Forum Discussion
Querying Azure Sentinel Logs Using KQL
Thanks Clive!! It helps!!
But this is not exactly what I am looking for. Let me give you an example of this.
I want to be able to write queries to deep dive into the logs we get, parse the JSON parameters that we have, and use the columns after parsing in an alert for Logic Apps. I was looking for documentation like the one I shared in the post to be able to make more sense of the logs. Is it doable?
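As an added illustration of the kind of query asked about here (this is not code from the thread), the following KQL parses a JSON column into typed fields and aggregates them into the columns an analytics rule or Logic Apps playbook would consume. The `SampleEvents` datatable, its column names and the JSON keys are constructed stand-ins for a real Sentinel table and its JSON payload.

```kql
// Constructed sample rows standing in for a Sentinel table whose
// Properties column carries a JSON string (not real workspace data).
let SampleEvents = datatable(TimeGenerated: datetime, Computer: string, Properties: string)
[
    datetime(2024-01-01 10:00:00), "host01", '{"user":"alice","action":"login","result":"failure","ip":"203.0.113.5"}',
    datetime(2024-01-01 10:01:00), "host01", '{"user":"alice","action":"login","result":"failure","ip":"203.0.113.5"}',
    datetime(2024-01-01 10:02:00), "host01", '{"user":"alice","action":"login","result":"failure","ip":"203.0.113.5"}',
    datetime(2024-01-01 10:03:00), "host02", '{"user":"bob","action":"login","result":"success","ip":"198.51.100.7"}',
    datetime(2024-01-01 10:04:00), "host02", '{"user":"carol","action":"login","result":"failure","ip":"198.51.100.9"}'
];
SampleEvents
// parse_json turns the string into a dynamic object we can address by key
| extend p = parse_json(Properties)
// promote the JSON keys to typed, named columns
| extend User = tostring(p.user),
         Action = tostring(p.action),
         Result = tostring(p.result),
         SourceIp = tostring(p.ip)
// keep only failed logins and count them per user and source address
| where Action == "login" and Result == "failure"
| summarize Failures = count(), LastSeen = max(TimeGenerated) by User, SourceIp
// threshold for the alert; tune to the environment
| where Failures >= 3
// these are the columns to map as entities / custom details for the playbook
| project User, SourceIp, Failures, LastSeen
```

With the constructed rows above, the query returns one row (alice, 203.0.113.5, 3 failures); in a real workspace, replace the `datatable` with the actual table and key names.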
Understood. There are many, many logs and many ways of looking at them. There are quite a few examples, but you do need experience with KQL. Have you done the free course? https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch You can also view the course contents in the demo portal https://ms.portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade (you can see the Pluralsight material from here as well); open the Query Explorer and look in the folder marked.