Merge pull request #169317 from batamig/connector-health

ttorble · web-flow · commit a797da9b4182 · 2022-01-16T10:55:22.000Z
connector health table
diff --git a/articles/sentinel/monitor-data-connector-health.md b/articles/sentinel/monitor-data-connector-health.md
@@ -1,18 +1,32 @@
 ---
-title: Monitor the health of your data connectors with this Microsoft Sentinel workbook | Microsoft Docs
-description: Use the Health Monitoring workbook to keep track of your data connectors' connectivity and performance.
-author: yelevin
+title: Monitor the health of your Microsoft Sentinel data connectors | Microsoft Docs
+description: Use the SentinelHealth data table and the Health Monitoring workbook to keep track of your data connectors' connectivity and performance.
+author: bagol
 ms.topic: how-to
 ms.custom: mvc, ignite-fall-2021
-ms.date: 11/09/2021
+ms.date: 12/30/2021
 ms.author: yelevin
 ---
 
-# Monitor the health of your data connectors with this Microsoft Sentinel workbook
+---
+# Monitor the health of your data connectors
 
 [!INCLUDE [Banner for top of topics](./includes/banner.md)]
 
-The **Data connectors health monitoring workbook** allows you to keep track of your data connectors' health, connectivity, and performance, from within Microsoft Sentinel. The workbook provides additional monitors, detects anomalies, and gives insight regarding the workspace’s data ingestion status. You can use the workbook’s logic to monitor the general health of the ingested data, and to build custom views and rule-based alerts.
+After you've configured and connected your Microsoft Sentinel workspace to your data connectors, you'll want to monitor your connector health, viewing any service or data source issues, such as authentication, throttling, and more.
+
+You also might like to configure notifications for health drifts for relevant stakeholders who can take action. For example, configure email messages, Microsoft Teams messages, new tickets in your ticketing system, and so on.
+
+This article describes how to use the following features, which allow you to keep track of your data connectors' health, connectivity, and performance from within Microsoft Sentinel:
+
+- **Data connectors health monitoring workbook**. This workbook provides additional monitors, detects anomalies, and gives insight regarding the workspace’s data ingestion status. You can use the workbook’s logic to monitor the general health of the ingested data, and to build custom views and rule-based alerts.
+
+- ***SentinelHealth* data table**. (Public preview) Provides insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states, which you can use to create alerts and other automated actions.
+
+    > [!NOTE]
+    > The *SentinelHealth* data table is currently supported only for [selected data connectors](#supported-data-connectors).
+    >
+
 
 ## Use the health monitoring workbook
 
@@ -28,9 +42,9 @@ The **Data connectors health monitoring workbook** allows you to keep track of y
 
 There are three tabbed sections in this workbook:
 
-1. The **Overview** tab shows the general status of data ingestion in the selected workspace: volume measures, EPS rates, and time last log received.
+- The **Overview** tab shows the general status of data ingestion in the selected workspace: volume measures, EPS rates, and time last log received.
 
-1. The **Data collection anomalies** tab will help you to detect anomalies in the data collection process, by table and data source. Each tab presents anomalies for a particular table (the **General** tab includes a collection of tables). The anomalies are calculated using the **series_decompose_anomalies()** function that returns an **anomaly score**. [Learn more about this function](/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction?WT.mc_id=Portal-fx). Set the following parameters for the function to evaluate:
+- The **Data collection anomalies** tab will help you to detect anomalies in the data collection process, by table and data source. Each tab presents anomalies for a particular table (the **General** tab includes a collection of tables). The anomalies are calculated using the **series_decompose_anomalies()** function that returns an **anomaly score**. [Learn more about this function](/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction?WT.mc_id=Portal-fx). Set the following parameters for the function to evaluate:
 
     - **AnomaliesTimeRange**: This time picker applies only to the data collection anomalies view.
     - **SampleInterval**: The time interval in which data is sampled in the given time range. The anomaly score is calculated only on the last interval's data.
@@ -39,7 +53,7 @@ There are three tabbed sections in this workbook:
 
         :::image type="content" source="media/monitor-data-connector-health/data-health-workbook-2.png" alt-text="data connector health monitoring workbook anomalies page" lightbox="media/monitor-data-connector-health/data-health-workbook-2.png":::
 
-1. The **Agent info** tab shows you information about the health of the Log Analytics agents installed on your various machines, whether Azure VM, other cloud VM, on-premises VM, or physical. You can monitor the following:
+- The **Agent info** tab shows you information about the health of the Log Analytics agents installed on your various machines, whether Azure VM, other cloud VM, on-premises VM, or physical. You can monitor the following:
 
