Query Details

Unhealthy Connectors

Query

SentinelHealth
| where OperationName == 'Data fetch status change'
| summarize arg_max(TimeGenerated, *) by SentinelResourceId, SentinelResourceKind, SentinelResourceName
| where Status == "Failure"

Explanation

This query filters the SentinelHealth table to records whose OperationName is "Data fetch status change". It then groups the results by resource ID, resource kind, and resource name, and keeps the latest record (by TimeGenerated) for each group. Finally, it keeps only the records whose Status is "Failure", so the result lists the connectors whose most recent status change was a failure.
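The same logic run over an inline table, as an added example that is not part of the original query: it shows why the Status filter comes after `arg_max`. The `SampleHealth` name, the resource IDs, kinds, connector names and the non-matching operation name are constructed for illustration.

```kql
// Constructed sample rows standing in for the SentinelHealth table (not real data).
let SampleHealth = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    SentinelResourceId: string,
    SentinelResourceKind: string,
    SentinelResourceName: string,
    Status: string)
[
    // Connector A: failed earlier, then recovered. Its latest record is a success.
    datetime(2023-06-14 08:00:00), "Data fetch status change", "/constructed/connector-a", "ConstructedKindA", "Connector A", "Failure",
    datetime(2023-06-14 09:00:00), "Data fetch status change", "/constructed/connector-a", "ConstructedKindA", "Connector A", "Success",
    // Connector B: was healthy, then failed. Its latest record is a failure.
    datetime(2023-06-14 08:30:00), "Data fetch status change", "/constructed/connector-b", "ConstructedKindB", "Connector B", "Success",
    datetime(2023-06-14 10:00:00), "Data fetch status change", "/constructed/connector-b", "ConstructedKindB", "Connector B", "Failure",
    // Connector C: only a record for a different (constructed) operation, dropped by the first filter.
    datetime(2023-06-14 11:00:00), "Constructed other operation", "/constructed/connector-c", "ConstructedKindC", "Connector C", "Failure"
];
SampleHealth
| where OperationName == 'Data fetch status change'
// One row per connector: the row with the greatest TimeGenerated, all columns kept.
| summarize arg_max(TimeGenerated, *) by SentinelResourceId, SentinelResourceKind, SentinelResourceName
// Filtering on Status only now means "currently failing".
// Placing this filter before the summarize would instead pick the latest
// failure of every connector that ever failed, including recovered ones.
| where Status == "Failure"
```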

Details

Rod Trent

Released: June 15, 2023

Tables

SentinelHealth

Keywords

SentinelHealth,OperationName,Data,TimeGenerated,SentinelResourceId,SentinelResourceKind,SentinelResourceName,Status,Failure

Operators

where, ==, summarize, arg_max, by