Log Source Audit help

Hi all,

I am looking for a way to get an audit of all log sources coming into Microsoft Sentinel. I suspect that I will need to write a KQL query to do this, but I was wondering if there was an easier or simpler way of doing it. I know that data comes into Sentinel via Data Connectors, but the Data Connectors make it confusing to get a list of all log sources from that one Connector. If anyone had any tips or advice I would appreciate it.

Thanks!

2 Replies

If you go to Content Hub and install the Workspace Audit and Workspace Usage Report workbooks, it should get you close to what you need.

If this isn't what you need, I would start with this KQL and then filter to what you need.

AzureActivity
| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"

Hope this helps.

G.

@magosta91

If you just want the Tables the Workbooks referenced above use this query or a variation:

Usage
| where TimeGenerated > ago(30d)
| summarize count(), GBytes=round(sum(Quantity)/1000,2) by DataType, IsBillable
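
Added example, not part of the thread and not written by either poster: the Usage query above lists tables, so this KQL query goes one level further and breaks a few tables down by the host or product sending into them. The three tables, the 7-day lookback and the 24-hour silence threshold are assumptions; swap in the tables your connectors actually populate.

```kql
// Added example: per-source inventory inside selected tables.
// Assumed values (not from the thread): table selection, lookback, quiet threshold.
let lookback = 7d;
let quiet = 24h;   // a source with no events for this long is flagged as Silent
// isfuzzy=true lets the query run even if one of the tables does not exist in the workspace
union isfuzzy=true
    (Syslog
        | where TimeGenerated > ago(lookback)
        | extend Source = Computer),
    (SecurityEvent
        | where TimeGenerated > ago(lookback)
        | extend Source = Computer),
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        // CEF data: identify the sending product as well as the forwarder that relayed it
        | extend Source = strcat(DeviceVendor, "/", DeviceProduct, " via ", Computer))
// Type is the built-in column holding the table name of each record
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Type, Source
| extend Silent = LastSeen < ago(quiet)
| order by Type asc, LastSeen asc
```

Sources that stopped reporting sort to the top of each table, which makes gaps in collection easy to spot during the audit.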