Query Details

Sentinel Ingestion Quota

Query

# Sentinel Log Analytics Ingestion Quota Configuration

## Query Information

### Description

Use the queries below to retrieve Log Analytics ingestion quota configuration information and changes.

#### References

### Microsoft Sentinel

```kql
// Query Azure Resource Graph from Log Analytics for all workspaces
arg("").Resources
| where type == "microsoft.operationalinsights/workspaces"
| extend SKUName = tostring(parse_json(tostring(properties.sku)).name)
// Daily cap settings live under properties.workspaceCapping (dailyQuotaGb is -1 when no cap is set)
| extend dailyQuotaGb = tostring(parse_json(tostring(properties.workspaceCapping)).dailyQuotaGb)
| extend quotaNextResetTime = todatetime(tostring(parse_json(tostring(properties.workspaceCapping)).quotaNextResetTime))
| extend retentionInDays = tostring(properties.retentionInDays)
| project name, location, resourceGroup, retentionInDays, SKUName, dailyQuotaGb, quotaNextResetTime
```

Query Quota changes

```kql
// Regular expressions for the fields embedded in the Detail text
let quotaPattern = @"Daily quota changed to (\d+)";
let previousQuotaPattern = @"Previous quota (\d+)";
let changedByPattern = @"Changed by (.+)";
Operation
| where Detail startswith "Daily quota"
// Capture group 1 of each pattern holds the value of interest
| extend CurrentQuota = extract(quotaPattern, 1, Detail)
| extend PreviousQuota = extract(previousQuotaPattern, 1, Detail)
| extend ChangedBy = extract(changedByPattern, 1, Detail)
```

Explanation

The first query retrieves information about the log analytics ingestion quota configuration, including the workspace name, location, resource group, retention in days, SKU name, daily quota in GB, and the next reset time for the quota.

The second query captures any changes made to the daily quota, including the new quota value, the previous quota value, and the user who made the change.
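The following is an added example, not part of the original query set. It extends the second query to classify each change, so that reductions of the daily cap (which stop ingestion sooner and can leave a logging gap) stand out. The `SampleOperation` rows are constructed, and their `Detail` wording is an assumption inferred from the three patterns above; replace `SampleOperation` with `Operation` to run it against a workspace.

```kql
let quotaPattern = @"Daily quota changed to (\d+)";
let previousQuotaPattern = @"Previous quota (\d+)";
let changedByPattern = @"Changed by (.+)";
// Constructed sample rows standing in for the Operation table (assumed Detail wording)
let SampleOperation = datatable(TimeGenerated: datetime, Detail: string)
[
    datetime(2023-09-18 08:00:00), "Daily quota changed to 10 GB. Previous quota 50 GB. Changed by analyst@contoso.example",
    datetime(2023-09-18 09:30:00), "Daily quota changed to 100 GB. Previous quota 10 GB. Changed by admin@contoso.example",
    datetime(2023-09-18 10:15:00), "Daily quota changed to 100 GB. Previous quota 100 GB. Changed by admin@contoso.example",
    datetime(2023-09-18 11:00:00), "Daily quota changed. Changed by admin@contoso.example",
    datetime(2023-09-18 11:05:00), "Data collection resumed"
];
SampleOperation
| where Detail startswith "Daily quota"
// tolong() returns null when the pattern did not match, so unparsed rows are kept and labelled
| extend CurrentQuota = tolong(extract(quotaPattern, 1, Detail))
| extend PreviousQuota = tolong(extract(previousQuotaPattern, 1, Detail))
| extend ChangedBy = extract(changedByPattern, 1, Detail)
| extend QuotaChange = case(
    isnull(CurrentQuota) or isnull(PreviousQuota), "Unparsed",
    CurrentQuota < PreviousQuota, "Reduced",
    CurrentQuota > PreviousQuota, "Raised",
    "Unchanged")
| extend DeltaGb = CurrentQuota - PreviousQuota
| project TimeGenerated, QuotaChange, PreviousQuota, CurrentQuota, DeltaGb, ChangedBy, Detail
| sort by TimeGenerated desc
```

Appending `| where QuotaChange in ("Reduced", "Unparsed")` narrows the result to the rows that most need review.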

Details

Alex Verboon

Released: September 18, 2023

Tables

arg("").Resources

Keywords

Sentinel,LogAnalytics,Ingestion,Quota,Configuration,Microsoft,OperationalInsights,Workspaces,SKUName,DailyQuotaGb,QuotaNextResetTime,RetentionInDays,Name,Location,ResourceGroup,Operation,Detail,CurrentQuota,PreviousQuota,ChangedBy
