This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 95%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Azure Sentinel changed about a month ago the Log page GUI. It added a default Simple Mode, which does not seem to allow to enter KQL query by typing. The KQL mode, much more practical, needs to be selected over and over in the right side of the screen. Is there a way to go directly to KQL mode of the Log page?
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 70%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
I am also having the same problem, we can't be alone. When I'm flying through a few incidents there is nothing more infuriating than having to select "KQL Mode" in Sentinel as if the "Simple Mode" makes anything quicker. I hate it.
Answer accepted by question author
Just figured it out, go to the LAW window, click the three dots near where it says "Simple Mode" or "KQL Mode" and select the "Log Analytics Settings", in there you can set default mode to show KQL mode without selecting each time!
Right on the target, Cam C: changing Log Analytics Settings to KQL mode works and is persistent. Thank you!
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more