    - System location
 
@@ -53,5 +67,164 @@ There are three tabbed sections in this workbook:
 
     :::image type="content" source="media/monitor-data-connector-health/data-health-workbook-3.png" alt-text="data connector health monitoring workbook agent info page" lightbox="media/monitor-data-connector-health/data-health-workbook-3.png":::
 
+## Use the SentinelHealth data table (Public preview)
+
+To get data connector health data from the *SentinelHealth* data table, you must first [turn on the Microsoft Sentinel health feature](#turn-on-microsoft-sentinel-health-for-your-workspace) for your workspace.
+
+Once the health feature is turned on, the *SentinelHealth* data table is created at the first success or failure event generated for your data connectors.
+
+> [!TIP]
+> To configure the retention time for your health events, see the [Log Analytics retention configuration documentation](/azure/azure-monitor/logs/manage-cost-storage).
+>
+
+> [!IMPORTANT]
+>
+> The SentinelHealth data table is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+>
+
+### Supported data connectors
+
+The *SentinelHealth* data table is currently supported only for the following data connectors:
+
+- [Amazon Web Services (CloudTrail)](connect-aws.md)
+- [Dynamics 365](connect-dynamics-365.md)
+- [Office 365](connect-office-365.md)
+- [Office ATP](connect-microsoft-defender-advanced-threat-protection.md)
+- [Threat Intelligence - TAXII](connect-threat-intelligence-taxii.md)
+- [Threat Intelligence Platforms](connect-threat-intelligence-tip.md)
+
+### Turn on Microsoft Sentinel health for your workspace
+
+1. In Microsoft Sentinel, under the **Configuration** menu on the left, select **Settings** and expand the **Health** section.
+
+1. Select **Configure Diagnostic Settings** and create a new diagnostic setting.
+
+    - In the **Diagnostic setting name** field, enter a meaningful name for your setting.
+
+    - In the **Category details** column, select **DataConnectors**.
+
+    - Under **Destination details**, select **Send to Log Analytics workspace**, and select your subscription and workspace from the dropdown menus.
+
+1. Select **Save** to save your new setting.
+
+The *SentinelHealth* data table is created at the first success or failure event generated for your data connectors.
+
+
+### Access the *SentinelHealth* table
+
+In the Microsoft Sentinel **Logs** page, run a query on the  *SentinelHealth* table. For example:
+
+```kusto
+SentinelHealth
+ | take 20
+```
+
+### Understanding SentinelHealth table events
+
+The following types of health events are logged in the *SentinelHealth* table:
+
+- **Data fetch status change**. Logged once an hour as long as a data connector status remains stable, with either continuous success or failure events. For as long as a data connector's status does not change, monitoring only hourly works to prevent redundant auditing and reduce table size. If the data connector's status has continuous failures, additional details about the failures are included in the *ExtendedProperties* column.
+
+    If the data connector's status changes, either from a success to failure, from failure to success, or has changes in failure reasons, the event is logged immediately to allow your team to take proactive and immediate action.
+
+    Potentially transient errors, such as source service throttling, are logged only after they've continued for more than 60 minutes. These 60 minutes allow Microsoft Sentinel to overcome a transient issue in the backend and catch up with the data, without requiring any user action. Errors that are definitely not transient are logged immediately.
+
+- **Failure summary**. Logged once an hour, per connector, per workspace, with an aggregated failure summary. Failure summary events are created only when the connector has experienced polling errors during the given hour. They contain any extra details provided in the *ExtendedProperties* column, such as the time period for which the connector's source platform was queried, and a distinct list of failures encountered during the time period.
+
+For more information, see [SentinelHealth table columns schema](#sentinelhealth-table-columns-schema).
+
+### Run queries to detect health drifts
+
+Create queries on the *SentinelHealth* table to help you detect health drifts in your data connectors. For example:
+
+**Detect latest failure events per connector**:
+
+```kusto
+SentinelHealth
+| where TimeGenerated > ago(3d)
+| where OperationName == 'Data fetch status change'
+| where Status in ('Success', 'Failure')
+| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId
+| where Status == 'Failure'
+```
+
+**Detect connectors with changes from fail to success state**:
+
+```kusto
+let lastestStatus = SentinelHealth
+| where TimeGenerated > ago(12h)
+| where OperationName == 'Data fetch status change'
+| where Status in ('Success', 'Failure')
+| project TimeGenerated, SentinelResourceName, SentinelResourceId, LastStatus = Status
+| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
+let nextToLastestStatus = SentinelHealth
+| where TimeGenerated > ago(12h)
+| where OperationName == 'Data fetch status change'
+| where Status in ('Success', 'Failure')
+| join kind = leftanti (lastestStatus) on SentinelResourceName, SentinelResourceId, TimeGenerated
+| project TimeGenerated, SentinelResourceName, SentinelResourceId, NextToLastStatus = Status
+| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
+lastestStatus
+| join kind=inner (nextToLastestStatus) on SentinelResourceName, SentinelResourceId
