New Blog Post | The Basic Logs for Microsoft Sentinel KQL Limitations

Microsoft


The Basic Logs for Microsoft Sentinel KQL Limitations – Azure Cloud & AI Domain Blog (azurecloudai.blog): https://azurecloudai.blog/2022/03/16/the-basic-logs-for-microsoft-sentinel-kql-limitations/?WT.mc_id=modinfra-0000-rotrent

In a recent post that caught a lot of attention, I outlined the do’s and don’ts for using the Basic Logs feature with Microsoft Sentinel.


See: When to Use and When NOT to Use Basic Logs with Microsoft Sentinel (https://cda.ms/41b)

One of the limitations of Basic Logs is that it only supports a subset of the KQL operators, which means you won’t be able to utilize Basic Logs data for Analytics Rules and other necessary Microsoft Sentinel functions.


But some have asked: what exactly are the KQL limitations? Because the list of what’s NOT supported is pretty huge, it’s easier to show what is supported.

Original Post: New Blog Post | The Basic Logs for Microsoft Sentinel KQL Limitations - Microsoft Tech Community (https://techcommunity.microsoft.com/t5/security-compliance-and-identity/new-blog-post-the-basic-logs-for-microsoft-sentinel-kql/m-p/3258994#M7062)
