Microsoft Sentinel - Add note to table or function in KQL

jake stewart 0 Reputation points
2024-07-17T11:55:15.95+00:00

Hello

I was wondering if there is a way to attach a note to a specific table or function in KQL so that an analyst using the table will see it when they use it in a query?

I work for an MSSP providing managed Sentinel SIEM. Analysts will regularly create queries to investigate activity; however, some log sources may have some filtering applied, e.g. two servers regularly speaking to each other might have logs for certain ports filtered due to log volume.

In this example, if an analyst is unaware there is filtering in place either in Sentinel tables or at the log collector, they may mistakenly think the two servers are not communicating over a specific protocol. Being able to add a note specifying what logs are being filtered would be quite useful and would save time compared to checking documentation/logging config.

Is this currently a feature in Sentinel/KQL or is there something similar?

If not, I believe this would be a great addition for MSSPs; maybe an underline that provides more info when hovering over it, similar to the current red or purple underlines.

Thank you
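One way to make collector-side filtering visible from inside a query today, as an added example that is not part of the question or the answer: record the known filters as data (a `datatable` here; a Sentinel watchlist read with `_GetWatchlist()` would serve the same purpose) and join it against the traffic summary, so a host pair and port that is filtered shows up with its note instead of as a silent gap. The host names, ports, reasons and the sample traffic rows are constructed placeholders; `SampleTraffic` stands in for a real table such as `CommonSecurityLog`.

```kusto
// Added example (not from the post): known collector-side filtering recorded as data
// so an analyst can surface it from within a query. All values are constructed.
let KnownLogFilters = datatable(
        SourceHostName:string, DestinationHostName:string, DestinationPort:int, FilterNote:string)
[
    "srv-a.example.local", "srv-b.example.local", 5985,
        "WinRM traffic between these hosts is dropped at the log forwarder to reduce volume",
    "srv-a.example.local", "srv-b.example.local", 445,
        "SMB events for this pair are sampled at the collector; counts will be low"
];
// Constructed sample rows standing in for the real table (e.g. CommonSecurityLog).
let SampleTraffic = datatable(
        TimeGenerated:datetime, SourceHostName:string, DestinationHostName:string, DestinationPort:int)
[
    datetime(2024-07-17T10:00:00Z), "srv-a.example.local", "srv-b.example.local", 443,
    datetime(2024-07-17T10:05:00Z), "srv-a.example.local", "srv-c.example.local", 5985
];
// Summarise observed traffic per host pair and port, then attach the filter note.
// A fullouter join keeps filter rows that matched no events, so srv-a -> srv-b on 5985
// appears with EventCount 0 and its note rather than being absent from the results.
SampleTraffic
| summarize EventCount = count() by SourceHostName, DestinationHostName, DestinationPort
| join kind=fullouter KnownLogFilters on SourceHostName, DestinationHostName, DestinationPort
| project
    SourceHostName = coalesce(SourceHostName, SourceHostName1),
    DestinationHostName = coalesce(DestinationHostName, DestinationHostName1),
    DestinationPort = coalesce(DestinationPort, DestinationPort1),
    EventCount = coalesce(EventCount, 0),
    FilterNote = coalesce(FilterNote, "")
| order by SourceHostName asc, DestinationHostName asc, DestinationPort asc
```

KQL also accepts `//` line comments, so the same note can sit at the top of a saved function that wraps the filtered table; a comment is only seen by someone who opens the function body, whereas the lookup-table approach puts the caveat in the result set the analyst is already looking at.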


1 answer

  1. Clive Watson 7,006 Reputation points MVP
    2024-07-18T16:26:16.8466667+00:00
