Query Details
Trial Expiration
Query
//This query reports on the end date and how many days left for the Sentinel 31-day trail. Modify "TrialTest" with your Log Analytics Workspace name. //One use case: You can use this in a Playbook to receive an email reminder every day of how many trial days are left. let workspace = "TrialTest"; let Trial = 31d; AzureActivity | where TimeGenerated >= ago(90d) | where OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE" | where ActivitySubstatusValue == "Created" | where Authorization contains workspace | extend End_Date = TimeGenerated + Trial | extend Date_Created = TimeGenerated | extend Created_By = Caller | project workspace, Date_Created, End_Date, Days_Left = End_Date - Date_Created, Created_By
Explanation
This query retrieves the end date and the number of days left for the Sentinel 31-day trial. It can be used in a Playbook to send a daily email reminder of how many trial days are remaining. The query filters AzureActivity logs for deployments created within the last 90 days and matches the specified operation and activity substatus. It also filters for logs that contain the specified Log Analytics Workspace name. The query then calculates the end date by adding the trial duration to the time the log was generated. It also includes the date the log was created, the user who created the deployment, and the number of days left in the trial.
Details
Rod Trent
Released: February 3, 2022
Tables
AzureActivity
Keywords
Devices,Intune,User
Operators
whereletAzureActivityagowherewherewherewhereextendextendextendproject