KQL Query to verify diagnostic logs

Question

Hello Folks

If i set a diagnostic setting for example of a storage account , how can i verify the log is coming to sentinel in last few min or hrs .
Usually we use Azure diagnostic and Azure activity then pipe to build a single query but i need a multipurpose one.

I need to verify all type of resources log are coming to Sentinel , without changing much in query . Like altering the name of resource before running query.
Need a query in way that i can edit the name of resource and can able to verify another type of resources as well.

Answer 1

Hello @Mohammed Altamash Khan
Here are some Kusto Queries to help you analyzing Azure Diagnostic logs:

1. Find what type of resources (and how many) are sending Diagnostic Logs to your Log Analytics Workspace: AzureDiagnostics
   | summarize Resources = dcount(ResourceId) by ResourceType
   | order by Resources desc
2. Find the ResourceID of all Resources sending Azure Diagnostics for a specified Resource Type: AzureDiagnostics
   | where ResourceType == "a type resulted from the previous query"
   | distinct ResourceId
3. Return all Azure Diagnostics records sent by a specified Resource (using a Resource Id from the previous query): AzureDiagnostics
   | where ResourceId == "a resource id returned from the previous query"

Note: I recommend you use the ResourceId property to filter for a specific resource (rather than the Resource (Name), as you might have multiple resources with the same name, but the ResourceId is unique)

I hope that the above helps and that this is what you were looking for.

BR,
George

Answer 2

Hi again,
You can add the following to your query:

| summarize max(TimeGenerated) by Resource

or by ResourceId or ResourceType to see the timestamp of the newest ingested record for your grouping category.

BR,
George