Now in preview, you can use Azure Data Explorer (ADX) cross-resource queries from within the hunting query page, the livestream page, and the logs (Log Analytics) page. Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors.
You can learn more about sending logs from Azure Sentinel to Azure Data Explorer for long-term retention here: Integrate Azure Data Explorer for long-term log retention
Creating cross-resource queries
To query data stored in ADX clusters, simply use the adx() function to specify the ADX cluster, database name, and desired table. You can then query the output as you would any other table. If you have access to an ADX cluster with active data, it is super easy to try.
Here is a brief summary of the adx() function syntax to help get you started:
adx("<Cluster URI>/<Database Name>").<Table Name>
Here is an example query that accesses public data:
adx("https://help.kusto.windows.net/Samples").StormEvents | take 5
You can find the full details here: Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer
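The following hunting query is an added example, not part of the original post. It unions recent Log Analytics data with long-term data in ADX to surface user and IP address pairs with a successful sign-in that appear for the first time in the recent window. The cluster and database placeholders and the SigninLogsArchive table are assumptions; the archive table is assumed to keep the SigninLogs column names and types.

```kusto
// Added example. Assumptions (not from the original post):
//   <ClusterName>, <DatabaseName> : placeholders for your ADX cluster and database
//   SigninLogsArchive             : hypothetical ADX table holding exported SigninLogs
//                                   rows with the same column names and types
let recentWindow  = 14d;    // data still held in Log Analytics
let historyWindow = 180d;   // how far back to look in the ADX archive
let recent =
    SigninLogs
    | where TimeGenerated >= ago(recentWindow)
    | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, Source = "LogAnalytics";
let archived =
    adx("https://<ClusterName>.kusto.windows.net/<DatabaseName>").SigninLogsArchive
    | where TimeGenerated between (ago(historyWindow) .. ago(recentWindow))
    | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, Source = "ADX";
union recent, archived
| where ResultType == "0"                  // successful sign-ins only
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SignIns   = count(),
            Sources   = make_set(Source)
    by UserPrincipalName, IPAddress
| where FirstSeen >= ago(recentWindow)     // pair never seen in the archived history
| order by FirstSeen asc
```

Filtering each source on TimeGenerated before the union keeps the amount of data pulled from ADX bounded, which matters given that there are no performance guarantees for cross-resource queries.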
Using cross-resource queries on the hunting queries, livestream, and logs pages
Once you know how to construct cross-resource queries, using them in the hunting experience is easy. Go to the hunting queries page and click "+ New query" to create a new custom query. Add your cross-resource query to the "Custom Query" field as you would for any other hunting query.
The process is similar for the livestream experience. On the hunting page livestream tab, click "+ New Livestream" to open the livestream query authoring experience.
You can also create cross-resource queries directly in the Azure Sentinel Logs (Log Analytics) experience. This is very convenient when iterating on and refining your queries during the hunting process, as well as diagnosing and resolving query errors.
Additional Information
There are no performance guarantees for querying over ADX data from Azure Sentinel. Additionally, this preview only supports cross-resource queries for the previously mentioned features. Features such as Analytics do not support cross-resource queries.
Learn more:
Find out more about the following topics:
- Cross-resource queries: Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer
- Using hunting queries: Hunt for threats with Azure Sentinel
- Using livestream: Use hunting livestream in Azure Sentinel to detect threats
- Sending logs from Azure Sentinel to Azure Data Explorer: Integrate Azure Data Explorer for long-term log retention