Query Details
Enabled Data Connectors
Query
//Ensure Health Monitoring is enabled SentinelHealth | where TimeGenerated > ago(7d) | where SentinelResourceType contains "Data connector" | where OperationName == "Data fetch status change" | summarize arg_max(TimeGenerated, *) by SentinelResourceName | where Status == "Success" | project SentinelResourceName, Status, TimeGenerated, Description, ExtendedProperties
Explanation
This query is designed to check if health monitoring is enabled for data connectors in Microsoft Sentinel over the past week. Here's a simple breakdown of what it does:
-
Data Source: It starts by looking at the
SentinelHealthtable, which contains health-related information for Microsoft Sentinel resources. -
Time Filter: It filters the data to only include records from the last 7 days (
TimeGenerated > ago(7d)). -
Resource Type Filter: It further narrows down the data to entries related to "Data connector" resources (
SentinelResourceType contains "Data connector"). -
Operation Filter: It looks for operations where the data fetch status has changed (
OperationName == "Data fetch status change"). -
Latest Status: It summarizes the data to get the most recent entry for each data connector (
arg_max(TimeGenerated, *) by SentinelResourceName). -
Success Filter: It only keeps records where the status of the data fetch operation is "Success" (
where Status == "Success"). -
Projection: Finally, it selects and displays specific columns: the name of the data connector (
SentinelResourceName), the status (Status), the time of the status change (TimeGenerated), a description (Description), and any additional properties (ExtendedProperties).
In summary, this query checks for successful data fetch status changes for data connectors in Microsoft Sentinel within the past week, showing the most recent successful status for each connector.
Details
Rod Trent
Released: July 28, 2025
Tables
Keywords
Operators