KQL to count current enabled, disabled analytic rules



Would like some help in an KQL query to count the number of enabled and disabled analytic rules for entry into a workbook.

Plus a simple count of connected data connectors so the number reflects the overview number and not all the enabled data types.

Many thanks,


1 Reply



1. Take a look in "Workspace Usage" - you need to call the api to list the rules. There are many examples in the "Regular Checks --> Weekly reports" section.


2.  This isn't so easy, the SentinelHealth table only lists a few Connectors (8 I think) - you really have to look at the Tables.  You can see the connectors supported here: Data Connectors - List - REST API (Azure Sentinel) | Microsoft Learn