The Basic Logs for Microsoft Sentinel KQL Limitations

In a recent post that caught a lot of attention, I outlined the do’s and don’ts for using the Basic Logs feature with Microsoft Sentinel.

See: When to Use and When NOT to Use Basic Logs with Microsoft Sentinel

One the limitations of Basic Logs is that it only supports a subset of the KQL operators, which means you won’t be able to utilize Basic Logs data for Analytics Rules and other necessary Microsoft Sentinel functions.

But some have asked, what exactly are the KQL limitations. Because the list of what’s NOT supported is pretty huge, it’s easier to show what is supported.

Here’s the list of KQL operators you can use with Basic Logs:

  • where
  • extend
  • project
  • project-away
  • project-keep
  • project-rename
  • project-reorder
  • parse
  • parse-where

As you can see, important things like join and union aren’t supported. But when you consider that Basic Logs are only stored for 8 days, this makes sense.

As I stated in the earlier post

When you need to surface and expose the data in those types of logs, it’s because you have identified that a critical situation already exists, and you need the data from those logs to confirm the suspicious activity and to add additional context to the investigation. 

Obviously, with anything we do even this will probably change over time, but the definitive list will always be in our Docs at: Query Basic Logs in Azure Monitor


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]


3 thoughts on “The Basic Logs for Microsoft Sentinel KQL Limitations

Leave a Reply