Now in preview, you can use Azure Data Explorer (ADX) cross-resource queries from within the hunting query page, the livestream page, and the logs (Log Analytics) page. Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors.
To query data stored in ADX clusters, simply use the adx() function to specify the ADX cluster, database name, and desired table. You can then query the output as you would any other table. If you have access to an ADX cluster with active data, it is super easy to try.
Here is a brief summary of the adx() function syntax to help get you started:
adx("<Cluster URI>/<Database Name>").<Table Name>
Here is an example query that accesses public data:
adx("https://help.kusto.windows.net/Samples").StormEvents | take 5
Using cross-resource queries on the hunting queries, livestream, and logs pages
Once you know how to construct cross-resource queries, using them in the hunting experience is easy. Go to the hunting queries page and click "+ New query" to create a new custom query. Add your cross-resource query to the "Custom Query" field as you would for any other hunting query.
The process is similar for the livestream experience. On the hunting page livestream tab, click "+ New Livestream" to open the livestream query authoring experience, and enter the cross-resource query there.
You can also create cross-resource queries directly in the Azure Sentinel Logs (Log Analytics) experience. This is very convenient when iterating on and refining your queries during the hunting process, as well as diagnosing and resolving query errors.
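The following hunting query is an added example and is not from the original post. It shows the pattern the syntax above enables: combining sign-in data still in the Log Analytics workspace with older sign-ins that have been moved to an ADX cluster for long-term retention, so a single hunt covers both. The cluster URI, database name and the SigninLogs_Archive table are placeholders for an ADX table that is assumed to mirror the SigninLogs schema; the StormEvents table from the page's own example is public, but this archive table is not.

```kusto
// Added example (not part of the original post). Assumes an ADX table named
// SigninLogs_Archive whose columns match the Log Analytics SigninLogs table.
// <cluster>, <region> and <database> are placeholders for your own ADX resources.
let lookback = 90d;
let archived =
    adx("https://<cluster>.<region>.kusto.windows.net/<database>").SigninLogs_Archive
    | where TimeGenerated >= ago(lookback)
    | project TimeGenerated, UserPrincipalName, IPAddress, ResultType;
let recent =
    SigninLogs
    | where TimeGenerated >= ago(lookback)
    | project TimeGenerated, UserPrincipalName, IPAddress, ResultType;
// isfuzzy=true lets the query run even if one of the two sources is unavailable
union isfuzzy=true recent, archived
// ResultType is a string in SigninLogs; "0" means the sign-in succeeded
| where ResultType != "0"
| summarize FailedSignins = count(),
            DistinctSourceIPs = dcount(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by UserPrincipalName
| where FailedSignins > 20
| order by FailedSignins desc
```

The projections on both sides keep the column names and types aligned before the union; if the archived table stores a column under a different name or type, rename or cast it in the adx() branch rather than in the workspace branch, since the workspace schema is the one the rest of the hunting query expects. Because the page notes there are no performance guarantees for the ADX side, bounding the archive scan with a time filter, as done here with the lookback value, keeps interactive hunting and livestream runs responsive.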
There are no performance guarantees for querying over ADX data from Azure Sentinel. Additionally, this preview only supports cross-resource queries for the previously mentioned features. Features such as Analytics do not support cross-resource queries.