Azure Sentinel | Enterprise Guide | English (2024)

FAQs

What query language does Azure Sentinel use? ›

KQL is the query language used to perform analysis on data to create analytics, workbooks, and perform hunting in Microsoft Sentinel. Learn how basic KQL statement structure provides the foundation to build more complex statements.

Querying in Microsoft Sentinel requires knowledge of the Kusto Query Language (KQL). Here is a great tutorial from Microsoft on the basics of how to get started with KQL.

But there are some key differences that might factor into your decision-making: Microsoft Sentinel is generally rated as being easier to use, set up, and administrate. Splunk generally gets better ratings for quality of support and ease of doing business.

The most obvious difference is their approach: Microsoft Sentinel takes a more comprehensive, holistic approach to security, while SentinelOne focuses more on your endpoints. Microsoft Sentinel specialises in threat intelligence, monitoring, and incident analysis.

KQL is a beautifully simple query language to learn.

Microsoft Sentinel's security analytics data is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data analyzed in Microsoft Sentinel and stored in the Log Analytics workspace. The cost of both is combined in a simplified pricing tier.

C#: C# is a popular programming language used for developing applications on the . NET framework. It is widely supported by Azure services and is commonly used for writing Azure DevOps pipelines, custom build tasks, and automation scripts.

You can host your whole application on the Azure platform or enhance on-premises applications with Azure services. Microsoft Azure supports today's most widely used programming languages such as Python, Java, JavaScript, . NET and Go.

Azure Sentinel is a Microsoft cloud-native security SIEM (Security Information and Event Manager) and SOAR (Security Orchestration Automated Response) product.

Who uses Azure Sentinel? ›

Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Threat intelligence: Both SentinelOne and CrowdStrike provide threat intelligence services, but CrowdStrike's Falcon Intelligence module offers more comprehensive, actionable intelligence feeds, reports, and API access.

Automated Threat Detection and Response

Microsoft Azure Sentinel helps you detect and respond to threats automatically with its playbook feature and integration with Azure Logic Apps. The cloud-native SIEM solution makes an incident whenever an alert is triggered.

Supercharge your cyberthreat protection with a unified platform. and disrupt cyberthreats in near real time, streamline investigation and response, and provide guided recommendations to help prevent repeat and future cyberattacks. Microsoft Sentinel is a cloud-native SIEM tool.

It is very similar to SQL with a sequence of statements, where the statements are modeled as a flow of tabular data output from the previous statement to the next statement. These statements are concatenated with a pipe (|) character.

The query language used within Microsoft Sentinel is called Kusto Query Language (KQL).

Click on the + sign to “Add an action”. Type run query in the search box and select “Run query and list results” in the “Azure Monitor Logs” section. In the Parameters section, input all the data that refers to your Azure environment. You input your KQL query in the Query box.

Kusto Query Language, or KQL, is a read-only request language used to write queries for Azure Data Explorer (ADX), Azure Monitor Log Analytics, Azure Sentinel, and more. The request is stated in plain text, using a data-flow model that is easy to read, author, and automate.