Forum Discussion
Logs Size and Total Data Received in Azure Sentinel
Hello,
I need to find a way to check the total size of the logs being received from the data connectors, and the total amount of data being received.
Regards,
Mazhar
There are a few ways to collect data from Azure Sentinel:
- Visualize data using Azure Data Explorer (including an Excel report)
- Use a Workbook inside Azure Sentinel to gain extensive insight
- Create a Power BI report (you need to create a connector and a few customizations)
- With KQL you can pull out any data; an example general command:
// Billable data volume over the last 30 days (Usage.Quantity is in MB, so /1024 gives GB)
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalVolumeGB = sum(Quantity) / 1024
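As an added example (not code from the thread), the same Usage query broken down per table (DataType) and Solution, which is the closest the Usage table gets to a "per data connector" view, with each table's share of the workspace total; Usage.Quantity is reported in MB, so dividing by 1024 gives GB:

```kql
// Added example: billable ingestion volume per table and solution over the
// last 30 days, plus each row's share of the total billable volume.
// Usage.Quantity is in MB; dividing by 1024.0 converts to GB.
let lookback = 30d;
let totalGB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize sum(Quantity) / 1024.0
);
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize VolumeGB = round(sum(Quantity) / 1024.0, 3) by DataType, Solution
| extend PercentOfTotal = round(100.0 * VolumeGB / totalGB, 2)
| order by VolumeGB desc
```

Running this on a schedule and comparing VolumeGB per DataType against the previous period is a simple way to spot a connector that suddenly starts (or stops) sending data.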
- smhasn (Copper Contributor)
Is there a KQL query or another way to check the Data Retention set on the tables or on the whole workspace? I am trying to create an alert if there is any change in the Data Retention period.
- Clive_Watson (Bronze Contributor)
I think the settings are only available via the API or ARG (which also uses KQL).
ARG example for the whole workspace:
resources
| where type == "microsoft.operationalinsights/workspaces"
| project name, workspaceRetention=properties.retentionInDays
| order by toint(workspaceRetention) desc
You can also load the "Sentinel Central" workbook; it shows the workspace and table retention details, and you can look at the APIs used by the workbook.
To see the changes, you can look at this; however, it will tell you who, which table, the IP, etc., but not what the setting was changed from/to:
AzureActivity
| where OperationNameValue =~ 'MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE'
| extend resource_ = tostring(parse_json(Properties).resource)
- smhasn (Copper Contributor)
Eli Shlomo - Thanks for the detailed response. Appreciated.