merge main

Author: b-ahibbard

articles/sentinel/TOC.yml

@@ -16,6 +16,9 @@
     href: microsoft-sentinel-defender-portal.md
 - name: Data lake exploration
   items:  
+  - name: Compare KQL jobs, summary rules, and search jobs
+    href: datalake/kql-jobs-summary-rules-search-jobs.md
+    displayName: data lake
   - name: KQL for data lake exploration
     items:
     - name: Overview 

articles/sentinel/datalake/kql-jobs-summary-rules-search-jobs.md

@@ -0,0 +1,81 @@
+---  
+title: Compare KQL jobs, summary rules, and search jobs
+titleSuffix: Microsoft Security  
+description: Compare KQL jobs, summary rules, and search jobs in Microsoft Sentinel to choose the best tool for querying and analyzing security data.
+author: EdB-MSFT  
+ms.service: microsoft-sentinel  
+ms.topic: how-to
+ms.subservice: sentinel-graph
+ms.date: 08/19/2025
+ms.author: edbaynash  
+
+ms.collection: ms-security  
+
+# Customer intent: As a security analyst, I need to choose the right tool for querying and analyzing data in Microsoft Sentinel.
+
+---
+
+# Compare KQL jobs, summary rules, and search jobs
+
+This article compares KQL jobs, summary rules, and search jobs in Microsoft Sentinel. These features let you query and analyze data in Microsoft Sentinel, and each serves different purposes and use cases.
+
++ **KQL jobs**: Run one-time or scheduled asynchronous queries on data stored in the Microsoft Sentinel data lake. They're best for incident investigations using historical logs, enrichment using low-fidelity logs, and scenarios that need queries with joins or unions across multiple tables. For more information, see [KQL jobs](kql-jobs.md).
+
++ **Summary rules**: Run scheduled queries that aggregate and store insights from large sets of log data. They're ideal for frequent summarization tasks, like aggregating high-volume logs such as network insights. These rules run in the background and populate custom tables in Log Analytics. For more information, see [Summary rules](../summary-rules.md).
+
++ **Search jobs**: Run one-time, long-running asynchronous queries across large datasets. Search jobs are useful when you need to hydrate large volumes of data from a single table into a new custom table within the Analytics tier as a one-time operation for further investigation or forensic analysis. For more information, see [Search jobs](../search-jobs.md).
+
+## Feature comparison
+
+| Feature              | KQL Jobs                               | Summary Rules                      | Search jobs                      |
+|----------------------|----------------------------------------|------------------------------------|----------------------------------|
+| **Purpose**          | Run ad-hoc or scheduled queries for investigation and enrichment   | Aggregate and store insights from high-volume logs        | Run async queries on large datasets to store results in the analytics tier  |
+| **Data tier**        | Microsoft Sentinel data lake tier   | Analytics, auxiliary, basic, data lake (except for tables in the default workspace)       | Analytics, auxiliary, basic, data lake (except for tables in the default workspace) |     
+| **Workspace scope**  | Any Microsoft Sentinel workspace connected to Microsoft Defender | Any Microsoft Sentinel workspace connected to Microsoft Defender | Any Microsoft Sentinel workspace  |
+| **Table scope**      | Multiple tables                     | Multiple tables                                     | Single table                                                        |
+| **Query language**   | [KQL jobs supported operators](kql-jobs.md#considerations-and-limitations)   | KQL <br>All KQL operators supported except for:<br>•	[Cross-resource queries](/azure/azure-monitor/logs/cross-workspace-query) queries, which use the workspaces(), app(), and resource() expressions, and [cross-service queries](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy), which use the `ADX()` and `ARG()` expressions<br>• Plugins that reshape the data schema, including [bag](/kusto/query/bag-unpack-plugin) [unpack](/azure/data-explorer/kusto/query/bag-unpack-plugin), [narrow](/azure/data-explorer/kusto/query/narrow-plugin), and [pivot](/azure/data-explorer/kusto/query/pivot-plugin).<br>• User-defined functions aren't supported | [Limited KQL operators](/azure/azure-monitor/logs/search-jobs#kql-query-considerations)  |
+| **Join support**     | Supported                      | Analytics tier: supported<br>Basic: join up to five Analytics tables using [lookup](/azure/data-explorer/kusto/query/lookup-operator) operator   | Not supported |
+| **Scheduling frequency** | On-demand<br>Daily, weekly, monthly  | 20 minutes to 24 hours                                 | On-demand (long-running searches support up to a 24-hour timeout)  |
+| **Lookback period**  | Up to 12 years                           | Up to 1 day                                         | Up to 12 years                                                            |
+| **Timespan**         |  -                                       |      -                                              | Up to 1 year                                                              |
+| **Timeout**          | 1 hour                                   | 10 minutes                                          | 24 hours                                                            |
+| **Maximum number of results**|	Dependent on query timeout	|500,000 records	|1 million records
+| **Pricing model**    | GB of data analyzed                         | Analytics tier: free<br>Basic and auxiliary tier: Data scan Log Analytics pricing model | GB of data analyzed                |
+
+
+
+## Usage scenarios and feature choice
+
+The following section helps you decide which feature is best for your needs.
+
+If you have any of the following requirements, use KQL jobs:
+
++ You're onboarded to the Microsoft Sentinel data lake.
++ You require lookback greater than 24 hours.
++ You want to query historical data of up to 12 years.
++ You need to run complex queries involving full KQL operators including joins or unions.
++ You need ad-hoc investigation capabilities.
++ Data is in the default workspace.
+
+
+Use summary rules if you have any of the following requirements:
+
++ Your tenant isn't onboarded to Microsoft Sentinel data lake, and your data may still reside in Auxiliary or Basic tiers.
++ You need lookback within 24 hours.
++ You need frequent summarization (for example, every 20 minutes).
++ You want to use out-of-the-box templates.
+
+If you have any of the following requirements, use search jobs:
+
++ Your Microsoft Sentinel workspace isn't connected to Defender portal and your data resides in Analytics or basic tiers.
++ You have data in archive tier. If you're onboarded to Microsoft Sentinel data lake, to access data older than your onboarding date, use search jobs. For data from your onboarding date onward, use KQL jobs.
++ You need to hydrate large volumes of data from a single table. 
++ Your use case involves targeted extraction rather than frequent summarization or complex multi-table joins.
++ You want to analyze up to one year of historical data within a table from any data tier.
+
+## Related articles
+
+- [KQL and the Microsoft Sentinel data lake (preview)](kql-overview.md)
+- [Jupyter notebooks and the Microsoft Sentinel data lake (preview)](notebooks-overview.md)
+- [Aggregate Microsoft Sentinel data with summary rules](../summary-rules.md)
+- [Search for specific events across large datasets in Microsoft Sentinel](../search-jobs.md)  

