Performing Kusto and log queries
Sentinel stores its data in a Log Analytics workspace, which is essentially a database, and we analyze that data with the Kusto Query Language (KQL). KQL is a read-only request language: it serves the same purpose as SQL, but uses a pipe-based syntax, and a query can read data but never modify it.
Kusto has a simple syntax: you start by naming the table (the data source) you want to search, then pipe the results through operators that filter rows and include or exclude columns. Which filters make sense depends on the data source, because each table exposes a different set of attributes.
So far, we have collected data in the SecurityEvent table, which contains the attributes listed here: https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/securityevent. Note that every table exposes a different set of attributes, and which tables are populated depends on which data connectors have been enabled and configured.
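The following query is an added example, written for this section and not taken from the book, showing the pattern just described against the SecurityEvent table: name the table, filter rows with where, shape the columns with summarize and project. It looks for accounts with repeated failed logons (Windows Event ID 4625) over the last 24 hours; the 24h window and the threshold of 10 failures are assumptions chosen for illustration, not values the book prescribes.

```kusto
// Added example: repeated failed logons per account and source IP in the last 24 hours.
SecurityEvent
| where TimeGenerated > ago(24h)              // row filter: time window
| where EventID == 4625                       // row filter: failed logon events only
| where Account !endswith "$"                 // exclude machine accounts
| where Account !has "ANONYMOUS LOGON"        // exclude anonymous logons
| summarize FailedLogons = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            TargetComputers = make_set(Computer)
    by Account, IpAddress, LogonType
| where FailedLogons >= 10                    // assumed threshold for this illustration
| project Account, IpAddress, LogonType, FailedLogons, FirstSeen, LastSeen, TargetComputers
| order by FailedLogons desc
```

The where operators decide which rows survive; summarize collapses them into one row per Account, IpAddress and LogonType; project is the step that includes only the attributes we want (project-away does the reverse, dropping named columns and keeping the rest). Because the query is read-only, running it with the wrong filters costs nothing but time, so it is normal to widen or narrow the where clauses iteratively while investigating.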
Note
By default, all data stored in the workspace is read-only, so you cannot modify or delete records from the workspace through the UI or through a query. However, there is a Purge API that allows you to delete certain entries...