Microsoft Tech Community

list all log sources

Copper Contributor

So I'm just getting started with Microsoft Sentinel, and am looking for a way to produce a single report "listing all log sources".

 

I'm looking for something like:

TableName, SourceType, ComputerName

 

I have tried

CommonSecurityLog
| summarize by DeviceVendor, Computer

From Link, but I only get the first DeviceVendor (Fortinet in my case) and don't get all the other types.


3 Replies
If you don't have the other types in the CommonSecurityLog, they won't show up.

Try something like the following...
https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt

This will show the workspace, tablename, and the solution that generated the table.

While https://github.com/rod-trent/SentinelKQL/blob/master/WorkspacesAndTables.txt does a great job of listing active tables and workspaces, I'm looking for more of a report of what devices are currently sending logs.

 

We have several Data Connectors and we are looking for a way to list what is reporting in for each connector.

 

Example:

We have "Fortinet", "Security Events via Legacy Agent", "Syslog", and "Windows Security Events via AMA"

We would like a report with:

  • Device Reporting(hostname)
  • Platform(OS)
  • DeviceType (OPTIONAL)
    • Virtual
    • Desktop
    • Laptop
  • Type of events
    • Windows System
    • Windows Application
    • Linux Audit
    • etc

 

We are implementing ASIM (https://docs.microsoft.com/en-us/azure/sentinel/normalization-about-parsers), to help with the different parsers, but so far have not found an ASIM function that can output such a list.
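Pulling the two asks in this thread together (the CommonSecurityLog query in the first post, which only sees vendors that write to that one table, and the per-connector hostname / OS / event-type report asked for here), the following KQL is an added example, not code from the thread, from the linked GitHub repo or from Microsoft's docs. It assumes a standard Sentinel workspace with the CommonSecurityLog, Syslog, SecurityEvent, Event and Heartbeat tables; the 24h lookback, the choice of exactly those four event tables and the column aliases are my own assumptions and can be changed to match the connectors actually deployed.

```kql
// Added example (not from the thread). One row per table / source type / host
// seen in the last 24 hours, joined to the agent Heartbeat for OS details.
// Assumptions: standard Sentinel tables (CommonSecurityLog, Syslog,
// SecurityEvent, Event, Heartbeat). isfuzzy=true keeps the query running
// when one of those tables does not exist in the workspace yet.
let lookback = 24h;
let sources = union isfuzzy=true
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        // for CEF/Syslog appliances, Computer is the log forwarder;
        // DeviceVendor (and DeviceProduct) identify the appliance itself
        | project TimeGenerated, TableName = "CommonSecurityLog",
                  SourceType = DeviceVendor, Computer),
    (Syslog
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, TableName = "Syslog",
                  SourceType = Facility, Computer),
    (SecurityEvent
        | where TimeGenerated > ago(lookback)
        | project TimeGenerated, TableName = "SecurityEvent",
                  SourceType = Channel, Computer),
    (Event
        | where TimeGenerated > ago(lookback)
        // EventLog is "System", "Application", etc. for Windows event logs
        | project TimeGenerated, TableName = "Event",
                  SourceType = EventLog, Computer);
// Latest heartbeat per host: OS, Azure vs non-Azure, and which agent sent it
let hosts = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, OSType, OSName, ComputerEnvironment, Category) by Computer
    | project Computer, OSType, OSName, ComputerEnvironment, AgentType = Category;
sources
| summarize EventCount = count(), LastSeen = max(TimeGenerated)
    by TableName, SourceType, Computer
// leftouter keeps sources that have no agent heartbeat (appliances, forwarders)
| join kind=leftouter hosts on Computer
| project Computer, OSType, OSName, ComputerEnvironment, AgentType,
          TableName, SourceType, EventCount, LastSeen
| order by Computer asc, TableName asc, SourceType asc
```

Rows with empty OSType/OSName are hosts that never send a Heartbeat, which is expected for a Fortinet or other appliance behind a CEF forwarder: there the Computer column is the forwarder, and DeviceVendor/DeviceProduct are what identify the appliance. Heartbeat can tell you the OS and whether the machine is Azure or non-Azure (ComputerEnvironment), but not whether it is a virtual machine, desktop or laptop, so the optional DeviceType column in the wish list above has to come from an inventory source outside these tables. The LastSeen column is also the quickest way to spot a connector that has silently stopped sending.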

@ScottJensen_KS Have you looked at the Workspace Usage Report workbook? 

 

Down at the bottom of the Workspace Info tab, it shows the tables, the resource supplying the data, and the volume per resource...

 

[Attachment: resources.png]