Aug 15 2022 02:27 PM
So I'm just getting started with Microsoft Sentinel, and am looking for a way to produce a single report "listing all log sources".
I'm looking for something like:
TableName, SourceType, ComputerName
I have tried
CommonSecurityLog
| summarize by DeviceVendor, Computer
From Link, but I only get the first DeviceVendor (Fortinet in my case) and don't get all the other types.
Aug 15 2022 03:02 PM
Aug 18 2022 02:10 PM
While https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt does a great job of listing active tables and workspaces, I'm looking for more of a report of what devices are currently sending logs.
We have several Data Connectors and we are looking for a way to list what is reporting in for each connector.
Example:
We have "Fortinet", "Security Events via Legacy Agent", "Syslog", and "Windows Security Events via AMA"
We would like a report with:
We are implementing ASIM (https://docs.microsoft.com/en-us/azure/sentinel/normalization-about-parsers), to help with the different parsers, but so far have not found an ASIM function that can output such a list.
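One way to build the per-connector inventory asked for above, as an added KQL example that is not part of the thread and not one of Microsoft's ASIM functions. It unions the tables behind the connectors listed (CEF/Fortinet into CommonSecurityLog, Syslog into Syslog, both Security Events connectors into SecurityEvent), labels each row with its table name and a source type, and counts events per host. Two assumptions, both labelled in the code: a seven-day window counts as "currently sending", and the Heartbeat table's Category column ("Direct Agent" for the legacy MMA agent, "Azure Monitor Agent" for AMA) is used to tell the two Security Events connectors apart, which only works for hosts whose agent actually sends heartbeats to this workspace.

```kql
// Added example, not from the thread or from ASIM. Lists every host reporting
// into the tables behind the connectors named above.
// Assumption: anything seen in the last 7 days is "currently sending".
let lookback = 7d;
// Assumption: Heartbeat is populated by both the legacy agent and AMA, so its
// Category column ("Direct Agent" vs "Azure Monitor Agent") identifies the agent
// and therefore which Security Events connector a Windows host belongs to.
let agents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, Category, OSType) by Computer
    | project Computer, AgentType = Category, OSType;
// withsource= adds a TableName column; isfuzzy=true lets the query run (with a
// warning) if one of the tables does not exist yet in the workspace.
union withsource=TableName isfuzzy=true CommonSecurityLog, Syslog, SecurityEvent
| where TimeGenerated > ago(lookback)
// Columns from the other tables are null on a given row, so pick the source
// descriptor per table explicitly.
| extend SourceType = case(
    TableName == "CommonSecurityLog", strcat(DeviceVendor, " / ", DeviceProduct),
    TableName == "Syslog",            strcat("Syslog facility ", Facility),
    "Windows Security Events")
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Events    = count()
          by TableName, SourceType, ComputerName = Computer
// leftouter keeps hosts that have no heartbeat (e.g. CEF appliances).
| join kind=leftouter agents on $left.ComputerName == $right.Computer
| project TableName, SourceType, ComputerName, AgentType, OSType, FirstSeen, LastSeen, Events
| order by TableName asc, SourceType asc, ComputerName asc
```

Run it from the Sentinel Logs blade against the workspace. A host that appears in SecurityEvent with an empty AgentType is sending events but not heartbeats, which is worth a second look in itself; a row whose LastSeen is well inside the window but far from now is a source that has gone quiet.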
Aug 18 2022 02:21 PM
@ScottJensen_KS Have you looked at the Workspace Usage Report workbook?
Down at the bottom of the Workspace Info tab, it shows the tables, the resource supplying the data, and the volume per resource...