list all log sources

Question

So I'm just getting started with Microsoft Sentinel, and am looking for a way to produce a single report "listing all log sources".&nbsp;I'm looking for something like:TableName, SourceType, ComputerName&nbsp;I have triedCommonSecurityLog
| summarize by DeviceVendor, ComputerFrom&nbsp;Link, but Only get the first&nbsp; DeviceVendor (Fortinet in my case) but I don't get all other types.&nbsp;&nbsp;

rod_trent · Answer

If you don't have the other types in the CommonSecurityLog, they won't show up.

Try something like the following...
https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt

This will show the workspace, tablename, and the solution that generated the table.

scottjensen_ks · Answer

While https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt does a great job of listing active tables and workspaces, I'm looking for more of a report of what devices are currently sending logs.

We have several Data Connectors and we are looking for a way to list what is reporting in for each connector.

Example:

We have "Fortinet", "Security Events via Legacy Agent", "Syslog", and "Windows Security Events via AMA"

We would like a report with:

Device Reporting(hostname)
Platform(OS)
DeviceType (OPTIONAL)
- Virtual
- Desktop
- Laptop
Type of events
- Windows System
- Windows Application
- Linux Audit
- etc

We are implementing ASIM (https://docs.microsoft.com/en-us/azure/sentinel/normalization-about-parsers), to help with the different parsers, but so far have not found an ASIM function that can output such a list.

rod_trent · Answer

ScottJensen_KS&nbsp;Have you looked at the&nbsp;Workspace Usage Report workbook?&nbsp;
&nbsp;
Down at the bottom of the Workspace Info tab, it shows the tables, the resource supplying the data, and the volume per resource...
&nbsp;

Forum Discussion

list all log sources

3 Replies

Resources