Introduction
Microsoft Sentinel collects log data that is stored in tables. The Logs page in Microsoft Sentinel provides a user interface to build and view query results using the Kusto Query Language (KQL). KQL is the query language used to perform data analysis to create analytics, workbooks, and perform hunting with Microsoft Sentinel.
You're a Security Operations Analyst working at a company that is implementing Microsoft Sentinel. You must explore the tables available in your workspace. The Logs page using Microsoft Sentinel allows you to write Kusto Query Language (KQL) statements to view data stored in the tables. When you connect log data to the Microsoft Sentinel workspace, the connectors will write data to specific tables.
You need to have a basic understanding of the provided tables and their intended purpose. For example, the "SecurityEvents" table is designed for Windows Security Event log data. With this knowledge, you'll be able to query the required tables to use in your search for malicious activity.
After completing this module, you'll be able to:
- Use the Logs page to view data tables with Microsoft Sentinel
- Query the most used tables using Microsoft Sentinel
Prerequisites
Basic knowledge of operational concepts such as monitoring, logging, and alerting