Search Jobs in Microsoft Sentinel enable you to search across long time spans in large datasets by using an asynchronous query that fetches records from your logs. You can use a search job when you start an investigation to find specific events that match your criteria and filter through the results. You can also use the KQL search operator to refine your query and preview the results before starting the search job. The results of the search job are stored in a new table that you can view, filter, bookmark, and add to an incident. Search jobs are useful for hunting for threats and anomalies in logs up to seven years ago.
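To make the workflow concrete, here is an added KQL example that is not from the original post. It assumes the standard SecurityEvent table, a constructed placeholder host name, and an assumed search-job name (FailedLogons), from which the results table name FailedLogons_SRCH is derived. The first query is the one you would submit as the search job, the second uses the search operator to preview whether the term appears before committing to the long-running job, and the third runs against the results table once the job finishes.

```kql
// Added example (not from the original post): search-job query over the
// SecurityEvent table hunting for failed logons (EventID 4625) on one host.
// The host name is a constructed placeholder. Search jobs accept only a
// subset of KQL (where, extend, project, parse and similar), so keep this
// query to filtering and column shaping and do the aggregation afterwards.
SecurityEvent
| where EventID == 4625
| where Computer == "WS-FINANCE-07"        // hypothetical host, placeholder
| project TimeGenerated, Computer, Account, IpAddress, LogonType

// Preview in the normal Logs blade first: does the term appear at all in the
// chosen time range? This runs interactively, not as a search job.
search in (SecurityEvent) "WS-FINANCE-07"
| summarize count() by $table

// When the job completes, its results are stored in a new table named after
// the job with the _SRCH suffix (job name assumed here: FailedLogons).
// The full KQL operator set is available against that table.
FailedLogons_SRCH
| summarize Attempts = count(), Accounts = make_set(Account) by IpAddress
| where Attempts > 20
| order by Attempts desc
```

Rows from the results table can then be bookmarked or added to an incident as the paragraph above describes; keeping the job query narrow and aggregating on the _SRCH table afterwards is what makes a multi-year search affordable.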
It’s important and valuable enough that it has its very own section in the list of Microsoft Sentinel menu blades.
But did you know you can turn a standard KQL query session in the logs blade into a Search Job?
On the top, right-hand side of the screen in the Logs blade for Microsoft Sentinel, click or tap the ellipsis (three dots) in the horizontal menu and toggle the switch to enable Search Job mode.
Once enabled, the Run button turns into a Search Job button.
This should save you a couple of clicks.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]