SOLVED

Logs Size and Total Data Received in Azure Sentinel

Copper Contributor

Hello,

 

I need to find a way how to check for the logs size in total that is been received from data connectors and the total number of data that is been received?

 

Regards,

Mazhar

7 Replies
best response confirmed by smhasn (Copper Contributor)
Solution

There are few ways to collect data from Azure Sentinel:

  • Visualize data using the Azure Data Explorer (including excel report)
  • Using Workbook inside Azure Sentinel to gain extensive insight 
  • Create a PowerBI report (need to create connector and few customizations)
  • With KQL you can pull out any data, example general command:

// Billable performance data over the last 30 days

Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalVolumeGB = sum(Quantity) / 1024
 

@Eli Shlomo - Thanks for the detail response. Appreciated. 

Is there a KQL query or another way to check on the Data Retention set on the tables or the whole workspace, I am trying to create an alert if there is any change in the Data Retention period.

@smhasn 

I think the settings are only available by api or ARG (which also uses KQL).  


ARG example for whole workspace


resources
| where type == "microsoft.operationalinsights/workspaces"
| project name, workspaceRetention=properties.retentionInDays
| order by toint(workspaceRetention) desc

you can also load the "Sentinel Central" workbook, its shows the Workspace and Table retention details - you can look at the api's used by the Workbook.

Clive_Watson_0-1695302156864.png



To see the changes, you can look at this, however it will tell you who, what table and IP etc...but not what the setting was changed from/to 

AzureActivity
| where OperationNameValue =~'MICROSOFT.OPERATIONALINSIGHTS/WORKSPACES/TABLES/WRITE'
| extend resource_ = tostring(parse_json(Properties).resource)



Hello Clive - I don't observe the "resources" table in Log Section of Sentinel, and also I am unable to find the workbook in the content or not in available workbook list as "Sentinel Central"

@smhasn 

 

resources is a table in in  "Azure Resource Graph" (ARG) type: "resource graph" into the search in the Azure Portal.  As of last week you can access ARG from the logs blade as well: Query Azure Resource Graph from Azure Monitor - Microsoft Community Hub 

Clive_Watson_0-1695308616843.png



You are right its not showing in the Content Hub, its still in Github, so you can get it here: raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/SentinelCentral.json

[Ctrl-C] the workbook file content (these are JSON files),

To install into Sentinel, create a New Workbook: Add-Workbook --> Edit --> then use Advanced Edit (press the </> icon) then [paste] over any json that exists.
Press Apply
Then Save it 




Thanks for the detailed help. Appreciated.

I was able to reproduce these using ARG and Sentinel Workbook. Thanks
1 best response

Accepted Solutions
best response confirmed by smhasn (Copper Contributor)
Solution

There are few ways to collect data from Azure Sentinel:

  • Visualize data using the Azure Data Explorer (including excel report)
  • Using Workbook inside Azure Sentinel to gain extensive insight 
  • Create a PowerBI report (need to create connector and few customizations)
  • With KQL you can pull out any data, example general command:

// Billable performance data over the last 30 days

Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalVolumeGB = sum(Quantity) / 1024
 

View solution in original post