Now in preview, you can use Azure Data Explorer (ADX) cross-resource queries from within the hunting query page, the livestream page, and the logs (Log Analytics) page. Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors. You can learn more about sending logs from Azure Sentinel to Azure Data Explorer for long-term retention here: Integrate Azure Data Explorer for long-term log retention.

To query data stored in ADX clusters, use the adx() function to specify the ADX cluster, database name, and desired table. You can then query the output as you would any other table. If you have access to an ADX cluster with active data, it is easy to try. Here is a brief summary of the adx() function syntax to help get you started (the angle-bracket names are placeholders for your own values):

adx("<cluster URL>/<database>").<table>

Here is an example query that accesses public data (substitute the URL of the public sample cluster):

adx("<public sample cluster URL>").StormEvents | take 5

You can find the full details here: Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer.

Using cross-resource queries on the hunting queries, livestream, and logs pages

Once you know how to construct cross-resource queries, using them in the hunting experience is easy. Go to the hunting queries page and click "+ New query" to create a new custom query. Add your cross-resource query to the "Custom Query" field as you would for any other hunting query.

The process is similar for the livestream experience. On the hunting page livestream tab, click "+ New Livestream" to open the livestream query authoring experience.

You can also create cross-resource queries directly in the Azure Sentinel Logs (Log Analytics) experience. This is very convenient when iterating on and refining your queries during the hunting process, as well as diagnosing and resolving query errors.

Note that there are no performance guarantees for querying over ADX data from Azure Sentinel. Additionally, this preview only supports cross-resource queries for the previously mentioned features; features such as Analytics do not support cross-resource queries.

Find out more about the following topics:
Cross-resource queries: Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer.
Using hunting queries: Hunt for threats with Azure Sentinel.
Using livestream: Use hunting livestream in Azure Sentinel to detect threats.
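The following hunting query is an added example and is not part of the original post. It shows the pattern the post describes: calling adx() to reach sign-in data that has been moved to ADX for long-term retention and joining it with the recent data still in the Azure Sentinel workspace, so the hot data can be compared against a baseline that is older than the workspace retains. The cluster URL, the database name LongTermLogs, and the assumption that the ADX table SigninLogs has the same columns as the Log Analytics SigninLogs table (TimeGenerated, UserPrincipalName, IPAddress, ResultType, Location) are all assumptions for this example.

```kusto
// Added example hunting query (not from the original post).
// Assumptions: an ADX cluster at the placeholder URL below, a database named
// "LongTermLogs", and a table "SigninLogs" in it with the same schema as the
// Log Analytics SigninLogs table (exported there for long-term retention).
let lookback = 180d;   // baseline window held in ADX
let recent   = 1d;     // hot window held in the Sentinel workspace
// Baseline: every (user, source IP) pair seen in a successful sign-in over the
// long retention window, read from ADX via the adx() cross-resource function.
let knownPairs =
    adx("https://<your-cluster>.<region>.kusto.windows.net/LongTermLogs").SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"          // successful sign-ins only
    | summarize by UserPrincipalName, IPAddress;
// Recent successful sign-ins from the Sentinel (Log Analytics) workspace that
// come from a (user, IP) pair never seen in the ADX baseline.
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| join kind=leftanti knownPairs on UserPrincipalName, IPAddress
| summarize FirstSeen = min(TimeGenerated), SignInCount = count()
    by UserPrincipalName, IPAddress, Location
| order by FirstSeen desc
```

Run this first from the Logs page so that any schema mismatch between the ADX table and the workspace table surfaces as a query error you can fix, then save it as a custom hunting query. Because the preview offers no performance guarantees for ADX queries, keep the ADX side reduced to the columns you join on and the time window you need, as the summarize in the baseline does here.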