Query Details

Connector Failures

Query

//Detect latest failure events per connector

SentinelHealth
| where TimeGenerated > ago(3d)
| where OperationName == 'Data fetch status change'
| where Status in ('Success', 'Failure')
| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId
| where Status == 'Failure'

Explanation

This query returns the connectors whose most recent data-fetch status is a failure. It reads the SentinelHealth table, keeps only events from the last 3 days with the operation name 'Data fetch status change' and a status of 'Success' or 'Failure', and then uses arg_max to keep, for each connector (grouped by SentinelResourceName and SentinelResourceId), the single event with the latest TimeGenerated value. Only after that reduction does it filter to Status == 'Failure'. The order matters: because the success events are kept until the arg_max step, a connector that failed and later recovered has 'Success' as its latest event and is dropped, so the result lists connectors that are failing right now rather than every connector that failed at some point in the window. Two caveats when using it: the SentinelHealth table is only populated if health monitoring is enabled in the Microsoft Sentinel settings, and a connector whose last status change is older than the 3-day lookback will not appear at all, so widen the window if you want to catch long-standing failures.
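As an added example (not part of the original page), the same latest-state logic can be made more useful for triage by surfacing why the connector is failing and for how long. It assumes the standard SentinelHealth schema columns Reason, Description and SentinelResourceType, and that data connectors are tagged with the resource type value 'Data connector'; confirm both in your workspace with `SentinelHealth | getschema` before relying on the filter.

```kql
// Added example: latest failure per data connector, with reason and age of the failure.
// Assumes the SentinelHealth columns Reason, Description and SentinelResourceType,
// and the resource type value 'Data connector'; verify with: SentinelHealth | getschema
let lookback = 3d;
SentinelHealth
| where TimeGenerated > ago(lookback)
| where SentinelResourceType == 'Data connector'
| where OperationName == 'Data fetch status change'
| where Status in ('Success', 'Failure')
// keep only the most recent status-change event per connector
| summarize TimeGenerated = arg_max(TimeGenerated, *) by SentinelResourceName, SentinelResourceId
// a connector whose latest event is 'Success' has recovered and is dropped here
| where Status == 'Failure'
| extend FailingFor = now() - TimeGenerated
| project TimeGenerated, SentinelResourceName, Reason, Description, FailingFor, SentinelResourceId
| order by FailingFor desc
```

Because `lookback` is a variable, it can be raised to 7d or 30d to catch connectors whose last status change predates the default window; the `FailingFor` column then makes long-standing failures sort to the top.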

Details

Rod Trent

Released: July 18, 2023

Tables

SentinelHealth

Keywords

Detect, Failure, Events, Connector

Operators

where, ago, ==, in, summarize, arg_max, by