You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/use-search-jobs-microsoft-sentinel/includes/2-hunt-search-job.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,32 +3,35 @@ One of the primary activities of a security team is to search logs for specific
3
3
In Microsoft Sentinel, you can search across long time periods in large datasets by using a search job. While you can run a search job on any type of log, search jobs are ideally suited to search archived logs. If you need to do a full investigation on archived data, you can restore that data into the hot cache to run high performing queries and analytics.
4
4
5
5
## Search large datasets
6
+
6
7
Use a search job when you start an investigation to find specific events in logs within a given time frame. You can search all your logs to find events that match your criteria and filter through the results.
7
8
8
9
Search in Microsoft Sentinel is built on top of search jobs. Search jobs are asynchronous queries that fetch records. The results are returned to a search table that's created in your Log Analytics workspace after you start the search job. The search job uses parallel processing to run the search across long time spans, in large datasets. So search jobs don't impact the workspace's performance or availability.
9
10
10
11
Search results remain in a search results table that has a ***_SRCH** suffix.
11
12
12
13
## Supported log types
14
+
13
15
Use search to find events in any of the following log types:
14
16
15
17
- Analytics logs
16
-
- Basic logs
18
+
- Basic logs
19
+
- Auxiliary logs
17
20
18
21
## Limitations of a search job
22
+
19
23
Before you start a search job, be aware of the following limitations:
20
24
21
25
- Optimized to query one table at a time.
22
26
- Search date range is up to one year.
23
-
- Supports long running searches up to a 24-hour time-out.
27
+
- Supports long running searches up to a 24-hour timeout.
24
28
- Results are limited to one million records in the record set.
25
29
- Concurrent execution is limited to five search jobs per workspace.
26
30
- Limited to 100 search results tables per workspace.
27
31
- Limited to 100 search job executions per day per workspace.
28
32
29
-
30
-
31
33
## Start a search job
34
+
32
35
Go to Search in Microsoft Sentinel to enter your search criteria.
33
36
34
37
1. In the Azure portal, go to Microsoft Sentinel and select the appropriate workspace.
@@ -60,6 +63,3 @@ View the status and results of your search job by going to the Saved Searches ta
60
63
1. To refine the list of results returned from the search table, edit the KQL query.
61
64
62
65
1. As you're reviewing your search job results, bookmark rows that contain information you find interesting so you can attach them to an incident or refer to them later.
0 commit comments