+| where NextToLastStatus == 'Failure' and LastStatus == 'Success'
+```
+
+**Detect connectors with changes from success to fail state**:
+
+```kusto
+let lastestStatus = SentinelHealth
+| where TimeGenerated > ago(12h)
+| where OperationName == 'Data fetch status change'
+| where Status in ('Success', 'Failure')
+| project TimeGenerated, SentinelResourceName, SentinelResourceId, LastStatus = Status
+| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
+let nextToLastestStatus = SentinelHealth
+| where TimeGenerated > ago(12h)
+| where OperationName == 'Data fetch status change'
+| where Status in ('Success', 'Failure')
+| join kind = leftanti (lastestStatus) on SentinelResourceName, SentinelResourceId, TimeGenerated
+| project TimeGenerated, SentinelResourceName, SentinelResourceId, NextToLastStatus = Status
+| summarize TimeGenerated = arg_max(TimeGenerated,*) by SentinelResourceName, SentinelResourceId;
+lastestStatus
+| join kind=inner (nextToLastestStatus) on SentinelResourceName, SentinelResourceId
+| where NextToLastStatus == 'Success' and LastStatus == 'Failure'
+```
+
+### Configure alerts and automated actions for health issues
+
+While you can use the Microsoft Sentinel [analytics rules](automate-incident-handling-with-automation-rules.md) to configure automation in Microsoft Sentinel logs, if you want to be notified and take immediate action for health drifts in your data connectors, we recommend that you use [Azure Monitor alert rules](/azure/azure-monitor/alerts/alerts-overview).
+
+For example:
+
+1. In an Azure Monitor alert rule, select your Microsoft Sentinel workspace as the rule scope, and **Custom log search** as the first condition.
+
+1. Customize the alert logic as needed, such as frequency or lookback duration, and then use [queries](#run-queries-to-detect-health-drifts) to search for health drifts.
+
+1. For the rule actions, select an existing action group or create a new one as needed to configure push notifications or other automated actions such as triggering a Logic App, Webhook, or Azure Function in your system.
+
+For more information, see [Azure Monitor alerts overview](/azure/azure-monitor/alerts/alerts-overview) and [Azure Monitor alerts log](/azure/azure-monitor/alerts/alerts-log).
+
+### SentinelHealth table columns schema
+
+The following table describes the columns and data generated in the *SentinelHealth* data table:
+
+| ColumnName    | ColumnType     | Description|
+| ----------------------------------------------- | -------------- | --------------------------------------------------------------------------- |
+| **TenantId**      | String         | The tenant ID for your Microsoft Sentinel workspace.                    |
+| **TimeGenerated** | Datetime       | The time at which the health event occurred.         |
+| <a name="operationname"></a>**OperationName** | String         | The health operation. One of the following values: <br><br>-`Data fetch status change` for health or success indications <br>- `Failure summary` for aggregated health summaries. <br><br>For more information, see [Understanding SentinelHealth table events](#understanding-sentinelhealth-table-events). |
+| <a name="sentinelresourceid"></a>**SentinelResourceId**        | String         | The unique identifier of the Microsoft Sentinel workspace and the associated connector on which the health event occurred. |
+| **SentinelResourceName**      | String         | The data connector name.                           |
+| <a name="status"></a>**Status**        | String         | Indicates `Success` or `Failure` for the `Data fetch status change` [OperationName](#operationname), and `Informational` for the `Failure summary` [OperationName](#operationname).         |
+| **Description**   | String         | Describes the operation, including extended data as needed. For example, for failures, this column might indicate the failure reason. |
+| **WorkspaceId**   | String         | The workspace GUID on which the health issue occurred. The full Azure Resource Identifier is available in the [SentinelResourceID](#sentinelresourceid) column. |
+| **SentinelResourceType**      | String         |The Microsoft Sentinel resource type being monitored: `Data connector`|
+| **SentinelResourceKind**      | String         | The type of data connector being monitored, such as `Office365`.               |
+| **RecordId**      | String         | A unique identifier for the record that can be shared with the support team for better correlation as needed.                |
+| **ExtendedProperties**        | Dynamic (json) | A JSON bag that varies by the [OperationName](#operationname) value and the [Status](#status) of the event: <br><br>- For `Data fetch status change` events with a success indicator, the bag contains a ‘DestinationTable’ property to indicate where data from this connector is expected to land. For failures, the contents vary depending on the failure type.    |
+| **Type**          | String         | `SentinelHealth`                         |
+| | | |
+
 ## Next steps
+
 Learn how to [onboard your data to Microsoft Sentinel](quickstart-onboard.md), [connect data sources](connect-data-sources.md), and [get visibility into your data, and potential threats](get-visibility.md).
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -4,7 +4,7 @@ description: This article describes new features in Microsoft Sentinel from the
 author: batamig
 ms.author: bagol
 ms.topic: conceptual
-ms.date: 12/01/2021
+ms.date: 01/13/2022
 ms.custom: ignite-fall-2021
 ---
 
