Feb 22 2024 06:55 AM
Hi all,
I am looking for a way to get an audit of all log sources coming into Microsoft Sentinel. I suspect that I will need to write a KQL query to do this, but I was wondering if there was an easier or simpler way of doing it. I know that data comes into Sentinel via Data Connectors, but the Data Connectors make it confusing to get a list of all log sources from that one Connector. If anyone had any tips or advice I would appreciate it.
Thanks!
Feb 23 2024 05:46 AM
If you go to Content Hub and install the Workspace Audit and Workspace Usage Report workbooks, it should get you close to what you need.
If this isn't what you need, I would start with this KQL and then filter to what you need.
AzureActivity
| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"
Hope this helps.
G.
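An added example, not part of either post above: two KQL queries that inventory what is arriving in the workspace, first per table from the built-in Usage table, then per sending source inside two shared tables. The lookback windows and the choice of Syslog and CommonSecurityLog are assumptions; swap in the tables your connectors write to.

```kql
// Query 1: every table that received data in the last 30 days,
// with ingested volume (Usage.Quantity is in MB) and last ingestion time.
Usage
| where TimeGenerated > ago(30d)
| summarize IngestedMB = sum(Quantity), LastSeen = max(TimeGenerated)
    by DataType, Solution, IsBillable
| extend DaysSinceLastSeen = datetime_diff("day", now(), LastSeen)
| order by IngestedMB desc

// Query 2: per-source breakdown inside tables that many devices share.
// isfuzzy=true lets the query run even if one of the tables does not exist.
union isfuzzy=true
    (
        Syslog
        | where TimeGenerated > ago(7d)
        | summarize Events = count(), LastSeen = max(TimeGenerated) by Computer
        | project Table = "Syslog", Source = Computer, Events, LastSeen
    ),
    (
        CommonSecurityLog
        | where TimeGenerated > ago(7d)
        | summarize Events = count(), LastSeen = max(TimeGenerated)
            by DeviceVendor, DeviceProduct
        | project Table = "CommonSecurityLog",
                  Source = strcat(DeviceVendor, " / ", DeviceProduct),
                  Events, LastSeen
    )
| order by Table asc, Events desc
```

Run each query separately in the Logs blade. A source with an old LastSeen value in either result is one that has stopped sending.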
Feb 23 2024 08:03 AM