Forum Discussion
smhasn
Nov 08, 2019 Copper Contributor
Logs Size and Total Data Received in Azure Sentinel
Hello, I need to find a way to check the total size of the logs that have been received from the data connectors, and the total amount of data that has been received. Regards, Mazhar
Eli Shlomo
Nov 08, 2019 MVP
There are a few ways to collect this data from Azure Sentinel:
- Visualize the data using Azure Data Explorer (including an Excel report)
- Use a Workbook inside Azure Sentinel to gain extensive insight
- Create a Power BI report (you need to create a connector and a few customizations)
- With KQL you can pull out any data; an example general command:
// Billable performance data over the last 30 days
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalVolumeGB = sum(Quantity) / 1024
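As an added example (not part of Eli's reply), the same Usage query broken down by table (DataType) and solution, with each table's share of the billable total. This answers the per-connector half of the question: it shows which tables drive the ingested volume rather than only the grand total. The `window` and `total` names are my own; the Usage columns used (DataType, Solution, Quantity, IsBillable) are the table's standard schema, where Quantity is measured in MB.

```kusto
// Added example: billable ingestion per table and solution over the last 30 days,
// with each table's percentage of the total billable volume.
let window = 30d;
// Grand total in GB, computed once so the percentage column can reference it.
let total = toscalar(
    Usage
    | where TimeGenerated > ago(window)
    | where IsBillable == true
    | summarize sum(Quantity) / 1024);
Usage
| where TimeGenerated > ago(window)
| where IsBillable == true
| summarize VolumeGB = round(sum(Quantity) / 1024, 2) by DataType, Solution
| extend PercentOfTotal = round(100.0 * VolumeGB / total, 1)
| order by VolumeGB desc
```

Swap `summarize ... by DataType, Solution` for `summarize ... by bin(TimeGenerated, 1d), DataType` to get a daily trend per table instead of a 30-day roll-up.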
smhasn
Sep 21, 2023 Copper Contributor
Is there a KQL query or another way to check the Data Retention set on the tables or on the whole workspace? I am trying to create an alert if there is any change in the Data Retention period.
Clive_Watson
Sep 21, 2023 Bronze Contributor
I think the settings are only available via the API or ARG (which also uses KQL).
ARG example for the whole workspace:
resources
| where type == "microsoft.operationalinsights/workspaces"
| project name, workspaceRetention=properties.retentionInDays
| order by toint(workspaceRetention) desc
You can also load the "Sentinel Central" workbook; it shows the Workspace and Table retention details, and you can look at the APIs used by the Workbook.
To see the changes, you can look at this; however, it will tell you who, which table, the IP, etc., but not what the setting was changed from/to:
AzureActivity
| where OperationNameValue =~'MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE'
| extend resource_ = tostring(parse_json(Properties).resource)
smhasn
Sep 21, 2023 Copper Contributor
Hello Clive, I don't see the "resources" table in the Logs section of Sentinel, and I am also unable to find the "Sentinel Central" workbook in the content or in the available workbook list.
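As an added example (not Clive's query), the AzureActivity search turned into an alert-ready result set for a scheduled analytics rule. It covers table-level writes as in the thread and, as my own assumption, workspace-level writes (the `MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/WRITE` operation also fires for other workspace property changes, so expect some noise there). The `Props`, `Scope` and `Resource` names are mine; Caller, CallerIpAddress, ActivityStatusValue, SubscriptionId and ResourceGroup are standard AzureActivity columns. As Clive notes, the activity log does not carry the old and new retention values, so treat a hit as "retention may have changed" and re-read the current value with the ARG query above.

```kusto
// Added example: successful retention-relevant writes in the last hour, one row per
// actor and resource, suitable as the query of a scheduled analytics rule.
AzureActivity
| where TimeGenerated > ago(1h)
| where OperationNameValue in~ (
    "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE",   // table-level change (from the thread)
    "MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/WRITE")          // workspace-level change (assumption)
// Older and newer AzureActivity schema versions use different status strings.
| where ActivityStatusValue in~ ("Success", "Succeeded")
| extend Props = parse_json(Properties)
| extend Resource = tostring(Props.resource),
         Scope = iff(OperationNameValue has "/TABLES/", "table", "workspace")
| summarize Changes = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, CallerIpAddress, SubscriptionId, ResourceGroup, Scope, Resource
| order by LastSeen desc
```

Run it on a one-hour schedule with a one-hour lookback and map Caller, CallerIpAddress and Resource to entities so the incident shows who touched which table.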
Clive_Watson
Sep 21, 2023 Bronze Contributor
resources is a table in "Azure Resource Graph" (ARG): type "resource graph" into the search in the Azure Portal. As of last week you can also access ARG from the Logs blade: Query Azure Resource Graph from Azure Monitor - Microsoft Community Hub
You are right, it's not showing in the Content Hub; it's still on GitHub, so you can get it here: raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/SentinelCentral.json
[Ctrl-C] the workbook file content (these are JSON files).
To install it into Sentinel, create a New Workbook: Add Workbook --> Edit --> then use Advanced Edit (press the </> icon), then [paste] over any JSON that exists.
Press Apply.
Then Save it.