
API - KQL - cross workspace query


Hi

 

I am looking for a way to run KQL queries over the Sentinel API to query data for different Azure tenants at once across workspaces.

 

Any tips on how that can be achieved would be great!

2 Replies

@erlendoyen There is not a way to do this. The Sentinel API does provide filtering features but not the ability to query across workspaces. There is a KQL command called "workspace" to perform this. Take a look at this blog post to get started: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cross-workspace-hunting-is-now-avai...
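
The `workspace()` expression this reply points to, as an added example that is not part of the original thread: one query unions the `SecurityIncident` table from two workspaces and keeps only the latest state of each incident. The workspace names and the `SourceWorkspace` column are constructed for illustration, and the identity running the query is assumed to have read access to every workspace listed.

```kusto
// Added example. Workspace names are constructed placeholders;
// replace them with workspace names, workspace IDs, or resource IDs.
let lookback = 7d;
union
    // Tag each leg so rows stay attributable after the union.
    (workspace("contoso-sentinel-ws").SecurityIncident
        | extend SourceWorkspace = "contoso-sentinel-ws"),
    (workspace("fabrikam-sentinel-ws").SecurityIncident
        | extend SourceWorkspace = "fabrikam-sentinel-ws")
// Only incidents created or updated inside the lookback window are returned.
| where TimeGenerated > ago(lookback)
// SecurityIncident holds one row per incident change; keep the newest row.
// IncidentNumber is only unique within a workspace, so group by both.
| summarize arg_max(TimeGenerated, *) by SourceWorkspace, IncidentNumber
| where Status != "Closed"
| project SourceWorkspace, IncidentNumber, Title, Severity, Status,
          LastModifiedTime, IncidentUrl
| order by LastModifiedTime desc
```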

Hi, yes I have managed to make that work cross tenants, but I am looking for a way to retrieve the incidents from Sentinel across many tenants (workspaces) from another monitoring system.

Any other suggestions on how to do this?