Microsoft Tech Community

KQL Queries in Sentinel & Defender? Different UI's...?


From what I was reading it *appeared* that both the Sentinel and Defender ATP instances were using the same KQL Queries for advanced hunting queries? And to a certain extent that does appear to be the case.

 

So then why are they both using different UI's?

They both look kind of the same in the initial query - but when you start to look at opening your results looking for additional "identifiers" to narrow the results, the two systems use quite a different approach - to the point that it's really jarring - how did this happen?

 

Sentinel has some hidden + & - buttons so that it can easily be added

[image: Sentinel_Add_Field.JPG]

 

And then in Defender ATP it uses a technique that requires a "right click" on the line to bring up this prompt below - what gives with this...?

 

[image: Defender_ATP.JPG]


@David Caddick 

 

I am not sure I can bridge the gap between the two, and I understand that more conformity would make it easier to use. I can explain why the difference is there: 

 

Kusto (the K in KQL) is a Microsoft-developed database technology targeted at big data analytics. It is widely used by Microsoft products and is also available to you directly as Azure Data Explorer. Each system using Kusto can expose it to a different level and add additional functionality. Both MDATP and Sentinel (in practice, Log Analytics) expose a lot, making it look similar, but there are differences, and not just in the UI. Some Kusto capabilities might be available in one and not the other, or in neither.

 

On the practical side, we would love to hear about those discrepancies, as well as your preferred solution and add to the relevant roadmap the features you liked better. 

 

~ Ofer
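To make the point above concrete, here is an added example (not from either poster, and not a query shipped with either product) of the kind of hunting query that runs unchanged in both advanced hunting and Sentinel. It assumes the DeviceProcessEvents table and its standard columns are present in both (in Sentinel, that means the Defender for Endpoint connector is enabled); the process names, time window and account filter are illustrative choices. The leading "//" lines are the comment header the reply below asks the History view to surface, and the two trailing "where" clauses are what the "+" / "-" (Sentinel) and right-click (Defender) actions on a result row amount to once written out by hand:

```kql
// Title: Office application spawning PowerShell
// Description: Word/Excel/Outlook launching powershell.exe in the last 7 days,
//   grouped by device and account. Same query text works in Defender advanced
//   hunting and in Sentinel (Log Analytics) when the MDE tables are ingested.
// Assumptions (example only): DeviceProcessEvents schema, 7-day window, the
//   three parent process names and the SYSTEM exclusion are illustrative.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
| where FileName =~ "powershell.exe"
// What the UI "add to filter (+)" action produces for a value picked from a row:
| where ActionType == "ProcessCreated"
// What the UI "exclude (-)" action produces for a value you want dropped:
| where AccountName !~ "SYSTEM"
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
| summarize Count = count(),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
            by DeviceName, AccountName
| order by Count desc
```

Because each product exposes a different subset of Kusto, a query like this should be pasted into both consoles and checked rather than assumed to be portable: the table and column names above are the common schema, but any operator or function that works in one and errors in the other is exactly the kind of discrepancy the reply above asks to hear about.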

Hi @Ofer_Shezaf 

 

For my 2 cents - and keeping in mind I haven't investigated Playbooks or Notebooks yet...?

It's very handy having the search to the schema right there + the Tabs feature is very simple to use and intuitive:

[image: Sentinel_UI_1]

Having the tabs work like a browser is very simple. The History section is a little hard to read...?

 

Instead of History being laid out like it is today - can you simply "extract" the first two lines of "comments" ( // ) and then display that in the same sized tiles (as below) - this will be easier to read + it will help encourage folks to write/add comments correctly in their queries…?

 

Can we also have "extensibility" to drop the samples we don't need/use - or at least put them further back - so that our saved examples/hunting queries can be brought in here?

 

[image: Sentinel_UI_2]

Not sure if Tabs works here? And it sort of looks like there is a lack of search in the Schema on the left, but possibly this is because we can search other elements from the search areas on the right...?

The list of "suggested" queries is good and appears to be contextual?  

 

[image: Defender_UI_1]

 

I hope this helps?