Forum Discussion
Querying Azure Sentinel Logs Using KQL
Hello,
We have integrated MCAS with Azure Sentinel using the data connector available. All the logs are being sent to Sentinel and so far it is good. To dig deeper and understand the logs by using KQL, I was looking for a few use case examples that would help us. Any documentation or links that you people can direct me to?
I came across this article and it is good!! Looking for a few more examples like this. Apart from this any other documentation that would help to help understand Sentinel better?
4 Replies
Thanks Clive!! It helps!!
But this is not what exactly I am looking for. Let me give you an example for this
I want to be able to write queries to deep dive into the logs we get, parse the json parameters that we have and use the columns after parsing into an alert for Logic Apps. I was looking for documentations like the one I shared in the post to be able to make more sense out of the logs. Is it doable?
Understood. There are many many logs and many ways of looking at them. There are quite a few examples but you do need experience with KQL, have you done the free course? https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch you can also view the course contents in the demo portal https://ms.portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade (you can see the Pluralsight material form here as well); open the Query Explorer and look in the folder marked.
