How to check the Azure Sentinel health for all the workspaces in my organization?

Avinash Bisoi 0 Reputation points
2024-12-20T09:36:28.5433333+00:00

Can someone help with how to check the Sentinel status across all the workspaces in the organization?

Microsoft Sentinel

2 answers

  1. Clive Watson 6,751 Reputation points MVP
    2024-12-20T10:13:05.7033333+00:00

    Hello. What status do you need to check? There are lots of things you could monitor for status.

    You could start with my "Workspace Usage" Workbook in the Content Hub; it's been there many years to give details of Workspaces and Sentinel config/health.
    There are many tabs of data to look at, the Sentinel Tab shows a summary of all workspaces in the Subscription selected (as one example, the "Regular Checks" tabs might also be useful as will the "Workspace Info" data):
    User's image

    If you have "Sentinel Health" enabled then you also have this source to look at and guide you:
    https://learn.microsoft.com/en-us/azure/sentinel/health-audit


  2. Clive Watson 6,751 Reputation points MVP
    2024-12-20T14:32:03.1133333+00:00

    The fast way is to use Azure Resource Graph (ARG), go to the 'Azure Resource Graph Explorer' in the Azure portal:

    // Sentinel is installed onto a Log Analytics workspace, so start from every
    // workspace and left-join the SecurityInsights solution resource to it.
    resources
    | where type =~ 'microsoft.operationalinsights/workspaces'
    | extend customerID = trim(' ', tostring(properties.customerId))
    | project id, customerID, name=tolower(name), type_='Log Analytics', subscriptionId
    | join kind=leftouter
    (
        resources
        // Just show Workspaces that have Sentinel enabled; the solution is named SecurityInsights(<workspace>)
        | where type =~ "microsoft.operationsmanagement/solutions"
        | where name has "SecurityInsights"
        | parse name with * '(' s_workspace ')' *
        | project name=tolower(s_workspace), type_='Microsoft Sentinel', subscriptionId
    ) on name
    // the join returns the right-hand name/subscriptionId as name1/subscriptionId1 and type_ as type_1
    | project-away name1, subscriptionId1
    | project-rename Workspace=type_, MicrosoftSentinel=type_1
    | order by ['MicrosoftSentinel'] desc

    You will then get a list - any Workspace that doesn't have the words "MicrosoftSentinel" won't have Sentinel enabled. Just remember Log Analytics is enabled for Sentinel as well. You can run parts of the query to get the lists separately if required.

    User's image

    Don't worry, when you run the KQL, you'll see the workspace name and Subscription information as well as the reduced data I've shown.

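To run the ARG query from the answer above across every subscription the caller can read and flag the workspaces that have no Sentinel, here is an added Python example (not from the answer or from Microsoft). It assumes the azure-identity and azure-mgmt-resourcegraph packages and a signed-in identity with Reader on the subscriptions; the summarize() function and SAMPLE_ROWS are constructed for illustration.

```python
from collections import defaultdict

# The query from the answer above, trimmed to the columns this script needs.
SENTINEL_QUERY = """
resources
| where type =~ 'microsoft.operationalinsights/workspaces'
| project id, name=tolower(name), subscriptionId
| join kind=leftouter (
    resources
    | where type =~ 'microsoft.operationsmanagement/solutions' and name has 'SecurityInsights'
    | parse name with * '(' s_workspace ')' *
    | project name=tolower(s_workspace), MicrosoftSentinel='Microsoft Sentinel'
) on name
| project id, name, subscriptionId, MicrosoftSentinel
"""

def run_query(query=SENTINEL_QUERY):
    """Run the query across every subscription the identity can read, following
    skip_token because ARG returns at most 1000 rows per call. SDK names are assumptions."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.resourcegraph import ResourceGraphClient
    from azure.mgmt.resourcegraph.models import QueryRequest, QueryRequestOptions
    client = ResourceGraphClient(DefaultAzureCredential())
    rows, skip_token = [], None
    while True:
        opts = QueryRequestOptions(result_format="objectArray", top=1000, skip_token=skip_token)
        resp = client.resources(QueryRequest(query=query, options=opts))
        rows.extend(resp.data)
        skip_token = resp.skip_token
        if not skip_token:
            return rows

def summarize(rows):
    """Sentinel-enabled names, plus the Log Analytics-only ones grouped by subscription."""
    rows = list(rows)
    missing = defaultdict(list)
    for r in rows:
        if not r.get("MicrosoftSentinel"):  # null/empty when the left join matched nothing
            missing[r["subscriptionId"]].append(r["name"])
    return {
        "sentinel": sorted(r["name"] for r in rows if r.get("MicrosoftSentinel")),
        "missing_by_subscription": dict(missing),
    }

# Constructed sample of run_query() output (not real workspaces).
SAMPLE_ROWS = [
    {"id": "/subscriptions/sub-a/.../prod-ws", "name": "prod-ws", "subscriptionId": "sub-a", "MicrosoftSentinel": "Microsoft Sentinel"},
    {"id": "/subscriptions/sub-a/.../dev-ws", "name": "dev-ws", "subscriptionId": "sub-a", "MicrosoftSentinel": None},
    {"id": "/subscriptions/sub-b/.../ops-ws", "name": "ops-ws", "subscriptionId": "sub-b", "MicrosoftSentinel": ""},
]
```

Call summarize(run_query()) from a signed-in session to get the live picture; summarize(SAMPLE_ROWS) shows the shape of the result offline.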
