Forum Discussion
KQL Queries in Sentinel & Defender? Different UIs...?
I am not sure I can bridge the gap between the two, and I understand that more conformity would make it easier to use. I can explain why the difference is there:
Kusto (the K in KQL) is a Microsoft-developed database technology targeted at big data analytics. It is widely used by Microsoft products and is also available to you directly as Azure Data Explorer. Each system using Kusto can expose it to a different level and add additional functionality. Both MDATP and Sentinel (in practice, Log Analytics) expose a lot, making them look similar, but there are differences, and not just in the UI. Some Kusto capabilities might be available in one and not the other, or in neither.
On the practical side, we would love to hear about those discrepancies, as well as your preferred solution, and we will add the features you liked better to the relevant roadmap.
~ Ofer
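To make the "differences, and not just in the UI" point concrete, here is an added example (not part of Ofer's post or of any Microsoft documentation) of the same hunt written twice: once against the Sentinel / Log Analytics schema and once against the Defender Advanced Hunting schema. The language is identical KQL in both cases; what differs is the table and column names each product exposes. The table and column names assume the current schemas (SecurityEvent in Log Analytics, DeviceProcessEvents in Advanced Hunting; older MDATP tenants used ProcessCreationEvents), and the encoded-PowerShell filter is a constructed illustration, not a detection taken from the thread.

```kql
// --- Sentinel / Log Analytics ---
// Windows Security Events arrive via the Security Events connector.
// Process creation is event ID 4688; the time column is TimeGenerated.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688
| where Process =~ "powershell.exe"
| where CommandLine has_any ("-enc", "-encodedcommand")
| project TimeGenerated, Computer, Account, Process, CommandLine
| order by TimeGenerated desc

// --- Defender Advanced Hunting ---
// Process creation lives in its own table; the time column is Timestamp
// and host/user/command-line columns have different names.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encodedcommand")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc
```

Practical caveats: `has_any` is term-based and case-insensitive, so it matches the whole term "enc" rather than the literal "-enc"; use `contains` or a regex if you need exact substring semantics. Operators such as `has_any`, `=~` and `ago()` are core Kusto and work in both products, but product-specific functions, result-size limits and query time-outs differ, so a query that is accepted in one portal can still be rejected or truncated in the other. If the Defender tables are also ingested into Sentinel through the Microsoft 365 Defender connector, the second query runs unchanged in Log Analytics as well.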
Hi Ofer_Shezaf
For my 2 cents - and keeping in mind I haven't investigated Playbooks or Notebooks yet...?
It's very handy having the search to the schema right there + the Tabs feature is very simple to use and intuitive:
[Image: Sentinel_UI_1]
Having the tabs work like a browser is very simple. The History section is a little hard to read...?
Instead of History being laid out like it is today - can you simply "extract" the first two lines of "comments" ( // ) and then display that in the same sized tiles (as below) - this will be easier to read + it will help encourage folks to write/add comments correctly in their queries…?
Can we also have "extensibility" to drop the samples we don't need/use - or at least put them further back - then our saved examples/hunting queries can be brought in here?
[Image: Sentinel_UI_2]
Not sure if Tabs works here? And it sort of looks like there is a lack of search in the Schema on the left, but possibly this is because we can search other elements from the search areas on the right...?
The list of "suggested" queries is good and appears to be contextual?
[Image: Defender_UI_1]
I hope this helps?