BadTables.yaml

Descriptor:
  Name: BadTable
  DisplayName: Sentinel Tables Not Ingesting Data
  Description: Check all Tables to see which ones have not ingested data in 3 days or more

SkillGroups:
  - Format: KQL
    Skills:
      - Name: BadTable
        DisplayName: Sentinel Tables Not Ingesting Data
        Description: Check all Tables to see which ones have not ingested data in 3 days or more
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
           union withsource=BadTable * | where TimeGenerated > ago(3d) | summarize Entries = count(), last_log = datetime_diff("second",now(), max(TimeGenerated)), estimate  = sumif(_BilledSize, _IsBillable==true)  by BadTable | where last_log >= 259200 | project BadTable