GarudaLead

Reputation: 479

Azure Sentinel Heartbeat Monitor

I have an Azure Hybrid environment that has about 60 servers. All with the Azure Monitoring Agent on them.

My knowledge of KQL is basic so I have an extremely basic heartbeat monitor setup in Sentinel. It checks every 5 minutes and looks back over the last 5 minutes to see if all the servers have checked in. If not, it sends an email. So if a server does not check in for 20 minutes, there are 4 emails.

Ideally, what I would like to have is a query that would, when run, send the 5 minute alert, but also check to see if the 5 minute alert was already sent; if so, then not send an alert until 15 minutes, then again at 30 minutes. I'm thinking that I will need more than one alert to accomplish this.

My question is, what is it that I need to look into to create this more advanced query? Is there a certain set of commands within KQL that I should focus on? I'm new to KQL, so I know what I want to accomplish, I just don't know what tools I need to be searching for to help me create it.

Thanks in advance for the help!

Upvotes: 1

Views: 1284

Answers (1)

Ken W - Zero Networks

Reputation: 3804

You would need to look at a Playbook for this. Playbooks are Azure Logic Apps. Logic Apps can be configured to periodically run your KQL and send the alert. You will also need some sort of storage mechanism like Azure Table Storage to keep track of the last time the alert was sent; then you can do your datetime calculation to see if the alert needs to be raised or suppressed until the 15 minute mark.

See more details on Playbooks here:

https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks

Upvotes: 1
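The loop the answer describes (run the heartbeat check on a schedule, look up what was already alerted, and only send at the 5, 15 and 30 minute marks) can be prototyped outside Azure before wiring it into a Logic App. The following is an added example, not code from the question or the answer: the Heartbeat rows, the server names and the timestamps are all constructed here, a plain dict stands in for the Azure Table Storage row the answer suggests, and the choice to stop re-alerting after the 30 minute mark (until the host recovers) is an assumption the original thread does not state.

```python
"""Escalating heartbeat alert with suppression state (added example).

Simulates the playbook loop: each scheduled run gets the recent Heartbeat
rows, compares them with a persisted per-server outage record (a dict here,
Azure Table Storage in a real Logic App) and emits an alert only when the
outage has crossed a new mark on the escalation schedule.
All data below is constructed for the simulation.
"""
from datetime import datetime, timedelta, timezone

MISSING_AFTER = timedelta(minutes=5)   # same look-back window as the basic monitor
ESCALATION_MINUTES = (5, 15, 30)       # alert when the outage reaches these marks
                                       # (assumption: nothing further after 30 until recovery)


def last_heartbeat(rows):
    """Collapse Heartbeat rows (Computer, TimeGenerated) to the newest time per host."""
    latest = {}
    for row in rows:
        name, ts = row["Computer"], row["TimeGenerated"]
        if name not in latest or ts > latest[name]:
            latest[name] = ts
    return latest


def escalation_stage(down_for):
    """How many schedule marks the outage has passed (0 = nothing due yet)."""
    minutes = down_for.total_seconds() / 60
    return sum(1 for mark in ESCALATION_MINUTES if minutes >= mark)


def evaluate(rows, expected, now, state):
    """One scheduled run of the monitor.

    state maps Computer -> {"down_since": datetime, "alerted_stage": int} and
    persists between runs (that is the Table Storage row in the real playbook).
    Returns the (Computer, minutes_down) alerts to send on this run.
    """
    latest = last_heartbeat(rows)
    alerts = []
    for name in expected:
        seen = latest.get(name)
        if seen is not None and now - seen < MISSING_AFTER:
            state.pop(name, None)           # host is back: forget the outage record
            continue
        # A host never seen in the rows counts as down from this run onward.
        entry = state.setdefault(name, {"down_since": seen or now, "alerted_stage": 0})
        down_for = now - entry["down_since"]
        stage = escalation_stage(down_for)
        if stage > entry["alerted_stage"]:  # crossed a new mark: raise, then suppress
            entry["alerted_stage"] = stage
            alerts.append((name, int(down_for.total_seconds() // 60)))
    return alerts


def simulate():
    """Replay 40 minutes of 5-minute runs: web01 goes silent at t0, db01 never does."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    heartbeats = []                         # constructed Heartbeat table, one row per minute
    for minute in range(-10, 41):
        ts = t0 + timedelta(minutes=minute)
        heartbeats.append({"Computer": "db01", "TimeGenerated": ts})
        if minute <= 0:
            heartbeats.append({"Computer": "web01", "TimeGenerated": ts})

    state = {}                              # stands in for Azure Table Storage
    sent = []
    for minute in range(5, 41, 5):          # the 5-minute recurrence trigger
        now = t0 + timedelta(minutes=minute)
        visible = [r for r in heartbeats if r["TimeGenerated"] <= now]
        for name, down in evaluate(visible, ["web01", "db01"], now, state):
            sent.append((minute, name, down))
    return sent


if __name__ == "__main__":
    for minute, name, down in simulate():
        print(f"run at +{minute:2d} min: alert {name} down for {down} min")
```

Over eight runs the naive monitor would have sent eight emails for web01; `simulate()` sends three, at +5, +15 and +30 minutes, and clears the record as soon as a heartbeat reappears so the next outage starts the schedule again. In the Logic App the `rows` come from the Azure Monitor Logs connector running the same KQL as the existing rule, and `state` is the entity read from and written back to the Table Storage row. If the requirement is only a fixed quiet period rather than an escalating one, a Sentinel scheduled analytics rule's built-in suppression setting (stop running the query for a period after an alert) covers that without a playbook.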
