
Logs

The Logs page is how you interact with the logs stored in the Sentinel/Log Analytics workspace.

The page itself is pretty basic. When you first open it, you will likely be shown a set of example queries that can be run as-is.

Once you close that, the tables available to you are listed on the left-hand side. Note that by default only tables that currently contain data are displayed; there is an option to show every table in your Log Analytics workspace if desired. Clicking on a table shows its schema, which is worth checking before writing a query, since column names and types are case-sensitive in KQL.

In the top center you will see the main actions: running your query, exporting the data a query returned, and switching to a simpler GUI query builder instead of writing KQL by hand.

Just below that you will see the actual query window where you will place your KQL.

At the very bottom you will see past queries you have run; once you run a query, this is also where its results are returned.

KQL

KQL has an interesting history, if I can ever find the story documented I will be sure to share it here!

Microsoft has increased its investment in and use of KQL extensively in the past few years. If you are not familiar with KQL and work in Microsoft environments, I would highly recommend learning it; it is even getting some usage outside the Microsoft ecosystem.

As someone who has worked extensively within Windows/Microsoft environments, I personally like to say KQL is SQL meets PowerShell. KQL itself is a query language, but its syntax and flow are more akin to a PowerShell pipeline.

In traditional SQL you might do something like this (the table name is SigninLogs, the actual name of the Azure AD sign-in table in Sentinel; note the lower-case i, since table names are case-sensitive):

SELECT TimeGenerated, UserPrincipalName, Location
FROM SigninLogs
WHERE Location <> 'US'

Where in KQL you would grab the same data like this (KQL's not-equal operator is !=):

SigninLogs
| where Location != 'US'
| project TimeGenerated, UserPrincipalName, Location

Like PowerShell, you start by choosing a data source, filter that data down, then select the columns you are interested in, as illustrated by this made-up PowerShell command (Get-SignInLogs is not a real cmdlet):

Get-SignInLogs | Where {$_.Location -ne 'US'} | Select TimeGenerated, UserPrincipalName, Location
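Carrying the same pipeline one step further, here is an added example that is not from the original page: the sign-in query extended to a question an analyst would actually ask, namely which users have successful sign-ins from more than one non-US country in the last seven days. The column names (TimeGenerated, ResultType, Location, UserPrincipalName) are the real SigninLogs schema; the 7-day window and the "more than one country" threshold are choices made for this example.

```kql
// Added example (not from the original page): successful non-US sign-ins
// over the last 7 days, rolled up per user. Each pipe stage narrows or
// reshapes the rows, exactly like a PowerShell pipeline.
SigninLogs
| where TimeGenerated > ago(7d)          // time filter first: it is the cheapest and cuts the scan
| where ResultType == "0"                // "0" = successful sign-in; ResultType is a string column
| where Location != "US"
| summarize
    SignIns   = count(),                 // number of successful sign-ins per user
    Countries = make_set(Location),      // distinct countries seen for this user
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName
| where array_length(Countries) > 1      // example threshold: users seen from more than one country
| sort by SignIns desc
| project UserPrincipalName, SignIns, Countries, FirstSeen, LastSeen
```

The order of the where stages matters in practice: put the TimeGenerated filter first so the engine scans the smallest slice of the table, then filter on cheap equality comparisons, and only then summarize. Compare ResultType as a string; it is stored as text in SigninLogs even though the values look numeric.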

KQL resources

I will add KQL resources here as I find them. Currently I have just one; it is great for thinking outside the box, but I did not find it to be a great initial training resource, as it does not give you solutions or queries to try.