cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL to count current enabled, disabled analytic rules

tipper1510
Brass Contributor

‎Mar 13 2023 09:55 AM

‎Mar 13 2023 09:55 AM

KQL to count current enabled, disabled analytic rules

Hi,

Would like some help in an KQL query to count the number of enabled and disabled analytic rules for entry into a workbook.

Plus a simple count of connected data connectors so the number reflects the overview number and not all the enabled data types.

Many thanks,

Tim

Labels:
2,014 Views
0 Likes
1 Reply
Reply
1 Reply
Clive_Watson

‎Mar 13 2023 03:54 PM

‎Mar 13 2023 03:54 PM

Re: KQL to count current enabled, disabled analytic rules

@tipper1510 

 

1. Take a look in "Workspace Usage" - you need to call the api to list the rules. There are many examples in the "Regular Checks --> Weekly reports" section.

Clive_Watson_0-1678747694211.png

2.  This isn't so easy, the SentinelHealth table only lists a few Connectors (8 I think) - you really have to look at the Tables.  You can see the connectors supported here: Data Connectors - List - REST API (Azure Sentinel) | Microsoft Learn

0 Likes
Reply