Data Connector Health - Push Notification Alerts

pemontto 
You shouldn't be creating analytic rule, but only Logic App so that you can use above solution. 
You can also use Deploy to Azure template from Azure-Sentinel/Playbooks/Send-ConnectorHealthStatus at master · Azure/Azure-Sentinel (github.com)

I just done it again via template and it works with no issues on my Sentinel environment.

Is there a reason for not using Azure monitor alert rules for this?

This is not currently working in any of our Sentinel instances. Scheduled searches with union * fail to save with the error message:

Failed to save analytics rule 'Sentinel table missing logs'. Invalid data model. [Properties.Query: Scheduled alert rule query should not contain 'search' or 'union *']

Related Github issue: https://github.com/Azure/Azure-Sentinel/issues/1437

Thanks BenjiSec just to add the reason why pemontto  here's the explanation: Create custom analytics rules to detect threats with Azure Sentinel | Microsoft Docs

Can you expand a bit on the User Name variable used in the deployment? What kind of identity would be good practice here, and what roles or rights does the user require?

Mikko_Koivunen  thanks for your query, the username variable is the user ID with permissions to deploy the solution within your Azure environment. In this case it has to have a minimum of "Logic App Contributor" role in the resource group where you want to deploy this logic app.  To run the two queries you need a minimum of "Reader" role for the Workspace. To make the Office 365 and Teams connections you just need a mailbox in the tenant where this messages will be sent from.

Inwafula Would you be so kind to explain a part of kql query used for Tables with Data Ingestion Anomalies

Especially these below lines from the kql query,

Hi AlphaBetaGamma  thanks for raising this query. Please see below explanations. I will also make an update to the blog later on to include them in the main body for the benefit of others:

let UpperThreshold = 3 ; //+ or -3 is the suggested number and it indicates a strong anomaly though you can modify it : Outlier - Wikipedia

let LowerThreshold = -3 ; 

let TableIgnoreList = dynamic(['SecurityAlert', 'BehaviorAnalytics', 'SecurityBaseline', 'ProtectionStatus']); // select tables you want to EXCLUDE from the results

union withsource=TableName1 *

| make-series count() on TimeGenerated from ago(14d) to now() step 1d by TableName1 //create array based on ingested  data from all tables in the workspace across 14 days on a daily basis

| extend (anomalies, score, baseline) = series_decompose_anomalies(count_, 1.5, 7, 'linefit', 1, 'ctukey', 0.01) //take the array of ingested data across the 14 days and extract anomalous points with scores based on predicted values using the linear regression concept. See https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction for a detailed explanation of each argument. For an explanation of 'ctukey' read: Outlier - Wikipedia.

  in our case the seasonality argument (7) can be left at default i.e. -1 and the output would still be the same 

| where anomalies[-1] == 1 or anomalies[-1] == -1 //the output of series_decompose_anomalies function is three things: A ternary (as opposed to binary) series containing (+1, -1, 0) marking up/down/no anomaly respectively, the Anomaly score and the predicted value or baseline. 

| extend Score = score[-1] //this picks up the anomaly state from the most recent run. -1 indicates a position in the array. To see exactly how it works I suggest you run parts of the query and look at the output. i.e. up to line 9. In my case one of the runs produced the below output

Note: I filtered the columns above so as to be able to display the two score columns and anomalies in this limited space

the -1 is the position in the array counting from the extreme right. The result there will be either 1, 0 or -1

| where Score >= UpperThreshold or Score <= LowerThreshold | where TableName1 !in (TableIgnoreList) //compare with strong anomaly indicator values

| project TableName=TableName1, ExpectedCount=round(todouble(baseline[-1]),1), ActualCount=round(todouble(count_[-1]),1), AnomalyScore = round(todouble(score[-1]),1)

niklasvolcz1 you can use Azure Monitor alerts. The idea of the blog is to showcase the concept of push notifications for important alerts. However, with Azure Monitor alerts the cost is higher-even though both logic apps and azure monitor alerts are both quite low in cost. Also, when it comes to presenting the output in a HTML table-it takes more work and expertise to do so with Azure Monitor alerts