Edit

Search across long time spans in large datasets

  • Article
  • Applies to:
    Microsoft Sentinel in the Azure portal, Microsoft Sentinel in the Microsoft Defender portal

Use a search job when you start an investigation to find specific events in logs up to seven years ago. You can search events across all your logs, including events in Analytics, Basic, and Archived log plans. Filter and look for events that match your criteria.

Important

Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Start a search job

Go to Search in Microsoft Sentinel from the Azure portal or the Microsoft Defender portal to enter your search criteria. Depending on the size of the target dataset, search times vary. While most search jobs take a few minutes to complete, searches across massive data sets that run up to 24 hours are also supported.

  1. For Microsoft Sentinel in the Azure portal, under General, select Search.
    For Microsoft Sentinel in the Defender portal, select Microsoft Sentinel > Search.

  2. Select the Table menu and choose a table for your search.

  3. In the Search box, enter a search term.

  4. Select the Start to open the advanced Kusto Query Language (KQL) editor and preview of the results for a set time range.

  5. Change the KQL query as needed and select Run to get an updated preview of the search results.

    Screenshot of KQL editor with revised search.

  6. When you're satisfied with the query and the search results preview, select the ellipses ... and toggle Search job mode on.

    Screenshot of KQL editor with revised search with ellipsis highlighted for Search job mode.

  7. Select the appropriate Time range.

  8. Resolve any KQL issues indicated by a squiggly red line in the editor.

  9. When you're ready to start the search job, select Search job.

  10. Enter a new table name to store the search job results.

  11. Select Run a search job.

  12. Wait for the notification Search job is done to view the results.

View search job results

View the status and results of your search job by going to the Saved Searches tab.

  1. In Microsoft Sentinel, select Search > Saved Searches.

  2. On the search card, select View search results.

    Screenshot that shows the link to view search results at the bottom of the search job card.

    By default, you see all the results that match your original search criteria.

  3. To refine the list of results returned from the search table, select Add filter.

  4. As you're reviewing your search job results, select Add bookmark, or select the bookmark icon to preserve a row. Adding a bookmark allows you to tag events, add notes, and attach these events to an incident for later reference.

    Screenshot that shows search job results with a bookmark in the process of being added.

  5. Select the Columns button and select the checkbox next to columns you'd like to add to the results view.

  6. Add the Bookmarked filter to only show preserved entries.

  7. Select View all bookmarks to go the Hunting page where you can add a bookmark to an existing incident.

Next steps

To learn more, see the following articles.