need to create monitoring queries to track the health status of data connectors
I'm working with Microsoft Sentinel and need to create monitoring queries to track the health status of data connectors. Specifically, I want to: Identify unhealthy or disconnected data connectors, Determine when a data connector last lost connection Get historical connection status information What I'm looking for: A KQL query that can be run in the Sentinel workspace to check connector status OR a PowerShell script/command that can retrieve this information Ideally, something that can be automated for regular monitoring Looking at the SentinelHealth table, but unsure about the exact schema,connector, etc Checking if there are specific tables that track connector status changes Using Azure Resource Graph or management APIs Ive Tried multiple approaches (KQL, PowerShell, Resource Graph) however I somehow cannot get the information I'm looking to obtain. Please assist with this, for example i see this microsoft docs page, https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health#supported-data-connectors however I would like my query to state data such as - Last ingestion of tables? How much data has been ingested by specific tables and connectors? What connectors are currently connected? The health of my connectors? Please helpSentinel Log Volume vs Defender Log Volume
Dear community, we're currently building up our first SOC service and wondering about the costs (not realy, we know that SIEM is expencive, but we don't understand the log volumes). We started with sentinel and enabled the XDR connector with all log sources (Device information, Defender for Identity etc). If we take a look into the LAW and log volumes for those tables, we've an ingest as shown in the following exibit: BUT, in comparison, we did a cost analysis with the real defender information (from Defender portal). We come to an estimated log volume from approx. 45GB (and usually billable around 25GB, because the customer has E5 licenses, which should include the AADNonInteractiveUserSignInLogs table (5MB/user/day for free) We're asking ourself why we got this differences in comparison to the last few days, shown in the exibit (attention: we started with a daily ingest cap, so the daily ingest would be around 90 - 100GB/day). Where is our mistake/lag of knowledge? Here are the KQL, sent wihtin the Defender portal to get the volumes from there AlertInfo | union AlertEvidence | summarize RecordCount = count(), AlertTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) EmailEvents | union EmailUrlInfo | union EmailAttachmentInfo | union EmailPostDeliveryEvents | union UrlClickEvents | summarize RecordCount = count(), MDOTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) IdentityLogonEvents | union IdentityQueryEvents | union IdentityDirectoryEvents | summarize RecordCount = count(), IDTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) DeviceInfo | union DeviceNetworkInfo | union DeviceProcessEvents | union DeviceNetworkEvents | union DeviceFileEvents | union DeviceRegistryEvents | union DeviceLogonEvents | union DeviceImageLoadEvents | union DeviceEvents | union DeviceFileCertificateInfo | summarize RecordCount = count(), MDETotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) CloudAppEvents | summarize RecordCount = count(), CAppsTotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) Thanks a lot! Best & have nice a nice easter :-)Cribl o Logstash vs AMA CEF: What’s the Best Choice for Ingesting Firewall Logs?
Hi everyone, what are the advantages of using Cribl or Logstash over a CEF log collector via AMA for ingesting firewall logs such as Palo Alto for example into Microsoft Sentinel? In a typical scenario, how would you configure the ingestion to optimize performance, scalability, and cost? What do you think? Let’s discuss and share experiences!
Feed data location to run against Sentinel's KQL function
Hi, We have a feed consisting of around 250,000-300,000 entries and will be imported daily. We do not intend to store this data in Sentinel as a table and would like to store it somewhere else (Cosmos, storage, etc.) from where we can grab this data and run it against one of our Sentinel's KQL functions to generate Alerts. Planning to use Logic Apps/Functions to do the above actions. But would like to know what would be the right solution here so that comparing the feed data against KQL function results would be fast and not of high cost Thank you !!
Defender advanced hunting, data-grant from Defender for Servers licensing.
Hi, when configuring Defender for Servers P2 in Defender for Cloud it states that you would be granted a 500 MB per day free ingestion to a log analytics workspace, such as in Sentinel. However, when looking into the supported data sources I do not find the advanced hunting data that would be my first go-to data source when setting up Sentinel, how come? Here is a screenshot of how data-ingestion changed once i turned on the XDR connector, am I to understand that the 500MB ingestion per device we're paying for will do nothing to cover this cost? The E5 grant of 5MB/user/day is nowhere near this amount of data. Is there a way to utilize the 500MB ingestion per device grant for the advanced hunting data?
Linux AMA log ingestion filtering specific logs
I had previously applied ingestion time data transformation for few incoming logs in syslog table when I was using MMA agent for linux. Now I am moving to AMA for Linux servers. How do I apply specific log filtering on AMA for linux logsources? such as if ip is 1.1.1.1 and it contains err logs, drop them. I know it is possible in windows DCR but how can I built same DCR for linux in AMA to filter out them.AMA agent DCR log filtering
Hi, I have previously created KQL queries for ingestion time transformation and was filtering out certain event ids and few other logs (e.g. | where not(EventID == 4799 and CallerProcessName contains "C:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe") ) . Now I have almost 80+ filtering KQL queries which I have applied on securityEvent table to filter out specific logs. I have shifted my servers from MMA agent to AMA agent and AMA agent has its down DCR and my existing ingestion time transformation won't work now. I need to create xpath queries in new DCR. Is there anyway I can convert all of the existing ingestion time transformation applied KQLs (example already mentioned above)? OR Do I need to create separate DCRs for AMA to filterout specific events which are 80+?SAP Data Connector - Sentinel
Hi Community, we are using SAP Data connector for Sentinel for one Month. According to Microsoft the connector charges for production environments 2 $ per hour after 1. May. Our SAP Environment is a Demo and it can be also viewed at the T000 Table. We have seen that the connector has started to charge us for three days (it is also not understandable because it is supposed to charge us from the beginning of the month, if the environment type has been read as Production and we have not changed anything in the infrastructure). It is also displayed in the Connector page as Demo. As a result i had to stop Agent and it stopped to charge. I couldnot find the reason, is there anybody who uses the this connector with demo SAP env. I appreciate your answers. Thank you in advance.How to use Defender for Cloud App with cost optimization for both environment ( Dev and Prod )
Hi All, I have two subscriptions 1. Development and 2. Production. In the Dev subscription, I have a lot of resources like about 20 storage accounts and 12 app service plans and 4 Azure SQL and etc. As you know, Defender for Cloud is subscription level, therefor If I enable it on a Dev subscription the cost should be more expensive. But in the Prod environment, I will enable Defender for Prod's resources. Now, I want to know how can I use Defender for Dev's resources with minimum cost or what's the best solution or best practice for this issue. My idea is to use Prod security recommendations for the same resources in the Dev environment. Is there another idea?
