Incorrect data in the Usage table

Sándor Tőkési 181 Reputation points
2024-08-13T09:11:05.1833333+00:00

Hi folks

A few days ago I noticed an odd behavior in multiple environments. In these Sentinel instances we don't have any logs in the AzureDiagnostics table. But when I query the Usage table, it shows some data for the AzureDiagnostics DataType. So, while the table itself is empty, the Usage table indicates some data is stored in it.

We are talking about a really low amount of data, sub-megabyte.

I've seen this behavior start to appear a week ago (around the 6th of Aug) in most of the environments, but in some other ones I can see the same thing even on the 2nd of Aug (that was the earliest I found).

No changes were made in these environments recently.

Is this a bug somewhere in Sentinel, or were some changes made by Microsoft in the background that create un-queryable data in the AzureDiagnostics table? This behavior messes with some of my queries and rules, so I would like to understand why it started to happen recently.

Microsoft Sentinel

1 answer

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.