Microsoft Tech Community
SOLVED

Kusto Explorer - So Many Tables!

Iron Contributor

Hey there!


I was looking for a way to manage KQL queries and keep a running tally of the queries I've done so I can step back through the history and figure out how I got where I am. I was hoping for a way to connect my KQL efforts to my GitHub repo. I did some research and found Michel Kamp's article on using Kusto Explorer to do this (https://michelkamp.wordpress.com/2020/08/05/a-better-place-to-handle-your-kql-queries/). I've now set up Kusto Explorer and connected it to my Sentinel environment. However, when I look under the connections I see hundreds of tables with most of them not having any relevance to my Sentinel environment. Actually, most of them are empty. Any idea why I'm seeing all of these non-existent tables? And is there a way to only retrieve tables that actually exist?


TIA

~dgm~

6 Replies
Most likely there is something that is feeding your ADX environment or those are tables that ADX creates itself. You could look at the Sentinel Repository feature to store your queries (although it may take a little work as it doesn't work directly with log queries).
I actually don't have any ADX, just Sentinel. That's part of what has me confused.
There are some tables that are not exposed via the Sentinel UI since they have no useful information.

@GBushey I never knew that these were all hiding back there: >450 tables, most of them empty. It's not a big deal as I know which tables I'm working with. I wish there were a way to eliminate the empty tables from the view.


Also, haven't found a way to attach the work I'm doing to Git which was my original reason for using Kusto Explorer.
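Kusto Explorer's connection tree cannot hide schema-only tables, but a query can list just the tables in the workspace that actually hold records. The following KQL is an added example and is not from the thread or from Michel Kamp's article; it assumes a Sentinel (Log Analytics) workspace queried through Kusto Explorer's Log Analytics connection, and the 30-day window is a constructed choice that can be widened or narrowed.

```kql
// Added example (not from the original post): two ways to list only the
// tables that contain data, so the >450 empty schema entries can be ignored.

// 1. Cheap approach: the Usage table records ingested volume per data type
//    (DataType is the table name, Quantity is MB). Tables that never received
//    data do not appear here at all, so this runs quickly even on large
//    workspaces and is a good first pass.
Usage
| where TimeGenerated > ago(30d)          // constructed window; adjust to taste
| summarize IngestedMB = round(sum(Quantity), 2),
            LastIngested = max(TimeGenerated) by TableName = DataType
| where IngestedMB > 0
| order by IngestedMB desc

// 2. Exact approach: scan every table and count rows directly. This is
//    heavier because it touches all tables, so keep the time filter tight.
//    withsource= tags each row with the table it came from.
union withsource = TableName *
| where TimeGenerated > ago(30d)          // constructed window; adjust to taste
| summarize RowCount = count(), LatestRecord = max(TimeGenerated) by TableName
| where RowCount > 0
| order by RowCount desc
```

In Kusto Explorer the two statements are separated by a blank line, so placing the cursor in either one and pressing F5 runs only that query. The Usage-based query is the one to reach for routinely; the union scan is worth running once to confirm the list (Usage only covers data types that report ingestion volume), and its output doubles as a quick check that expected Sentinel sources such as SecurityEvent or SigninLogs are actually still landing in the workspace.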

best response confirmed by DGMalcolm (Iron Contributor)
Solution
There's no automated way to connect KQL or any kind of Sentinel content back to GitHub. The best practice would be to manually copy KQL and paste them using the GitHub desktop + Sublime text or vs code. Otherwise, all efforts will be lost.
That seems to answer the underlying question. Disappointing but it's what I needed to hear. Thank you.