Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data

Here’s a quick tip, but also a solid superpower you can unleash today.

I regularly get asked by Azure Sentinel customers how to find out which columns are available to query in a given data table. There are a couple of ways to do this in the UI itself.

When you hover your mouse cursor over the table you want information on, an eye icon appears; selecting it opens an information panel for that table. This panel provides a Preview data option (a sampling of live data from the table) and a Learn more option that links directly to our docs platform for that specific data table.

Get a data sample and table information

(Unfortunately, the Learn more option is still under construction, btw. Sorry about that.)

You can also just kick off a query against the table itself and either (1) export all columns to a CSV and review the schema there, or (2) laboriously sift through the columns in the Columns drop-down of the results pane.

Other methods to get schema information

The Holy Grail

But what if you could do this with a KQL query? Do you know about the getschema operator for KQL?

getschema is a powerful and useful operator for KQL.

OfficeActivity
| getschema

Pipe a table into it and the table's schema is returned as ordinary query results (shown in the next image): one row per column, with the column name (ColumnName), its position (ColumnOrdinal), the underlying .NET data type (DataType) and the KQL type you actually work with in queries (ColumnType, such as string, datetime or dynamic).

Schema information using KQL
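Because getschema accepts any tabular expression, not only a bare table name, you can also use it to check the shape of a query's output before wiring that query into an analytics rule or workbook. The following query is an added example (not from the original post): it assumes the OfficeActivity table carries the TimeGenerated, UserId, Operation and ClientIP columns, narrows the schema to the columns whose KQL type matters most when writing detections, and then shows the schema of a summarized result rather than of the raw table.

```kql
// Added example. Assumes OfficeActivity exposes TimeGenerated, UserId,
// Operation and ClientIP, as in a typical Azure Sentinel workspace.

// 1) Raw table schema, reduced to the fields a detection author cares about.
//    dynamic columns need parse_json()/property access, datetime columns need
//    ago()/between() rather than string comparisons, so flag those up front.
OfficeActivity
| getschema
| project ColumnOrdinal, ColumnName, ColumnType
| where ColumnType in ("dynamic", "datetime")
| order by ColumnOrdinal asc

// 2) Schema of a transformed query. getschema runs on the output of the
//    pipeline above it, so the result lists the summarize output columns
//    (UserId, Operation, EventCount, FirstSeen, LastSeen, SourceIPs) and their
//    types, which is what an analytics rule built on this query would see.
OfficeActivity
| where TimeGenerated > ago(1d)
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SourceIPs = make_set(tostring(ClientIP))
        by UserId, Operation
| getschema
```

Run the two statements separately in the Logs blade (select each one before running). In the second result you should see SourceIPs reported as dynamic and FirstSeen/LastSeen as datetime, which tells you how to filter or map those fields in an entity mapping without having to sample live data first.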

Give it a try and let me know what you think.

With great power comes great responsibility

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
