Azure Resource Graph Query - Retrieve details of all accessible Sentinel-enabled Operational Insights Workspaces
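// Lists every Log Analytics workspace returned by Azure Resource Graph for the caller and
// reports whether Microsoft Sentinel is enabled on it.
// Sentinel is detected by looking for a 'SecurityInsights' solution in
// 'Microsoft.OperationsManagement/solutions' that points at the workspace.
// The join uses the full, lower-cased resource ID of the workspace so that casing
// differences between the two resource types do not break the match.
//
// Scope caveat: Resource Graph only returns resources the caller can read in the
// subscriptions the query runs against. A workspace missing from the output means
// "not visible from here", not "does not exist".
// NOTE(review): detection depends on the solution resource being present; a workspace
// onboarded to Sentinel without one would be reported as "Disabled" - verify for your tenant.
//
// To return only Sentinel-enabled workspaces, append: | where sentinelStatus == "Enabled"
resources
| where type == "microsoft.operationalinsights/workspaces"
| extend workspaceId = tostring(properties.customerId), workspaceName = name, workspaceResourceId = tolower(id)
| join kind=leftouter (
    resources
    | where type == "microsoft.operationsmanagement/solutions"
    | where name startswith "SecurityInsights"
    | extend linkedWorkspaceId = tolower(tostring(properties.workspaceResourceId))
    | project linkedWorkspaceId, sentinelStatus = "Enabled"
) on $left.workspaceResourceId == $right.linkedWorkspaceId
// Unmatched rows from the left outer join carry an empty string here, not null:
// isnull() is always false for string columns, so isempty() is the test that works.
// The result is written back into sentinelStatus because that is the column projected below.
| extend sentinelStatus = iff(isempty(sentinelStatus), "Disabled", sentinelStatus)
| project workspaceId, workspaceName, subscriptionId, resourceGroup, location, tenantId, sentinelStatus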