Forum Discussion

smhasn
Copper Contributor
Nov 08, 2019

Logs Size and Total Data Received in Azure Sentinel

Hello,


I need to find a way to check the total size of the logs received from the data connectors, and the total amount of data that has been received.


Regards,

Mazhar

  • There are a few ways to collect data from Azure Sentinel:

    • Visualize data using Azure Data Explorer (including an Excel report)
    • Use a Workbook inside Azure Sentinel to gain extensive insight
    • Create a Power BI report (you need to create a connector and a few customizations)
    • With KQL you can pull out any data; for example, a general command:

    // Billable performance data over the last 30 days

    Usage
    | where TimeGenerated > ago(30d)
    | where IsBillable == true
    | summarize TotalVolumeGB = sum(Quantity) / 1024
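    The query above gives one total for the workspace. As an added example that is not from the thread, the same Usage table can be broken down per data type (roughly, per connector or table) and per day, so you can see which source is driving ingestion and spot a sudden drop or spike (a connector that silently stopped sending is as much a security problem as a cost problem). It assumes only the documented Usage columns (Quantity in MB, DataType, Solution, IsBillable).

    ```kusto
    // Added example, not part of the original answer.
    // Usage.Quantity is reported in MB (check QuantityUnit), so divide by 1024 for GB.
    // Per data type / solution: billable vs. non-billable volume over the last 30 days.
    Usage
    | where TimeGenerated > ago(30d)
    | summarize
        BillableGB    = round(sumif(Quantity, IsBillable == true)  / 1024, 2),
        NonBillableGB = round(sumif(Quantity, IsBillable == false) / 1024, 2)
        by DataType, Solution
    | extend TotalGB = BillableGB + NonBillableGB
    | order by TotalGB desc

    // Daily trend per data type (run as a separate query). A table whose daily GB
    // goes to zero is a connector or agent that has stopped reporting.
    Usage
    | where TimeGenerated > ago(30d)
    | where IsBillable == true
    | summarize DailyGB = round(sum(Quantity) / 1024, 2) by bin(StartTime, 1d), DataType
    | order by StartTime asc, DailyGB desc
    | render timechart
    ```

    Pin either query in a Workbook or turn the daily one into a scheduled analytics rule with a threshold on DailyGB to get alerted when a source goes quiet.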
     
    • smhasn
      Copper Contributor
      Is there a KQL query or another way to check on the Data Retention set on the tables or the whole workspace, I am trying to create an alert if there is any change in the Data Retention period.
      • Clive_Watson
        Bronze Contributor

        smhasn 

        I think the settings are only available by API or ARG (which also uses KQL).


        ARG example for the whole workspace:


        resources
        | where type == "microsoft.operationalinsights/workspaces"
        | project name, workspaceRetention=properties.retentionInDays
        | order by toint(workspaceRetention) desc

        You can also load the "Sentinel Central" workbook; it shows the workspace and table retention details, and you can look at the APIs used by the workbook.



        To see the changes, you can look at this; however, it will tell you who, what table, IP etc., but not what the setting was changed from/to.

        AzureActivity
        | where OperationNameValue =~'MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE'
        | extend resource_ = tostring(parse_json(Properties).resource)


