Forum Discussion

smhasn's avatar
smhasn
Copper Contributor
Nov 08, 2019
Solved

Logs Size and Total Data Received in Azure Sentinel

Hello,   I need to find a way how to check for the logs size in total that is been received from data connectors and the total number of data that is been received?   Regards, Mazhar
  • Eli Shlomo's avatar
    Eli Shlomo
    Nov 08, 2019

    There are few ways to collect data from Azure Sentinel:

    • Visualize data using the Azure Data Explorer (including excel report)
    • Using Workbook inside Azure Sentinel to gain extensive insight 
    • Create a PowerBI report (need to create connector and few customizations)
    • With KQL you can pull out any data, example general command:

    // Billable performance data over the last 30 days

    Usage
    | where TimeGenerated > ago(30d)
    | where IsBillable == true
    | summarize TotalVolumeGB = sum(Quantity) / 1024
     
Eli Shlomo's avatar
Eli Shlomo
MVP
Nov 08, 2019

There are few ways to collect data from Azure Sentinel:

  • Visualize data using the Azure Data Explorer (including excel report)
  • Using Workbook inside Azure Sentinel to gain extensive insight 
  • Create a PowerBI report (need to create connector and few customizations)
  • With KQL you can pull out any data, example general command:

// Billable performance data over the last 30 days

Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalVolumeGB = sum(Quantity) / 1024
 
  • User9864's avatar
    User9864
    Copper Contributor
    Feb 24, 2025

    Hello,
    By the documentation isn't TotalVolumeGB = sum(Quantity )/ 1000
     ?https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/usage
    https://learn.microsoft.com/en-us/azure/azure-monitor/logs/analyze-usage#querying-data-volumes-from-the-usage-table

  • smhasn's avatar
    smhasn
    Copper Contributor
    Sep 21, 2023
    Is there a KQL query or another way to check on the Data Retention set on the tables or the whole workspace, I am trying to create an alert if there is any change in the Data Retention period.
    • Clive_Watson's avatar
      Clive_Watson
      Bronze Contributor
      Sep 21, 2023

      smhasn 

      I think the settings are only available by api or ARG (which also uses KQL).  


      ARG example for whole workspace


      resources
      | where type == "microsoft.operationalinsights/workspaces"
      | project name, workspaceRetention=properties.retentionInDays
      | order by toint(workspaceRetention) desc

      you can also load the "Sentinel Central" workbook, its shows the Workspace and Table retention details - you can look at the api's used by the Workbook.



      To see the changes, you can look at this, however it will tell you who, what table and IP etc...but not what the setting was changed from/to 

      AzureActivity
      | where OperationNameValue =~'MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE'
      | extend resource_ = tostring(parse_json(Properties).resource)



      • smhasn's avatar
        smhasn
        Copper Contributor
        Sep 21, 2023
        Hello Clive - I don't observe the "resources" table in Log Section of Sentinel, and also I am unable to find the workbook in the content or not in available workbook list as "Sentinel Central"
  • smhasn's avatar
    smhasn
    Copper Contributor
    Nov 08, 2019

    Eli Shlomo - Thanks for the detail response. Appreciated. 

Resources