KQL query to see log usage

Copper Contributor

We have onboarded various log sources through Logstash from on-premises into Sentinel.

However we are wondering if there is a possibility to get insights into which logs we are using, and which logs we aren't.

This could either be achieved if there was a field like "logs queried" or if you could automatically go through rule logic to map it to the existing tables and see if parts are not utilized in any query.

Thank you in advance!

1 Reply

You can export queries run against a Log Analytics workspace back into Sentinel (or a different workspace). On your Sentinel workspace, go to Diagnostic Settings -> Add a diagnostic setting -> Send to Log Analytics workspace. They then appear under the LAQuery table. The problem you have is that the QueryText field that returns is just a straight copy of the query that was run, and your staff may construct their queries in a lot of different ways. If you extract everything before | from that QueryText field to a new column it may give you some direction, but I think that data will need a heap of sanitizing to make it valuable.

Edit - a quick way would be to query based on the table name. You will get additional results if a query uses multiple tables. Also, if you haven't yet turned on the diagnostic setting, the data will only fill in once you do.

// Count how many recorded queries mention each table of interest.
// Substring matching: a query that touches several tables is counted once per table.
LAQueryLogs
| project QueryText
| summarize
    SecurityAlerts = countif(QueryText contains "SecurityAlert"),
    SysLogs        = countif(QueryText contains "SysLog_CL"),
    DuoLogs        = countif(QueryText contains "DuoLogs_CL"),
    SigninLogs     = countif(QueryText contains "SigninLogs")
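Added example, not from the original reply: instead of hard-coding table names, this query lists every table that ingested billable data in the last 30 days and counts how many recorded queries reference it, so tables with volume but zero queries surface at the top. It assumes the Diagnostic Setting described above is already populating LAQueryLogs in this workspace, and it treats any identifier token in QueryText that matches a table name as a reference to that table (a coarse but workable approximation of the "logs queried" field the question asks for).

```kql
// Added example: find tables that hold data but are never referenced by a query.
// Assumes LAQueryLogs is already being collected into this workspace.
let lookback = 30d;
// Tables that actually received data, with the volume ingested (MB)
let tablesWithData =
    Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize IngestedMB = sum(Quantity) by TableName = DataType;
// Every identifier-like token that appears in recorded query text.
// Tokens that are not table names are dropped by the join below.
let queriedTables =
    LAQueryLogs
    | where TimeGenerated > ago(lookback)
    | extend Tokens = extract_all(@"\b([A-Za-z][A-Za-z0-9_]*)\b", QueryText)
    | mv-expand Token = Tokens to typeof(string)
    | summarize QueryCount = count() by TableName = Token;
// Keep all tables with data; tables never queried get a null QueryCount
tablesWithData
| join kind=leftouter queriedTables on TableName
| extend QueryCount = coalesce(QueryCount, 0)
| project TableName, IngestedMB, QueryCount
| order by QueryCount asc, IngestedMB desc
```

Rows with QueryCount of 0 and a high IngestedMB are the candidates the question is looking for: data you pay to ingest but never read. Analytics rules and workbooks also run through LAQueryLogs, so a table referenced only by a scheduled rule will still show a non-zero count.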