Forum Discussion
cyberHardik
May 31, 2021, Copper Contributor
Sentinel data Connector Health Status -email notification
Hey guys, I have created a playbook for monitoring Sentinel data connector health, and an email notification is set up if there are no logs received for any connector in the last 48 hours. It is fully ...
CliveWatson
Microsoft
Not currently but this is being looked at. For now you have the Solution name.
cyberHardik
Jun 11, 2021, Copper Contributor
Thanks a lot for such a swift reply. I tried to fetch 2 days of logs and added the Solution name column, but it is not getting populated against all data types. Below is the snip for better understanding:
Is Solution name currently available for some data types only, as I am ingesting all data types?
Moreover, extending a new Status column would suffice for my requirement.
CliveWatson
Jun 11, 2021, Microsoft
The Usage table is designed for questions like this. I suspect you are using "union *", and it won't guarantee in the query that each type/row maps to a solution, hence the missing Solution field.
Usage
| summarize make_set(DataType), dcount(DataType) by Solution
cyberHardik
Jun 11, 2021, Copper Contributor
You got me @Clive Watson
Absolutely bang on, genius!
Yup, I am using union *. Thanks a lot for your help, all sorted now except one thing: as logs are pulled over a given time frame, if there are no logs in that time frame then the Data Type will not be present in the projected table and all the hard work will go in vain. What do you suggest in that case?
cyberHardik
Jun 14, 2021, Copper Contributor
CliveWatson
I am still waiting for your response.
CliveWatson
Jun 15, 2021, Microsoft
You can join the returned result with the Usage table; the new last line would be something like the following. It would be helpful to share your query (DM me if necessary).
| join (Usage | distinct Solution, DataType) on $left.Type == $right.DataType
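The thread's two points (use the Usage table rather than "union *" to get the Solution name, and keep a data type visible even when it sent nothing in the alert window) can be combined into one query. This is an added example, not a query from either participant; the 30-day baseline and the 48-hour threshold are assumptions to adjust to your workspace.

```kql
// Added example: per-DataType connector health driven entirely by the Usage table.
// Usage records ingestion volume per Solution/DataType per hour, so a data type that
// went quiet during the last 48 hours still appears as long as it ingested something
// within the baseline window. This avoids the "missing row" problem of querying only
// the alert window.
let baseline  = 30d;   // assumption: how far back a data type must have ingested to be "expected"
let threshold = 48h;   // assumption: alert if no ingestion within this window
Usage
| where TimeGenerated > ago(baseline)
| summarize LastSeen = max(TimeGenerated),
            BaselineMB = sum(Quantity)        // Usage.Quantity is in MB
    by Solution, DataType
| extend HoursSilent = datetime_diff('hour', now(), LastSeen)
| extend Status = iff(LastSeen < ago(threshold), "NoDataIn48h", "Healthy")
| project Solution, DataType, LastSeen, HoursSilent, Status, BaselineMB
| order by Status asc, HoursSilent desc
```

Filter on Status == "NoDataIn48h" in the playbook's alert step; the Healthy rows are kept here only so the baseline can be eyeballed.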