Microsoft Sentinel Search

Create Search

You can trigger a Search job with ‘create_search’. When calling this function, you can pass the following parameters:

• ‘query’: the KQL query to run for the search.

• ‘start’: the start time of the search. The default is 90 days ago.

• ‘end’: the end time of the search. The default is now.

• ‘search_name’: the name to give the search. The default is a random GUID.

• ‘timespan’: if not passing start and end times you can provide a TimeSpan object.

• ‘limit’: the max number of results to return, default is 1000.

See create_search

sentinel.create_search(query="SecurityEvent | where * contains 'infected.exe'", search_name="docssearch")

Check Search Status

Complex Searches can take some time to complete. You can check the status of a search job with check_search_status.

Pass the function a Search job name and it will display the current status. If the Search results are ready for querying it will return True, otherwise False.

sentinel.check_search_status("docssearch")

If this funciton returns True you can run queries against the KQL table with the Search name to see the results. Note the table name has ‘_SRCH’ appended to the name provider to create_search:

qry_prov.exec_query("docssearch_SRCH | take 10")

Delete a Search

Once a Search job is not longer useful you can delete it with delete_search. This deletes the table associated with the search.

sentinel.delete_search("docssearch")