Commit 817c2f6

updates
1 parent b4b6bdc commit 817c2f6

File tree

2 files changed

+29
-11
lines changed


articles/sentinel/datalake/kql-jobs.md

Lines changed: 12 additions & 1 deletion
@@ -6,7 +6,7 @@ author: EdB-MSFT
66
ms.service: microsoft-sentinel
77
ms.topic: conceptual
88
ms.subservice: sentinel-graph
9-
ms.date: 07/15/2025
9+
ms.date: 08/12/2025
1010
ms.author: edbaynash
1111

1212
ms.collection: ms-security
@@ -119,6 +119,17 @@ You can create and manage jobs from the **Jobs** management page under **Data la
119119

120120
When creating jobs in the Microsoft Sentinel data lake, consider the following limitations and best practices:
121121

122+
## KQL
123+
124+
+ All KQL operators are supported except for the following:
125+
+ `adx()`
126+
+ `externaldata`
127+
+ `arg()`
128+
+ `Ingestion_time()`
129+
130+
+ User-defined functions not supported.
131+
132+
122133
## Jobs
123134
+ Job names must be unique for the tenant.
124135
+ Job names can be up to 256 characters.
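Review bot: the new `## KQL` list in kql-jobs.md is inconsistent with the list this same commit adds to kql-queries.md: here the item reads `externaldata`, there it reads `externaldata()`; use one form in both files. The function name is lowercase in KQL, so `Ingestion_time()` should be `ingestion_time()`. The lead-in says "All KQL operators are supported except for the following" but the items are functions and cluster references rather than operators, so "operators and functions" would be more accurate. Finally, "User-defined functions not supported." is missing its verb; suggest "User-defined functions aren't supported."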

articles/sentinel/datalake/kql-queries.md

Lines changed: 17 additions & 10 deletions
@@ -14,37 +14,37 @@ ms.collection: ms-security
1414

1515
# Run KQL queries against the Microsoft Sentinel data lake (preview)
1616

17-
Data lake exploration in the Defender portal, provides a unified interface for analyzing your data lake, enabling you to run KQL (Kusto Query Language) queries, and create and manage jobs.
17+
Data lake exploration in the Defender portal provides a unified interface to analyze your data lake. It lets you run KQL (Kusto Query Language) queries, create jobs, and manage them.
1818

19-
The **KQL queries** page under **Data lake exploration** allows you to edit and run KQL queries against data lake resources. You can create jobs to promote data from the data lake to the analytics tier. Jobs can be run on-demand or scheduled. The **Jobs** page provides an interface to manage jobs, enabling, disabling, editing, or deleting jobs. For more information, see [Create jobs in the Microsoft Sentinel data lake (preview)](kql-jobs.md).
19+
The **KQL queries** page under **Data lake exploration** lets you edit and run KQL queries on data lake resources. Create jobs to promote data from the data lake to the analytics tier. Run jobs on demand or schedule them. The **Jobs** page lets you manage jobs. Enable, disable, edit, or delete jobs. For more information, see [Create jobs in the Microsoft Sentinel data lake (preview)](kql-jobs.md).
2020

2121
## Prerequisites
2222

23-
The following prerequisites are required to run KQL queries in the Microsoft Sentinel data lake.
23+
The following prerequisites are needed to run KQL queries in the Microsoft Sentinel data lake.
2424

2525
### Onboard to the data lake
2626

27-
KQL queries can be run in the Microsoft Defender portal after the onboarding process is complete. For more information on onboarding, see [Onboarding to Microsoft Sentinel data lake](sentinel-lake-onboarding.md).
27+
You can run KQL queries in the Microsoft Defender portal after completing the onboarding process. For more information on onboarding, see [Onboarding to Microsoft Sentinel data lake](sentinel-lake-onboarding.md).
2828

2929
### Permissions
3030

31-
Microsoft Entra ID roles provide broad access across all workspaces in the data lake. Alternatively you can grant access to individual workspaces using Azure RBAC roles. Users with Azure RBAC permissions to Microsoft Sentinel workspaces can run KQL queries against those workspaces in the data lake tier. For more information on roles and permissions, see [Microsoft Sentinel data lake roles and permissions](../roles.md#roles-and-permissions-for-the-microsoft-sentinel-data-lake-preview).
31+
Microsoft Entra ID roles let you access all workspaces in the data lake. Alternatively, you can grant access to individual workspaces using Azure RBAC roles. Users with Azure RBAC permissions for Microsoft Sentinel workspaces can run KQL queries against those workspaces in the data lake tier. For more information on roles and permissions, see [Microsoft Sentinel data lake roles and permissions](../roles.md#roles-and-permissions-for-the-microsoft-sentinel-data-lake-preview).
3232

3333

3434
## Write KQL queries
3535

36-
Writing queries for the data lake is similar to writing queries in the advanced hunting experience. You can use the same KQL syntax and functions including. KQL supports machine learning functions and advanced analytics. The query editor provides a powerful interface for writing and running KQL queries, with features such as IntelliSense and autocomplete to help you write your queries efficiently. For a detailed overview of KQL syntax and functions, see [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/).
36+
Writing queries for the data lake is similar to writing queries in the advanced hunting experience. You can use the same KQL syntax and functions. KQL supports advanced analytics and machine learning functions. The query editor offers an interface for running KQL queries with features like IntelliSense and autocomplete to help you write efficiently. For a detailed overview of KQL syntax and functions, see [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/).
3737

3838

3939
## KQL queries in the Defender portal
4040

41-
Select **New query** to create a new query tab. Your last query in each tab is saved. Switch between tabs to work on multiple queries simultaneously.
41+
Select **New query** to create a new query tab. The last query in each tab is saved. Switch between tabs to work on multiple queries simultaneously.
4242

43-
:::image type="content" source="media/kql-queries/query-editor.png" alt-text="A screenshot showing the advanced hunting page in the Defender portal." lightbox="media/kql-queries/query-editor.png":::
43+
:::image type="content" source="media/kql-queries/query-editor.png" alt-text="Screenshot of the advanced hunting page in the Defender portal." lightbox="media/kql-queries/query-editor.png":::
4444

4545
### Select a workspace
4646

47-
Queries are run against a single workspace. Choose your workspace in the upper right corner of the query editor using the **Selected workspace** dropdown. The workspace you select determines the data available for querying. The *default* workspace contains data from Microsoft Entra, Microsoft 365, and Microsoft Resource Graph.
47+
Queries run against a single workspace. Select a workspace in the upper right corner of the query editor using the **Selected workspace** dropdown. The workspace you select determines the data available for querying. The **default** workspace contains data from Microsoft Entra, Microsoft 365, and Microsoft Resource Graph.
4848

4949
> [!NOTE]
5050
> The selected workspace applies to all query tabs in the query editor.
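Review bot: the rewritten alt-text still describes "the advanced hunting page in the Defender portal", but the image is `media/kql-queries/query-editor.png` and the section it sits in is "KQL queries in the Defender portal", which describes the data lake query editor; suggest "Screenshot of the KQL query editor in the Defender portal." Also, in the rewritten **KQL queries** paragraph, "The **Jobs** page lets you manage jobs. Enable, disable, edit, or delete jobs." reads as two fragments; consider "The **Jobs** page lets you enable, disable, edit, or delete jobs."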
@@ -108,8 +108,15 @@ external_table("microsoft.entra.id.AADRiskyUsers")
108108
+ `.show database`
109109

110110
+ Using out of the box or custom functions isn't supported in KQL queries against the data lake.
111+
111112
+ Calling external data via KQL query against the data lake isn't supported.
112-
+ `Ingestion_time()` function isn't supported on tables in data lake.
113+
114+
+ All KQL operators are supported except for the following:
115+
+ `adx()`
116+
+ `externaldata()`
117+
+ `arg()`
118+
+ `Ingestion_time()`
119+
113120

114121
[!INCLUDE [Service limits for KQL queries against the data lake](../includes/service-limits-kql-queries.md)]
115122

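Review bot: the new "All KQL operators are supported except for the following" list overlaps with the unchanged context lines kept directly above it: "Calling external data via KQL query against the data lake isn't supported." now duplicates the `externaldata()` item, and the removed "`Ingestion_time()` function isn't supported" sentence was moved into the list rather than consolidated with the surrounding bullets, so the same limitation is stated twice. Suggest dropping the standalone external data sentence so each limitation appears once. As in kql-jobs.md, `Ingestion_time()` should be lowercase `ingestion_time()`, and this list should use the same spelling of the externaldata item as the one in kql-jobs.md (`externaldata` vs `externaldata()`).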