Forum Discussion
list all log sources
Try something like the following...
https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt
This will show the workspace, tablename, and the solution that generated the table.
While https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt does a great job of listing active tables and workspaces, I'm looking for more of a report of what devices are currently sending logs.
We have several Data Connectors and we are looking for a way to list what is reporting in for each connector.
Example:
We have "Fortinet", "Security Events via Legacy Agent", "Syslog", and "Windows Security Events via AMA"
We would like a report with:
- Device Reporting (hostname)
- Platform (OS)
- DeviceType (OPTIONAL)
  - Virtual
  - Desktop
  - Laptop
- Type of events
  - Windows System
  - Windows Application
  - Linux Audit
  - etc

We are implementing ASIM (https://docs.microsoft.com/en-us/azure/sentinel/normalization-about-parsers), to help with the different parsers, but so far have not found an ASIM function that can output such a list.
- Rod_Trent (Microsoft), Aug 18, 2022: ScottJensen_KS Have you looked at the Workspace Usage Report workbook? Down at the bottom of the Workspace Info tab, it shows the tables, the resource supplying the data, and the volume per resource...
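
The per-device report requested in this thread, as an added KQL example; it is not part of any post above and is not the workbook's own query. It assumes the four connectors named in the question write to the standard `SecurityEvent`, `Syslog` and `CommonSecurityLog` tables, that Windows System/Application logs land in `Event`, and that agents report to `Heartbeat`; the one-day lookback is an arbitrary choice.

```kql
// Added example: which hosts reported in, through which table, and how recently.
let lookback = 1d;   // assumption: adjust to your reporting window
// Agent inventory: OS and agent kind per host. Only agent-based sources
// send Heartbeat, so network appliances get no match in the join below.
let agents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, OSType, OSName, Category) by Computer
    | project Computer, OSType, OSName, Agent = Category;
union
    // Security Events via Legacy Agent and Windows Security Events via AMA
    // both write to SecurityEvent; the Agent column separates them.
    (SecurityEvent
        | where TimeGenerated > ago(lookback)
        | summarize Events = count(), LastSeen = max(TimeGenerated) by Device = Computer
        | extend EventType = "Windows Security"),
    // Windows System / Application logs, one row per log name.
    (Event
        | where TimeGenerated > ago(lookback)
        | summarize Events = count(), LastSeen = max(TimeGenerated)
            by Device = Computer, EventType = strcat("Windows ", EventLog)),
    // Syslog connector, one row per facility (auth, daemon, ...).
    (Syslog
        | where TimeGenerated > ago(lookback)
        | summarize Events = count(), LastSeen = max(TimeGenerated)
            by Device = Computer, EventType = strcat("Syslog ", Facility)),
    // Fortinet arrives as CEF. Computer here is typically the log forwarder,
    // not the firewall itself; group by DeviceName or DeviceExternalID
    // instead if your appliances populate those fields.
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback) and DeviceVendor == "Fortinet"
        | summarize Events = count(), LastSeen = max(TimeGenerated)
            by Device = Computer, EventType = strcat("CEF ", DeviceProduct))
| join kind=leftouter agents on $left.Device == $right.Computer
| project Device, OSType, OSName, Agent, EventType, Events, LastSeen
| order by Device asc, EventType asc
```

Comparing `LastSeen` against the lookback window is also a quick way to spot a source that has gone quiet. The optional DeviceType field (virtual, desktop, laptop) is not derived here.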