What’s New: Query line numbering, Azure Sentinel in the schema pane

Published Aug 19 2020 06:00 AM

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.


Every second counts. Some security incidents are unstoppable, but when prevention isn’t possible, the right investigation and response is everything. To help SOC analysts quickly reason over a large volume of security data, we are delighted to introduce a set of enhancements that enrich and improve the investigation experience in Azure Sentinel.

Enable Line Numbers to Aid Quicker Debugging of Your Azure Sentinel KQL Queries


The Azure Monitor team released a new capability that enhances the way your SOC analysts reason over and monitor the critical security data ingested into Azure Sentinel. To enable quicker debugging of KQL queries in the Log Analytics workspace, analysts can now turn on line numbers in the query editor and quickly identify the line on which an error exists.

With this enhancement, when creating a Log Analytics query, each row in the query editor is indicated by a number:

[Image: rownumbers2.jpg]
This makes it easier to find the part of the query you need when composing a new query. The new line numbers work in tandem with our new error messages.

If there's an error in the query an analyst composed, our newly designed error messages will indicate the row where the issue was found. Row numbers in the query editor make it faster and easier to find the issue, and the messages provide guidance to rectify the error.

[Image: errorquery.jpg]

How to enable:


Open the Settings panel by clicking the Settings cog icon, then use the switch to turn row numbers on or off.

[Image: rownumberenable.gif]

Azure Sentinel in the logs screen schema


Small but nevertheless important: the schema pane of the logs screen, both in Sentinel and in Log Analytics, now finally shows “Azure Sentinel” rather than “SecurityInsights”. This will help your SOC analysts easily identify all the data tables under the Azure Sentinel solution.

[Image: azuresentinelschema.png]

Get started today!


We encourage you to leverage the new enhancements to aid in debugging and improve the investigation experience in Azure Sentinel.

Try it out, and let us know what you think!

1 Comment

@Cristhofer Munoz Good to see this, definitely helpful.

Just one thing though, I had to manually refresh the browser page to see the changes take effect.

Auto-refresh on save would be nice.

Last update: Aug 18 2020 01:37 PM