In another installment of the “Watching the Watchers” series: customers periodically ask to be notified when, or at least to know when, the Log Analytics workspace data retention setting changes.
Here’s a quick KQL query to accomplish that.
union Operation                                           // Operation holds the workspace's own management/operation records
| where OperationStatus == "Succeeded"                    // only changes that actually took effect
| where OperationCategory == "Workspace Configuration"    // retention changes are logged in this category
| project TimeGenerated, Detail                           // Detail carries the text describing the change
An example of the results:
This query can be used in a Workbook, a Hunting query, or even as an Analytics Rule (to be notified when it happens).
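As an added example (not from the original post or the linked repository), the query below narrows the same Operation data to retention changes and shapes it for a scheduled Analytics Rule. Two assumptions are made here: that the Detail text of a retention change contains the word "retention", and that it carries the old and new values as two numbers in that order so they can be pulled out with a regular expression. If either assumption does not hold for your workspace, drop the `has "retention"` filter and the extraction, and the query reduces to the author's original.

```kql
// Added example, not the original post's query.
// Assumptions: Detail mentions "retention" for retention changes, and lists
// the old and new values as two numbers in that order.
Operation
| where TimeGenerated > ago(1h)                           // align with the rule's lookback period
| where OperationStatus == "Succeeded"
| where OperationCategory == "Workspace Configuration"
| where Detail has "retention"                            // assumed keyword; see lead-in
| extend Days = extract_all(@"(\d+)", Detail)             // dynamic array of numbers found in Detail
| extend OldDays = toint(Days[0]), NewDays = toint(Days[1])
| extend Direction = case(isnull(OldDays) or isnull(NewDays), "unknown",
                          NewDays < OldDays, "reduced",    // shorter retention shrinks the forensic window
                          NewDays > OldDays, "increased",
                          "unchanged")
| project TimeGenerated, Detail, OldDays, NewDays, Direction
| order by TimeGenerated desc
```

When this runs as an Analytics Rule, set the rule frequency and lookup period to match the `ago(1h)` window so no change falls between runs. A `Direction` of "reduced" is the event most worth alerting on: shortening retention silently discards log history an investigation may later need, whereas an increase mainly affects cost.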
The latest version of this query will always be located here: SentinelKQL/DataRetentionChanges.txt at master · rod-trent/SentinelKQL (github.com)
More Watching the Watchers:
- How to Be Notified When an Azure Sentinel Analytics Rule Has been Created or Modified – Azure Cloud & AI Domain Blog (azurecloudai.blog)
- How to Report When an Azure Sentinel Analytics Rule is Deleted – Azure Cloud & AI Domain Blog (azurecloudai.blog)