API - KQL - cross workspace query

I am looking for a way to run KQL queries over the Sentinel API to query data for different Azure tenants at once across workspaces.

Any tips on how that can be achieved would be great!

2 Replies

@erlendoyen There is not a way to do this. The Sentinel API does provide filtering features but not the ability to query across workspaces. There is a KQL command called "workspace" to perform this. Take a look at this blog post to get started: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cross-workspace-hunting-is-now-avai...
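An added example (not part of the original thread) of the `workspace()` expression mentioned in this reply, applied to the `SecurityIncident` table to list the current state of open incidents from two workspaces. The workspace identifiers and the `SourceWorkspace` labels are placeholders, and it assumes the identity running the query has read access to both workspaces.

```kql
// Added example: cross-workspace incident listing with workspace().
// <workspace-id-a> and <workspace-id-b> are placeholders; substitute the
// workspace IDs (or full resource IDs) you are authorized to read.
let lookback = 7d;
union
    (workspace("<workspace-id-a>").SecurityIncident
        | extend SourceWorkspace = "workspace-a"),   // label is an assumption
    (workspace("<workspace-id-b>").SecurityIncident
        | extend SourceWorkspace = "workspace-b")    // label is an assumption
| where TimeGenerated > ago(lookback)
// SecurityIncident records a new row each time an incident is created or
// updated, so keep only the most recent row per incident per workspace.
| summarize arg_max(LastModifiedTime, *) by SourceWorkspace, IncidentNumber
// Incident numbers are only unique within a workspace, which is why
// SourceWorkspace is part of the grouping key above.
| where Status != "Closed"
| project SourceWorkspace, IncidentNumber, Title, Severity, Status,
          CreatedTime, LastModifiedTime
| order by LastModifiedTime desc
```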

Hi, yes I have managed to make that work cross tenants, but I am looking for a way to retrieve the incidents from Sentinel across many tenants (workspaces) from another monitoring system.

Any other suggestions on how to do this?