Microsoft Sentinel health tables reference

This article describes the fields in the SentinelHealth table used for monitoring the health of Microsoft Sentinel resources. With the Microsoft Sentinel health monitoring feature, you can keep tabs on the proper functioning of your SIEM and get information on any health drifts in your environment.

Learn how to query and use the health table for deeper monitoring and visibility of actions in your environment:

Important

The SentinelHealth data table is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Microsoft Sentinel's health monitoring feature covers different kinds of resources (see the resource types in the SentinelResourceType field in the first table below). Many of the data fields in the following tables apply across resource types, but some have specific applications for each type. The descriptions below will indicate one way or the other.

SentinelHealth table columns schema

The following table describes the columns and data generated in the SentinelHealth data table:

ColumnName ColumnType Description
TenantId String The tenant ID for your Microsoft Sentinel workspace.
TimeGenerated Datetime The time (UTC) at which the health event occurred.
OperationName String The health operation. Possible values depend on the resource type.
See Operation names for different resource types for details.
SentinelResourceId String The unique identifier of the resource on which the health event occurred, and its associated Microsoft Sentinel workspace.
SentinelResourceName String The name of the resource (connector, rule, or playbook).
Status String Indicates the overall result of the operation. Possible values depend on the operation name.
See Operation names for different resource types for details.
Description String Describes the operation, including extended data as needed. For failures, this can include details of the failure reason.
Reason Enum Shows a basic reason or error code for the failure of the resource. Possible values depend on the resource type. More detailed reasons can be found in the Description field.
WorkspaceId String The workspace GUID on which the health issue occurred. The full Azure Resource Identifier is available in the SentinelResourceID column.
SentinelResourceType String The Microsoft Sentinel resource type being monitored.
Possible values: Data connector, Automation rule, Playbook, Analytics rule
SentinelResourceKind String A resource classification within the resource type.
- For data connectors, this is the type of connected data source.
- For analytics rules, this is the type of rule.
RecordId String A unique identifier for the record that can be shared with the support team for better correlation as needed.
ExtendedProperties Dynamic (json) A JSON bag that varies by the OperationName value and the Status of the event.
See Extended properties for details.
Type String SentinelHealth

Operation names for different resource types

Resource types Operation names Statuses
Data collectors Data fetch status change

__________________
Data fetch failure summary
Success
Failure
_____________
Informational

Extended properties

Data connectors

For Data fetch status change events with a success indicator, the bag contains a 'DestinationTable' property to indicate where data from this resource is expected to land. For failures, the contents vary depending on the failure type.

Automation rules

ColumnName ColumnType Description
ActionsTriggeredSuccessfully Integer Number of actions the automation rule successfully triggered.
IncidentName String The resource ID of the Microsoft Sentinel incident on which the rule was triggered.
IncidentNumber String The sequential number of the Microsoft Sentinel incident as shown in the portal.
TotalActions Integer Number of actions configured in this automation rule.
TriggeredOn String Alert or Incident. The object on which the rule was triggered.
TriggeredPlaybooks Dynamic (json) A list of playbooks this automation rule triggered successfully.

Each playbook record in the list contains:
- RunId: The run ID for this triggering of the Logic Apps workflow
- WorkflowId: The unique identifier (full ARM resource ID) of the Logic Apps workflow resource.
TriggeredWhen String Created or Updated. Indicates whether the rule was triggered due to the creation or updating of an incident or alert.

Playbooks

ColumnName ColumnType Description
IncidentName String The resource ID of the Microsoft Sentinel incident on which the rule was triggered.
IncidentNumber String The sequential number of the Microsoft Sentinel incident as shown in the portal.
RunId String The run ID for this triggering of the Logic Apps workflow.
TriggeredByName Dynamic (json) Information on the identity (user or application) that triggered the playbook.
TriggeredOn String Incident. The object on which the playbook was triggered.
(Playbooks using the alert trigger are logged only if they're called by automation rules, so those playbook runs will appear in the TriggeredPlaybooks extended property under automation rule events.)

Analytics rules

Extended properties for analytics rules reflect certain rule settings.

ColumnName ColumnType Description
AggregationKind String The event grouping setting. AlertPerResult or SingleAlert.
AlertsGeneratedAmount Integer The number of alerts generated by this running of the rule.
CorrelationId String The event correlation ID in GUID format.
EntitiesDroppedDueToMappingIssuesAmount Integer The number of entities dropped due to mapping issues.
EntitiesGeneratedAmount Integer The number of entities generated by this running of the rule.
Issues String
QueryEndTimeUTC Datetime The UTC time the query began to run.
QueryFrequency Datetime Value of the "Run query every" setting (HH:MM:SS).
QueryPerformanceIndicators String
QueryPeriod Datetime Value of the "Lookup data from the last" setting (HH:MM:SS).
QueryResultAmount Integer The number of results captured by the query.
The rule will generate an alert if this number exceeds the threshold as defined below.
QueryStartTimeUTC Datetime The UTC time the query completed its run.
RuleId String The rule ID for this analytics rule.
SuppressionDuration Time The rule suppression duration (HH:MM:SS).
SuppressionEnabled String Is rule suppression enabled. True/False.
TriggerOperator String The operator portion of the threshold of results required to generate an alert.
TriggerThreshold Integer The number portion of the threshold of results required to generate an alert.
TriggerType String The type of rule being triggered. Scheduled or NrtRun.

Next steps