What’s New: Azure Sentinel Hunting supports ADX cross-resource queries

Published Jul 14 2021 12:00 PM
Microsoft

Now in preview, you can use Azure Data Explorer (ADX) cross-resource queries from within the hunting query page, the livestream page, and the Logs (Log Analytics) page. Although Log Analytics remains the primary data store for analysis in Azure Sentinel, there are cases where data must live in ADX instead, typically because of cost, retention periods longer than the workspace allows, or other factors.

 

You can learn more about sending logs from Azure Sentinel to Azure Data Explorer for long-term retention here: Integrate Azure Data Explorer for long-term log retention (https://docs.microsoft.com/en-us/azure/sentinel/store-logs-in-azure-data-explorer?tabs=adx-event-hub)

 

Creating cross-resource queries  

To query data stored in an ADX cluster, use the adx() function to specify the cluster URI, the database name, and the table you want. The result can then be filtered, summarized, and joined like any other table in the query. If you have read access to an ADX cluster that already holds data, trying it takes only a minute.

 

Here is a brief summary of the adx() function syntax to help get you started:

adx("<Cluster URI>/<Database Name>").<Table Name>

 

Here is an example query that accesses public data:

adx("https://help.kusto.windows.net/Samples").StormEvents | take 5

You can find the full details here: Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer (https://docs.microsoft.com/en-us/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#cross-query-your-log-analytics-or-application-insights-resources-and-azure-data-explorer)
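The two snippets above only read a public sample table. The following hunting query is an added example, not code from the original post or from the Sentinel documentation, that shows the pattern a hunter actually wants: joining live workspace data with an archived copy held in ADX. The cluster URI (https://contoso-archive.westeurope.kusto.windows.net), the database name (SentinelArchive) and the existence of an exported SigninLogs table with the same schema as the Log Analytics table are all assumptions; substitute your own. The hunt flags successful sign-ins in the last 7 days from an IP address the account never used successfully in the preceding 90 days of archived history, a window the workspace itself may no longer retain.

```kusto
// Added example, not from the original post. Hypothetical names:
//   cluster  https://contoso-archive.westeurope.kusto.windows.net
//   database SentinelArchive
//   table    SigninLogs (exported copy, same schema as the Log Analytics table)
// Hunt: recent successful sign-ins from an IP the account has no successful
// history with in the ADX archive.
let recent = 7d;
let archive_lookback = 90d;
// Baseline of known-good source IPs per account, read from the ADX archive.
let ArchiveBaseline = adx("https://contoso-archive.westeurope.kusto.windows.net/SentinelArchive").SigninLogs
    | where TimeGenerated between (ago(archive_lookback) .. ago(recent))
    | where tostring(ResultType) == "0"          // ResultType 0 = success
    | summarize KnownIPs = make_set(IPAddress, 1000) by UserPrincipalName;
// Recent successful sign-ins from the live Log Analytics workspace.
SigninLogs
| where TimeGenerated > ago(recent)
| where tostring(ResultType) == "0"
| join kind=leftouter ArchiveBaseline on UserPrincipalName
| extend SeenBefore = set_has_element(KnownIPs, IPAddress)
// leftouter leaves KnownIPs null for accounts absent from the archive, and
// set_has_element on a null set yields null, so keep both "no" and "unknown".
| where isnull(SeenBefore) or SeenBefore == false
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, KnownIPs
| order by TimeGenerated desc
```

Develop and validate a query like this on the Logs page first (where query errors from the adx() call are easiest to diagnose), then save it as a custom hunting query. If the ADX export renamed or retyped columns such as TimeGenerated or ResultType, adjust the archive side of the join accordingly; the tostring() calls are there so the comparison works whether the archived ResultType is stored as a string or a number.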

 

Using cross-resource queries on the hunting queries, livestream, and logs pages 

Once you know how to construct cross-resource queries, using them in the hunting experience is straightforward. Go to the hunting queries page and click "+ New query" to create a new custom query. Add your cross-resource query to the "Custom Query" field as you would for any other hunting query.

[Image: ADX_Hunting_Query.png]

 

The process is similar for the livestream experience. On the livestream tab of the hunting page, click "+ New Livestream" to open the livestream query authoring experience:

[Image: ADX_Livestream.png]

 

You can also create cross-resource queries directly in the Azure Sentinel Logs (Log Analytics) experience. This is very convenient when iterating on and refining your queries during the hunting process, as well as diagnosing and resolving query errors.

[Image: BenNick_0-1625790289375.png]

 

Additional Information

There are no performance guarantees for querying ADX data from Azure Sentinel. Additionally, this preview supports cross-resource queries only in the features mentioned above (hunting queries, livestream, and Logs). Analytics rules do not support cross-resource queries, so data that lives only in ADX can be hunted over but will not drive automated detections or incidents. Note also that the adx() call runs in the context of the signed-in user, so that user needs read access on the ADX database being queried; access to the Sentinel workspace alone does not grant it, and you should scope the ADX permissions as narrowly as the hunt requires.

 

Learn more:

Find out more about the following topics:

- Cross-resource queries: Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer (https://docs.microsoft.com/en-us/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy#cross-query-your-log-analytics-or-application-insights-resources-and-azure-data-explorer)
- Using hunting queries: Hunt for threats with Azure Sentinel (https://docs.microsoft.com/en-us/azure/sentinel/hunting)
- Using livestream: Use hunting livestream in Azure Sentinel to detect threats (https://docs.microsoft.com/en-us/azure/sentinel/livestream)
- Sending logs from Azure Sentinel to Azure Data Explorer: Integrate Azure Data Explorer for long-term log retention (https://docs.microsoft.com/en-us/azure/sentinel/store-logs-in-azure-data-explorer?tabs=adx-event-hub)

Version history
Last update: Jul 13 2021 10:09 AM