@@ -29,8 +29,18 @@ If you're looking for items older than six months, you'll find them in the [Arch
 
 ## January 2021
 
+- [SentinelHealth data table (Public preview)](#sentinelhealth-data-table-public-preview)
 - [More workspaces supported for Multiple Workspace View](#more-workspaces-supported-for-multiple-workspace-view)
 - [Kusto Query Language workbook and tutorial](#kusto-query-language-workbook-and-tutorial)
+
+### SentinelHealth data table (Public preview)
+
+Microsoft Sentinel now provides the **SentinelHealth** data table to help you monitor your connector health, providing insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states. Use this data to create alerts and other automated actions, such as Microsoft Teams messages, new tickets in a ticketing system, and so on.
+
+Turn on the Microsoft Sentinel health feature for your workspace in order to have the **SentinelHealth** data table created at the next success or failure event generated for supported data connectors.
+
+For more information, see [Use the SentinelHealth data table (Public preview)](monitor-data-connector-health.md#use-the-sentinelhealth-data-table-public-preview).
+
 ### More workspaces supported for Multiple Workspace View
 
 Now, instead of being limited to 10 workspaces in Microsoft Sentinel's [Multiple Workspace View](multiple-workspace-view.md), you can view data from up to 30 workspaces simultaneously.
@@ -42,6 +52,7 @@ For more information, see:
 - [The need to use multiple Microsoft Sentinel workspaces](extend-sentinel-across-workspaces-tenants.md#the-need-to-use-multiple-microsoft-sentinel-workspaces)
 - [Work with incidents in many workspaces at once](multiple-workspace-view.md)
 - [Manage multiple tenants in Microsoft Sentinel as an MSSP](multiple-tenants-service-providers.md)
+
 ### Kusto Query Language workbook and tutorial
 
 Kusto Query Language is used in Microsoft Sentinel to search, analyze, and visualize data, as the basis for detection rules, workbooks, hunting, and more.
@@ -372,9 +383,22 @@ For more information, see:
 
 ## September 2021
 
+- [Data connector health enhancements (Public preview)](#data-connector-health-enhancements-public-preview)
+
 - [New in docs: scaling data connector documentation](#new-in-docs-scaling-data-connector-documentation)
 - [Azure Storage account connector changes](#azure-storage-account-connector-changes)
 
+### Data connector health enhancements (Public preview)
+
+Azure Sentinel now provides the ability to enhance your data connector health monitoring with a new *SentinelHealth* table. The *SentinelHealth* table is created after you've [turned on the Azure Sentinel health feature](monitor-data-connector-health.md#turn-on-microsoft-sentinel-health-for-your-workspace) in your Azure Sentinel workspace, at the first success or failure health event that's generated.
+
+For more information, see [Monitor the health of your data connectors with this Azure Sentinel workbook](monitor-data-connector-health.md).
+
+> [!NOTE]
+> The *SentinelHealth* data table is currently supported only for selected data connectors. For more information, see [Supported data connectors](monitor-data-connector-health.md#supported-data-connectors).
+>
+
+
 ### New in docs: scaling data connector documentation
 
 As we continue to add more and more built-in data connectors for Azure Sentinel, we've reorganized our data connector documentation to reflect this scaling.
