Example Microsoft Azure Sentinel queries

You can query Sophos Cloud Optix data in Microsoft Azure Sentinel.

When Microsoft Azure Sentinel integration is turned on, events appear in your Microsoft Azure portal, in the overview section of your Sentinel workspace. You can use Kusto Query Language (KQL) in Sentinel to find relevant events from Sophos Cloud Optix.

Click your log type, which you added while configuring Sentinel integration. The default is SophosCloudOptix_CL. A blank query opens in the query editor. The _CL suffix marks a custom log table, and each of its columns carries a suffix for the data type (_s for a string, _d for a number, _b for a boolean, _t for a datetime), which is why the queries below refer to severity_s rather than severity.

Enter queries into the editor. They begin with a table name or a search command.

The pipe (|) character separates commands, and the output of each command becomes the input of the next. You can chain any number of commands in a single query.

Table 1. Examples of Microsoft Azure Sentinel queries

Query objective: Get all records for the last 7 days.
Example query:
SophosCloudOptix_CL | where TimeGenerated > ago(7d)

Query objective: Get all records for the last 7 days, limiting the results to 100.
Example query:
SophosCloudOptix_CL | where TimeGenerated > ago(7d) | limit 100

Query objective: Search for "Azure spend" in any of the event properties in the last 7 days.
Example query:
SophosCloudOptix_CL | where TimeGenerated > ago(7d) | search "Azure spend"

Query objective: Search for "Azure spend" in any event properties in the last 7 days, and view the top 5 results, sorted in descending order by the firstSeen_s column.
Example query:
SophosCloudOptix_CL | where TimeGenerated > ago(7d) | search "Azure spend" | top 5 by firstSeen_s

Query objective: Search for all events raised in the last 7 days, related to a CIS policy, with HIGH severity.
Example query:
SophosCloudOptix_CL | where TimeGenerated > ago(7d) | where severity_s == 'HIGH' and policyTagName_s contains "cis"

Query objective: Search for all HIGH severity events in the last 15 days, and group them by account ID.
Example query:
SophosCloudOptix_CL | where TimeGenerated > ago(15d) | where severity_s == 'HIGH' | summarize count() by accountId_s

Query objective: Use project to get a customized table view. This example takes the 100 most recent records and returns only AlertID, Severity, AlertState, Account, and LastSeen, with LastSeen cut down to just the date.
Example query:
SophosCloudOptix_CL | top 100 by TimeGenerated | project alertId_s,severity_s,alertState_s,account=accountId_s,LastSeenDate=substring(lastSeen_s, 0, 10)

Two points to keep in mind when you adapt these queries. First, the == operator is case-sensitive, so severity_s == 'HIGH' does not match a value of High, whereas contains (and has) are case-insensitive; use =~ if you want a case-insensitive equality test. Second, firstSeen_s and lastSeen_s are strings, so top 5 by firstSeen_s and substring(lastSeen_s, 0, 10) only give the expected result when the timestamps share one fixed format such as ISO 8601; converting with todatetime() before sorting or comparing avoids that dependency.
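The following query is an added example, not taken from the Sophos documentation, that combines the techniques shown in the table into one triage query: it restricts to recent HIGH severity CIS alerts, converts the string timestamps with todatetime(), keeps only the latest record per alert with arg_max so that state changes are not double counted, and then rolls up the open alerts per cloud account and policy. The column names are the ones used on this page; the alertState_s value "OPEN" and the ISO 8601 format of firstSeen_s and lastSeen_s are assumptions that you should check against your own data (for example with SophosCloudOptix_CL | distinct alertState_s).

```kql
// Added example (not from the Sophos documentation): open HIGH-severity CIS alerts
// from the last 24 hours, deduplicated per alert and rolled up per cloud account.
// Column names follow the examples on this page; the alertState_s value "OPEN"
// and the ISO 8601 format of firstSeen_s / lastSeen_s are assumptions to verify
// against your own data.
SophosCloudOptix_CL
| where TimeGenerated > ago(24h)
| where severity_s =~ "HIGH"            // =~ is case-insensitive equality; == is case-sensitive
| where policyTagName_s has "CIS"       // has matches a whole term, case-insensitively
| extend FirstSeen = todatetime(firstSeen_s), LastSeen = todatetime(lastSeen_s)
| where isnotnull(LastSeen)             // drop rows whose timestamp failed to parse
// keep only the most recent record per alert, so state changes are not double counted
| summarize arg_max(LastSeen, alertState_s, FirstSeen, severity_s) by alertId_s, accountId_s, policyTagName_s
| where alertState_s =~ "OPEN"          // assumed value; check with: distinct alertState_s
| summarize OpenAlerts = dcount(alertId_s),
            OldestFirstSeen = min(FirstSeen),
            LatestLastSeen = max(LastSeen)
          by accountId_s, policyTagName_s
| order by OpenAlerts desc
| take 20
```

Because the first summarize groups by alertId_s and keeps the row with the greatest LastSeen, an alert that was OPEN earlier in the window but has since been resolved is excluded; remove that step if you want a count of every record rather than of alerts in their current state.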