Microsoft Sentinel Logs & Writing Queries (part 1 of 3)



To read part 2, please click here




An Introduction to the Microsoft Sentinel Logs Page

The Log Analytics workspace sits at the top of the hierarchy. It can be thought of as a container for all the individual logs of your instance of Microsoft Sentinel, roughly equivalent to a database in SQL.

Individual logs, called tables, exist within each workspace and are equivalent to a table in SQL. Each table has a set of columns and zero or more rows of data. Columns can hold different types of data, such as text, date/time, integers, and others.

Navigating through the Logs page

This is the page that lists all the logs belonging to your instance and any existing queries, lets you write your own queries, shows the results, and much more. First, choose Logs from the Microsoft Sentinel navigation section. This takes you to a page with several sections: the Page Header, the Tables Pane, the Filter Pane, the KQL Code Window, and the Sample Queries/Results Window.

The Page Header

As the name suggests, it sits at the top of the page and contains links such as sample queries, the query explorer, settings, and help. These links help you write new queries or start from predefined code. Its buttons are explained below:

  • Sample queries - These help you start looking at tables. Use them as follows:

  1. Click the Sample queries button. By default it shows a set of sample queries, including the Computer availability entry.
  2. Click the Run button on any entry to load that query and run it.

  • Query explorer - This button works like the Sample queries button, except that it also lets you add your own queries to the listing. Any queries you have marked as favorites are shown here as well.

  1. Click the Query explorer button to open the Query explorer blade.
  2. Expand the Log Management entry to view the list of log management related queries.
  3. If you choose the All Syslog query and click the star to its right, it is saved as a favorite and the star turns black.
  4. Clicking any query also loads it into the KQL window, and the code window's title automatically changes to match the name of the selected query.

  • Settings (the gear icon) - A few settings can be changed by clicking the Settings button, which opens the Settings blade with the following options:

  1. Date & Time - Select a time zone to change how date and time fields are displayed. By default, the fields are shown in Coordinated Universal Time (UTC), also called Greenwich Mean Time (GMT) or Zulu (Z). A Local Time entry is also available so that dates and times follow your computer's local time zone.
  2. Sort Results - Choose whether results are automatically sorted by the TimeGenerated field. If this is On (the default), the results are sorted by TimeGenerated; otherwise they are shown in whatever order the query returned them.
  3. Table View - Sets the number of rows shown on each page. The default is 50 rows; you can also choose 100, 150, or 200 rows per page.
  4. History Queries - Tells you how long the query history is stored and how to clear it.

  • Help (the book icon) - This button has no label, but it looks like a book and sits on the far-right side of the header. Clicking it lets you learn more about the Logs page through the following options:

  1. Community opens a new tab and takes you to the Azure Analytics Tech Community page.
  2. Language preference opens the KQL reference page in a new tab.
  3. Online course opens a new tab and takes you to Pluralsight's page, where the free Kusto Query Language (KQL) from Scratch course can be viewed.
  4. Start tour restarts the tour of the Logs page, which is helpful for recalling how a certain feature works.
  5. What's new opens the Azure Log Analytics updates page in a new tab.
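An added example (not code from the original post) that ties the points above together in KQL against the Syslog table, which is assumed to be present and populated in your workspace: it inspects a table's columns and their data types, and it does the sorting and row limit inside the query instead of relying on the Sort Results and Table View settings, which only change how the portal displays results.

```kusto
// Added example, not from the original post. Assumes the Syslog table exists in the workspace.

// 1. A table is a set of typed columns: list the Syslog columns and their data types.
Syslog
| getschema

// 2. The Sort Results setting only affects the portal's display of rows.
//    Sorting and limiting explicitly in the query gives deterministic results
//    wherever the query runs later (analytics rules, workbooks, exports).
Syslog
| where TimeGenerated > ago(1d)
| project TimeGenerated, Computer, Facility, SeverityLevel, SyslogMessage
| sort by TimeGenerated desc
| take 50   // same as the default Table View page size, but as part of the query
```

Run the two queries one at a time in the KQL window; the first returns one row per column, the second the 50 most recent Syslog events of the last day.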



