Microsoft Sentinel health tables reference

Time: 2026-02-22 08:40 | Source: | Author: admin | Views: 4
Learn about the fields in the SentinelHealth tables, used for health monitoring and analysis.

Attention: All Microsoft Sentinel features will be officially retired in Azure in China regions on August 18, 2026 per the announcement posted by 21Vianet.

This article describes the fields in the SentinelHealth table used for monitoring the health of Microsoft Sentinel resources. With the Microsoft Sentinel health monitoring feature, you can keep tabs on the proper functioning of your SIEM and get information on any health drifts in your environment.

Learn how to query and use the health table for deeper monitoring and visibility of actions in your environment.

Microsoft Sentinel's health monitoring feature covers different kinds of resources (see the resource types in the SentinelResourceType field in the first table below). Many of the data fields in the following tables apply across resource types, but some have specific applications for each type. The descriptions below indicate which applies.

SentinelHealth table columns schema

The following table describes the columns and data generated in the SentinelHealth data table:

ColumnName | ColumnType | Description
--- | --- | ---
TenantId | String | The tenant ID for your Microsoft Sentinel workspace.
TimeGenerated | Datetime | The time (UTC) at which the health event occurred.
OperationName | String | The health operation. Possible values depend on the resource type; see the operation names table below for details.
SentinelResourceId | String | The unique identifier of the resource on which the health event occurred, and its associated Microsoft Sentinel workspace.
SentinelResourceName | String | The name of the resource (connector, rule, or playbook).
Status | String | Indicates the overall result of the operation. Possible values depend on the operation name; see the operation names table below for details.
Description | String | Describes the operation, including extended data as needed. For failures, this can include details of the failure reason.
Reason | Enum | Shows a basic reason or error code for the failure of the resource. Possible values depend on the resource type. More detailed reasons can be found in the Description field.
WorkspaceId | String | The workspace GUID on which the health issue occurred. The full Azure Resource Identifier is available in the SentinelResourceId column.
SentinelResourceType | String | The Microsoft Sentinel resource type being monitored. Possible values: Data connector, Automation rule, Playbook, Analytics rule.
SentinelResourceKind | String | A resource classification within the resource type. For data connectors, this is the type of connected data source; for analytics rules, this is the type of rule.
RecordId | String | A unique identifier for the record that can be shared with the support team for better correlation as needed.
ExtendedProperties | Dynamic (json) | A JSON bag whose contents vary by the SentinelResourceType value and the OperationName of the event. See the Extended properties section below for details.
Type | String | SentinelHealth
Operation names for different resource types

Resource type | Operation name | Statuses
--- | --- | ---
Data connectors | Data fetch status change | Success, Failure
Data connectors | Data fetch failure summary | Informational
Automation rules | Automation rule run | Success, Partial success, Failure
Playbooks | Playbook was triggered | Success, Failure
Analytics rules | Scheduled analytics rule run | Success, Failure
Analytics rules | NRT analytics rule run | Success, Failure
Extended properties

Data connectors

For Data fetch status change events with a success indicator, the bag contains a 'DestinationTable' property to indicate where data from this resource is expected to land. For failures, the contents vary depending on the failure type.

Automation rules

ColumnName | ColumnType | Description
--- | --- | ---
ActionsTriggeredSuccessfully | Integer | Number of actions the automation rule successfully triggered.
IncidentName | String | The resource ID of the Microsoft Sentinel incident on which the rule was triggered.
IncidentNumber | String | The sequential number of the Microsoft Sentinel incident as shown in the portal.
TotalActions | Integer | Number of actions configured in this automation rule.
TriggeredOn | String | Alert or Incident. The object on which the rule was triggered.
TriggeredPlaybooks | Dynamic (json) | A list of playbooks this automation rule triggered successfully. Each playbook record in the list contains RunId (the run ID for this triggering of the Logic Apps workflow) and WorkflowId (the unique identifier, the full ARM resource ID, of the Logic Apps workflow resource).
TriggeredWhen | String | Created or Updated. Indicates whether the rule was triggered due to the creation or updating of an incident or alert.
Playbooks

ColumnName | ColumnType | Description
--- | --- | ---
IncidentName | String | The resource ID of the Microsoft Sentinel incident on which the rule was triggered.
IncidentNumber | String | The sequential number of the Microsoft Sentinel incident as shown in the portal.
RunId | String | The run ID for this triggering of the Logic Apps workflow.
TriggeredByName | Dynamic (json) | Information on the identity (user or application) that triggered the playbook.
TriggeredOn | String | Incident. The object on which the playbook was triggered. (Playbooks using the alert trigger are logged only if they're called by automation rules, so those playbook runs appear in the TriggeredPlaybooks extended property under automation rule events.)
Analytics rules

Extended properties for analytics rules reflect certain rule settings.

ColumnName | ColumnType | Description
--- | --- | ---
AggregationKind | String | The event grouping setting. AlertPerResult or SingleAlert.
AlertsGeneratedAmount | Integer | The number of alerts generated by this running of the rule.
CorrelationId | String | The event correlation ID in GUID format.
EntitiesDroppedDueToMappingIssuesAmount | Integer | The number of entities dropped due to mapping issues.
EntitiesGeneratedAmount | Integer | The number of entities generated by this running of the rule.
Issues | String |
QueryEndTimeUTC | Datetime | The UTC time the query began to run.
QueryFrequency | Datetime | Value of the "Run query every" setting (HH:MM:SS).
QueryPerformanceIndicators | String |
QueryPeriod | Datetime | Value of the "Lookup data from the last" setting (HH:MM:SS).
QueryResultAmount | Integer | The number of results captured by the query. The rule generates an alert if this number exceeds the threshold defined by TriggerOperator and TriggerThreshold below.
QueryStartTimeUTC | Datetime | The UTC time the query completed its run.
RuleId | String | The rule ID for this analytics rule.
SuppressionDuration | Time | The rule suppression duration (HH:MM:SS).
SuppressionEnabled | String | Is rule suppression enabled. True/False.
TriggerOperator | String | The operator portion of the threshold of results required to generate an alert.
TriggerThreshold | Integer | The number portion of the threshold of results required to generate an alert.
TriggerType | String | The type of rule being triggered. Scheduled or NrtRun.
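As an added example (not part of the original article), the following KQL query uses the SentinelHealth columns and extended properties described above to surface unhealthy resources of every monitored type; the 24-hour lookback window is an assumed value chosen for illustration.

```kusto
// Added example: surface unhealthy Microsoft Sentinel resources from SentinelHealth.
// The 24h lookback is an assumed value; adjust it to your monitoring cadence.
let lookback = 24h;
// Data connectors whose latest "Data fetch status change" event is a failure.
// arg_max keeps only the most recent event per resource, so connectors that
// have since recovered are not reported.
let connectorFailures =
    SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Data connector"
        and OperationName == "Data fetch status change"
    | summarize arg_max(TimeGenerated, *) by SentinelResourceId
    | where Status == "Failure"
    | project TimeGenerated, SentinelResourceType, SentinelResourceName,
              SentinelResourceKind, Status, Reason, Description;
// Analytics rule runs that failed outright or silently dropped entities
// because of mapping issues (read from the ExtendedProperties JSON bag).
let ruleIssues =
    SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType == "Analytics rule"
    | extend EntitiesDropped  = toint(ExtendedProperties.EntitiesDroppedDueToMappingIssuesAmount),
             QueryResults     = toint(ExtendedProperties.QueryResultAmount),
             TriggerOperator  = tostring(ExtendedProperties.TriggerOperator),
             TriggerThreshold = toint(ExtendedProperties.TriggerThreshold)
    | where Status == "Failure" or EntitiesDropped > 0
    | project TimeGenerated, SentinelResourceType, SentinelResourceName,
              SentinelResourceKind, Status, Reason, Description,
              EntitiesDropped, QueryResults, TriggerOperator, TriggerThreshold;
// Automation rules where not every configured action was triggered, and
// playbooks that failed when called.
let automationIssues =
    SentinelHealth
    | where TimeGenerated > ago(lookback)
    | where SentinelResourceType in ("Automation rule", "Playbook")
    | extend ActionsOk      = toint(ExtendedProperties.ActionsTriggeredSuccessfully),
             ActionsTotal   = toint(ExtendedProperties.TotalActions),
             IncidentNumber = tostring(ExtendedProperties.IncidentNumber)
    | where Status in ("Failure", "Partial success") or ActionsOk < ActionsTotal
    | project TimeGenerated, SentinelResourceType, SentinelResourceName,
              SentinelResourceKind, Status, Reason, Description,
              IncidentNumber, ActionsOk, ActionsTotal;
// Combine the three views into one triage list, newest first.
union connectorFailures, ruleIssues, automationIssues
| order by TimeGenerated desc
```

Columns that do not apply to a given resource type come back empty in the union, which makes the combined result easy to pin to a workbook or turn into a scheduled health alert.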