magosta91
Copper Contributor
Feb 22, 2024

Log Source Audit help

Hi all,

I am looking for a way to get an audit of all log sources coming into Microsoft Sentinel. I suspect that I will need to write a KQL query to do this, but I was wondering if there was an easier or simpler way of doing it. I know that data comes into Sentinel via Data Connectors, but the Data Connectors make it confusing to get a list of all log sources from that one Connector. If anyone had any tips or advice I would appreciate it.

Thanks!

  • G_Wilson3468
    Iron Contributor

    If you go to Content Hub and install the Workspace Audit and Workspace Usage Report workbooks, it should get you close to what you need.

    If this isn't what you need, I would start with this KQL and then filter to what you need.

    AzureActivity
    | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"

    Hope this helps.

    G.

    • Clive_Watson
      Bronze Contributor
      If you just want the Tables the Workbooks referenced above use this query or a variation:

      Usage
      | where TimeGenerated > ago(30d)
      | summarize count(), GBytes=round(sum(Quantity)/1000,2) by DataType, IsBillable
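
Added example, not part of either reply above: the Usage query lists tables, while the query below goes one level further and lists the individual sources writing into each table, with a last-seen time so that sources that have stopped reporting stand out. It assumes a source is identified by `_ResourceId` or, where that is empty, by the table's `Computer` column; the `lookback` and `quiet_after` values are constructed and should be tuned.

```kusto
// Added example: per-source inventory inside every table in the workspace.
// Assumption: a "log source" is the Azure resource (_ResourceId) or, for
// agent-based hosts, the Computer column where the table has one.
let lookback = 1d;      // keep this short: union * scans every table
let quiet_after = 6h;   // constructed threshold for flagging a silent source
union withsource=TableName *
| where TimeGenerated > ago(lookback)
| extend Source = iff(isnotempty(_ResourceId),
                      _ResourceId,
                      tostring(column_ifexists("Computer", "")))
| summarize Events    = count(),
            BilledGB  = round(sum(_BilledSize) / 1e9, 3),   // _BilledSize is in bytes
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by TableName, Source
| extend Silent = LastSeen < ago(quiet_after)
| order by TableName asc, Events desc
```

Rows with an empty `Source` are tables that carry neither identifier; those still need to be mapped to a connector by table name.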
