered.
60
+
79
61
> [!NOTE]
80
62
>
81
-
> "Success" means only that the automation rule successfully triggered a playbook. It doesn't tell you when the playbook started or ended, the results of the actions in the playbook, or the final result of the playbook. To find this information, query the Logic Apps diagnostics logs (see the instructions later in this article).
63
+
> **Success** means only that the automation rule successfully triggered a playbook. It doesn't tell you when the playbook started or ended, the results of the actions in the playbook, or the final result of the playbook.
64
+
>
65
+
> To find this information, query the Logic Apps diagnostics logs. For more information, see [Get the complete automation picture](#get-the-complete-automation-picture).
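Review bot: the three "Automation rule run" statuses should use one emphasis style; "**Success**" and "**Partial success**" are bold but "*Failure*" is italic. "For the **Automation rule run** status, you may see the following statuses" doubles up "status"; suggest "For **Automation rule run** events, you may see the following statuses" (and the same for "Playbook was triggered"). Splitting the NOTE into two paragraphs and linking "Get the complete automation picture" is an improvement, since that heading exists later in the file.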
@@ -106,14 +90,14 @@ For **Playbook was triggered**, you may see the following statuses:
106
90
107
91
## Get the complete automation picture
108
92
109
-
Microsoft Sentinel's health monitoring table allows you to track the triggering of playbooks, but to monitor what happens inside your playbooks and their results when they're run, you must also [turn on diagnostics in Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md) to ingest the following events to the *AzureDiagnostics* table:
93
+
Microsoft Sentinel's health monitoring table allows you to track when playbooks are triggered, but to monitor what happens inside your playbooks and their results when they're run, you must also [turn on diagnostics in Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md) to ingest the following events to the *AzureDiagnostics* table:
110
94
111
95
- {Action name} started
112
96
- {Action name} ended
113
97
- Workflow (playbook) started
114
98
- Workflow (playbook) ended
115
99
116
-
These added events will give you additional insights into the actions being taken in your playbooks.
100
+
These added events provide additional insights into the actions being taken in your playbooks.
117
101
118
102
### Turn on Azure Logic Apps diagnostics
119
103
@@ -149,11 +133,14 @@ SentinelHealth
149
133
## Use the health monitoring workbook
150
134
151
135
The **Automation health** workbook helps you visualize your health data, as well as the correlation between the two types of logs that we just mentioned. The workbook includes the following displays:
136
+
152
137
- Automation rule health and details
153
138
- Playbook trigger health and details
154
139
- Playbook runs health and details (requires Azure Diagnostic enabled on the Playbook level)
155
140
- Automation details per incident
156
141
142
+
For example:
143
+
157
144
:::image type="content" source="media/monitor-automation-health/automation-health-monitoring-workbook.png" alt-text="Screenshot shows the opening panel of the automation health workbook.":::
158
145
159
146
Select the **Playbooks run by Automation Rules** tab to see playbook activity.
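Review bot: "the correlation between the two types of logs that we just mentioned" no longer has an antecedent in this article once the "Summary" section that enumerated them is deleted earlier in this PR; name them here, for example "the correlation between the SentinelHealth automation records and the Azure Logic Apps diagnostics in AzureDiagnostics". In the list item "Playbook runs health and details (requires Azure Diagnostic enabled on the Playbook level)", the feature is called "Azure Logic Apps diagnostics" elsewhere in this file (heading "Turn on Azure Logic Apps diagnostics") and "Playbook" should not be capitalised mid-sentence; suggest "(requires Azure Logic Apps diagnostics enabled at the playbook level)".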