The Basic Logs for Microsoft Sentinel KQL Limitations – Azure Cloud & AI Domain Blog (azurecloudai.b...
In a recent post that caught a lot of attention, I outlined the do’s and don’ts for using the Basic Logs feature with Microsoft Sentinel.
See: When to Use and When NOT to Use Basic Logs with Microsoft Sentinel
One of the limitations of Basic Logs is that it only supports a subset of the KQL operators, which means you won’t be able to utilize Basic Logs data for Analytics Rules and other necessary Microsoft Sentinel functions.
But some have asked: what exactly are the KQL limitations? Because the list of what’s NOT supported is pretty huge, it’s easier to show what is supported.