Share via

Is there a way to perform the user lookup directly from KQL to AzureAD via API yet?

Pat Santidhanyaroj 20 Reputation points
2023-02-24T21:45:54.32+00:00

Hi all,

I have been reading many articles and still can't find the answer. I know we can do some simple things like fetch the table that has the user's information and join it to the one we want to enrich data on KQL.

However, I am thinking it would be better if we can just perform a user lookup in real-time through our Azure AD in the query. I am not sure this solution has been available via KQL yet. If anyone knows and shares it with me, that'd be very appreciated.

Thank you,

Pat

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,065 questions
0 comments
Accepted answer
  1. Clive Watson 5,951 Reputation points MVP
    2023-02-27T15:16:18.4766667+00:00

    This isn't a current capability. You have to first bring the data into a Table or use an existing Table (the Tables can be in another Workspace or even ADX).

    This is possible in a Azure Monitor or a Sentinel Workbook - you can call an API (using ARM) and MERGE the data with a KQL query.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest