
Task 02: Create a recurring operational job

Introduction

Recurring KQL jobs continuously process incoming telemetry for near-real-time analytics or dashboard metrics.

Description

You’ll schedule a recurring job that aggregates SecurityAlert data by severity every 15 minutes.

Success criteria

  • A recurring KQL job named QuarterHourly_Alert_Trend is created and active.
  • The job runs automatically every 15 minutes.
  • Output table AlertSummary_15m_KQL_CL is populated and queryable.

Key steps:

  1. Open the KQL job wizard and create a new job with the following details:

    1. In the Defender portal, go to Microsoft Sentinel > Data Lake exploration > KQL queries.
    2. In the upper right of the query editor, select Create job.
    3. On the Name & details page, enter the following and select Next:

      Item                    Value
      Job name                QuarterHourly_Alert_Trend
      Description             15-minute recurring alert trend by severity
      Destination workspace   law-sentinel-xdr-lab
      New table name          AlertSummary_15m_KQL_CL
    4. On the Query page, enter the following query, validate it, and select Next:

       SecurityAlert
       | where TimeGenerated > ago(64h)
       | extend Severity = tostring(column_ifexists("Severity", "Unknown"))
       | summarize Alerts = count() by bin(TimeGenerated, 15m), Severity
       | order by TimeGenerated desc

    5. On the Schedule page, configure the schedule and limits.

      • Set Job frequency to Scheduled.
      • Under Schedule interval, configure:
        • Run every: 15 minutes
        • Start time: Next quarter-hour mark
      • Review the schedule summary. Note: the schedule summary confirms that the job runs every 15 minutes.

    6. Select Next.

    7. Verify the details and select Submit.

      • Job name: QuarterHourly_Alert_Trend
      • Destination table: AlertSummary_15m_KQL_CL
      • Workspace: law-sentinel-xdr-lab1
      • Frequency: Every 15 minutes
      • Query: Your validated KQL
    8. Select Done.

  2. Verify recurring job execution.

    1. In the Defender portal, go to Microsoft Sentinel > Data Lake exploration > Jobs.
    2. Confirm metrics such as Total jobs, Enabled jobs, and Completed.
    3. Verify that QuarterHourly_Alert_Trend shows a status of Succeeded after 15 minutes.

    4. To view history, open the job pane and select View history.

  3. Explore the job output.

    1. In the Defender portal, go to Microsoft Sentinel > Data Lake exploration > KQL queries.

    2. Run the following query:

       AlertSummary_15m_KQL_CL
       | where TimeGenerated > ago(24h)
       | summarize TotalAlerts = sum(Alerts) by Severity
       | render barchart
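As an added health check that is not part of the lab, the following KQL lists the 15-minute bins in the last 24 hours for which AlertSummary_15m_KQL_CL holds no row, so that a stalled schedule is visible without paging through the job history. It assumes the table carries the TimeGenerated and Alerts columns produced by the job's query above, and that successive runs may rewrite overlapping bins.

```kusto
// Added example, not part of the lab: find 15-minute bins with no output row.
// Assumes AlertSummary_15m_KQL_CL has the TimeGenerated and Alerts columns
// written by the QuarterHourly_Alert_Trend job.
let lookback = 24h;
// Every quarter-hour mark the job should have produced by now.
let expectedBins = range TimeGenerated from bin(ago(lookback), 15m) to bin(now(), 15m) step 15m;
// Bins the table actually contains. Each run looks back 64h, so the same bin
// can be written more than once; collapse duplicates to one row per bin.
let observedBins =
    AlertSummary_15m_KQL_CL
    | where TimeGenerated > ago(lookback)
    | summarize Alerts = max(Alerts) by TimeGenerated;
// Keep only expected bins that have no matching row in the table.
expectedBins
| join kind=leftanti observedBins on TimeGenerated
| project MissingBin = TimeGenerated
| order by MissingBin asc
```

A missing bin means either that no SecurityAlert rows fell in that window or that the scheduled run that should have written it did not complete; compare the result against View history on the job before treating it as a failure.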