Microsoft Sentinel health tables reference
This article describes the fields in the SentinelHealth table used for monitoring the health of Microsoft Sentinel resources. With the Microsoft Sentinel health monitoring feature, you can keep tabs on the proper functioning of your SIEM and get information on any health drifts in your environment.
Learn how to query and use the health table for deeper monitoring and visibility of actions in your environment:
- For data connectors
Important
The SentinelHealth data table is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Microsoft Sentinel's health monitoring feature covers different kinds of resources (see the resource types in the SentinelResourceType field in the first table below). Many of the data fields in the following tables apply across resource types, but some have specific applications for each type. The descriptions below will indicate one way or the other.
SentinelHealth table columns schema
The following table describes the columns and data generated in the SentinelHealth data table:
ColumnName | ColumnType | Description |
---|---|---|
TenantId | String | The tenant ID for your Microsoft Sentinel workspace. |
TimeGenerated | Datetime | The time (UTC) at which the health event occurred. |
OperationName | String | The health operation. Possible values depend on the resource type. See Operation names for different resource types for details. |
SentinelResourceId | String | The unique identifier of the resource on which the health event occurred, and its associated Microsoft Sentinel workspace. |
SentinelResourceName | String | The name of the resource (connector, rule, or playbook). |
Status | String | Indicates the overall result of the operation. Possible values depend on the operation name. See Operation names for different resource types for details. |
Description | String | Describes the operation, including extended data as needed. For failures, this can include details of the failure reason. |
Reason | Enum | Shows a basic reason or error code for the failure of the resource. Possible values depend on the resource type. More detailed reasons can be found in the Description field. |
WorkspaceId | String | The workspace GUID on which the health issue occurred. The full Azure Resource Identifier is available in the SentinelResourceID column. |
SentinelResourceType | String | The Microsoft Sentinel resource type being monitored. Possible values: Data connector , Automation rule , Playbook , Analytics rule |
SentinelResourceKind | String | A resource classification within the resource type. - For data connectors, this is the type of connected data source. - For analytics rules, this is the type of rule. |
RecordId | String | A unique identifier for the record that can be shared with the support team for better correlation as needed. |
ExtendedProperties | Dynamic (json) | A JSON bag that varies by the OperationName value and the Status of the event. See Extended properties for details. |
Type | String | SentinelHealth |
Operation names for different resource types
Resource types | Operation names | Statuses |
---|---|---|
Data collectors | Data fetch status change __________________ Data fetch failure summary |
Success Failure _____________ Informational |
Extended properties
Data connectors
For Data fetch status change
events with a success indicator, the bag contains a 'DestinationTable' property to indicate where data from this resource is expected to land. For failures, the contents vary depending on the failure type.
Automation rules
ColumnName | ColumnType | Description |
---|---|---|
ActionsTriggeredSuccessfully | Integer | Number of actions the automation rule successfully triggered. |
IncidentName | String | The resource ID of the Microsoft Sentinel incident on which the rule was triggered. |
IncidentNumber | String | The sequential number of the Microsoft Sentinel incident as shown in the portal. |
TotalActions | Integer | Number of actions configured in this automation rule. |
TriggeredOn | String | Alert or Incident . The object on which the rule was triggered. |
TriggeredPlaybooks | Dynamic (json) | A list of playbooks this automation rule triggered successfully. Each playbook record in the list contains: - RunId: The run ID for this triggering of the Logic Apps workflow - WorkflowId: The unique identifier (full ARM resource ID) of the Logic Apps workflow resource. |
TriggeredWhen | String | Created or Updated . Indicates whether the rule was triggered due to the creation or updating of an incident or alert. |
Playbooks
ColumnName | ColumnType | Description |
---|---|---|
IncidentName | String | The resource ID of the Microsoft Sentinel incident on which the rule was triggered. |
IncidentNumber | String | The sequential number of the Microsoft Sentinel incident as shown in the portal. |
RunId | String | The run ID for this triggering of the Logic Apps workflow. |
TriggeredByName | Dynamic (json) | Information on the identity (user or application) that triggered the playbook. |
TriggeredOn | String | Incident . The object on which the playbook was triggered.(Playbooks using the alert trigger are logged only if they're called by automation rules, so those playbook runs will appear in the TriggeredPlaybooks extended property under automation rule events.) |
Analytics rules
Extended properties for analytics rules reflect certain rule settings.
ColumnName | ColumnType | Description |
---|---|---|
AggregationKind | String | The event grouping setting. AlertPerResult or SingleAlert . |
AlertsGeneratedAmount | Integer | The number of alerts generated by this running of the rule. |
CorrelationId | String | The event correlation ID in GUID format. |
EntitiesDroppedDueToMappingIssuesAmount | Integer | The number of entities dropped due to mapping issues. |
EntitiesGeneratedAmount | Integer | The number of entities generated by this running of the rule. |
Issues | String | |
QueryEndTimeUTC | Datetime | The UTC time the query began to run. |
QueryFrequency | Datetime | Value of the "Run query every" setting (HH:MM:SS). |
QueryPerformanceIndicators | String | |
QueryPeriod | Datetime | Value of the "Lookup data from the last" setting (HH:MM:SS). |
QueryResultAmount | Integer | The number of results captured by the query. The rule will generate an alert if this number exceeds the threshold as defined below. |
QueryStartTimeUTC | Datetime | The UTC time the query completed its run. |
RuleId | String | The rule ID for this analytics rule. |
SuppressionDuration | Time | The rule suppression duration (HH:MM:SS). |
SuppressionEnabled | String | Is rule suppression enabled. True/False . |
TriggerOperator | String | The operator portion of the threshold of results required to generate an alert. |
TriggerThreshold | Integer | The number portion of the threshold of results required to generate an alert. |
TriggerType | String | The type of rule being triggered. Scheduled or NrtRun . |