r/AZURE
Detecting log ingestion dropouts per server in Sentinel
We’re an MSSP using Azure Lighthouse to monitor many Microsoft Sentinel workspaces.
We’re trying to improve how we detect when a server stops sending logs to Sentinel, and ideally tell the difference between:
- a temporary ingestion drop, and
- a real issue (agent/DCR/connectivity).
Today we use a scheduled query checking for events over the last 2 hours, which triggers a ticket and customer notification. It works, but creates noise and isn’t very precise.
How are others handling this?
- Better KQL patterns or baselining?
- Using AMA / Arc signals instead of raw log presence?
- Grace periods to avoid false positives?
- Sentinel-native vs Logic Apps / external automation?
Interested in real-world approaches that scale across many workspaces.
Thanks!
u/Historical-Ear7543 — 4 hours ago
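A per-server baselined version of the fixed two-hour check described in the post, added here as an example (not the poster's query or vendor guidance). It assumes the monitored servers write to the workspace's Heartbeat table; the lookback, grace and minimum-sample values are placeholders to tune per customer.

```kql
// Per-computer ingestion-gap detection with a learned baseline and a grace period.
// Assumptions (constructed for this example): Heartbeat is populated by the agents on
// the monitored servers, and the three tunables below are adjusted per customer.
let lookback = 7d;             // window used to learn each server's normal cadence
let graceSec = 1800;           // slack (30 min) before a missed interval counts as a gap
let minBaselineSamples = 50;   // skip servers with too little history to baseline
// 1. Learn the typical interval between consecutive heartbeats for each server.
let baseline =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | project Computer, TimeGenerated
    | order by Computer asc, TimeGenerated asc
    | extend PrevTime = prev(TimeGenerated), PrevComputer = prev(Computer)
    | where PrevComputer == Computer          // only compare within the same server
    | extend GapSec = datetime_diff('second', TimeGenerated, PrevTime)
    | summarize Samples = count(),
                TypicalGapSec = percentile(GapSec, 95),   // tolerant of occasional jitter
                LastSeen = max(TimeGenerated)
        by Computer
    | where Samples >= minBaselineSamples;
// 2. Flag only servers whose silence exceeds their own baseline plus the grace period,
//    and label a short dropout differently from a sustained outage so the ticket
//    and customer notification can be held until the condition persists.
baseline
| extend SilenceSec = datetime_diff('second', now(), LastSeen)
| extend ThresholdSec = TypicalGapSec + graceSec
| where SilenceSec > ThresholdSec
| extend Severity = case(
    SilenceSec > 3 * ThresholdSec, "SustainedOutage",   // likely agent/DCR/connectivity
    "TransientDropout")                                  // re-evaluate on the next run
| project Computer, LastSeen, SilenceSec, TypicalGapSec, ThresholdSec, Severity
| order by SilenceSec desc
```

Run as a scheduled analytics rule; a server that appears as TransientDropout on one run and SustainedOutage on a later one is the signal worth escalating.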