Here’s a quick tip, but also a solid superpower you can unleash today.
I regularly get asked by Azure Sentinel customers about “how to know” the columns that are available to query against in the data tables. We have a couple methods to do this in the UI itself.
When you hover your mouse cursor over the specific table you want information on, an eyeball appears and then another information panel will display. This panel provides a Preview data option (which gives a data sampling to show live data), and there’s a Learn more option which links directly to our docs platform for that specific data table.
(Unfortunately, the Learn more option is still under construction, btw. Sorry about that.)
You can also just kick off a query against the table itself and either (1) export all columns to a CSV and review the schema there, or (2) laboriously sift through the other columns in the Columns drop-down.
The Holy Grail
But what if you could do this with a KQL query? Do you know about the getschema operator for KQL?
getschema is a powerful and useful operator for KQL.
OfficeActivity | getschema
Simply use it against a table and all schema information about that table displays in the query results window (shown in the next image).
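Because getschema returns an ordinary result set (ColumnName, ColumnOrdinal, DataType, ColumnType), you can query it like any other table. As an added example that is not from the original post, the query below uses it as a pre-flight check for a detection rule: the list of column names and types the rule is expected to rely on is an assumption for illustration, and the output is any expected column that OfficeActivity does not expose or exposes with a different type.

```kusto
// Added example, not from the original post.
// Pre-flight schema check for an analytic rule that reads OfficeActivity.
// The expected column list below is assumed for illustration; replace it with
// the columns your own rule actually references.
let ExpectedColumns = datatable(ColumnName:string, ExpectedType:string)
[
    "UserId",       "string",
    "Operation",    "string",
    "ClientIP",     "string",
    "ResultStatus", "string"
];
// Live schema of the table, reduced to the two fields we compare against
let LiveSchema = OfficeActivity
    | getschema
    | project ColumnName, ColumnType;
// Expected columns with no match in the live schema (leftanti keeps only unmatched left rows)
let Missing = ExpectedColumns
    | join kind=leftanti LiveSchema on ColumnName
    | extend Problem = "column not present in table";
// Expected columns that exist but carry a type the rule did not anticipate
let TypeMismatch = ExpectedColumns
    | join kind=inner LiveSchema on ColumnName
    | where ExpectedType != ColumnType
    | extend Problem = strcat("type is ", ColumnType, ", rule expects ", ExpectedType);
union Missing, TypeMismatch
| project ColumnName, Problem
| order by ColumnName asc
```

An empty result means every column the rule depends on is present with the expected type; any row is a schema drift to fix before the rule is enabled.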
Give it a try and let me know what you think.
With great power comes great responsibility
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
One thought on “Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data”