KQL to count current enabled, disabled analytic rules

Brass Contributor


Would like some help in an KQL query to count the number of enabled and disabled analytic rules for entry into a workbook.

Plus a simple count of connected data connectors so the number reflects the overview number and not all the enabled data types.

Many thanks,


1 Reply



1. Take a look in "Workspace Usage" - you need to call the api to list the rules. There are many examples in the "Regular Checks --> Weekly reports" section.


2.  This isn't so easy, the SentinelHealth table only lists a few Connectors (8 I think) - you really have to look at the Tables.  You can see the connectors supported here: Data Connectors - List - REST API (Azure Sentinel) | Microsoft Learn