articles/sentinel/datalake/kql-jobs.md

@@ -17,20 +17,26 @@ ms.collection: ms-security
 
 
 #  Create KQL jobs in the Microsoft Sentinel data lake (preview)
- 
 
-A job is a one-time or repeatedly scheduled task that runs a KQL (Kusto Query Language) query against the data in the data lake tier to promote the results to the analytics tier. Once in the analytics tier, use the advanced hunting KQL editor to query the data. Promoting data to the analytics tier has the following benefits:
+KQL jobs are one-time or scheduled asynchronous KQL queries on data in the Microsoft Sentinel data lake. Jobs are useful for investigative and analytical scenarios for example; 
++ Long-running one-time queries for incident investigations and incident response (IR)
++ Data aggregation tasks that support enrichment workflows using low-fidelity logs
++ Historical threat intelligence (TI) matching scans for retrospective analysis
++ Anomaly detection scans that identify unusual patterns across multiple tables
 
-+ Combine current and historical data in the analytics tier to run advanced analytics and machine learning models on your data.
+KQL jobs are especially effective when queries use joins or unions across different datasets. 
 
+Jobs are also used to promote the data from the data lake tier to the analytics tier. Once in the analytics tier, use the advanced hunting KQL editor to query the data. Promoting data to the analytics tier has the following benefits:
+
++ Combine current and historical data in the analytics tier to run advanced analytics and machine learning models on your data.
 + Reduce query costs by running queries in the analytics tier.
 + Combine data from multiple workspaces to a single workspace in the analytics tier. 
 + Combine Microsoft Entra ID, Microsoft 365, and Microsoft Resource Graph data in the analytics tier to run advanced analytics across data sources.
 
 > [!NOTE] 
 > Storage in the analytics tier incurs higher billing rates than in the data lake tier. To reduce costs, only promote data that you need to analyze further. Use the KQL in your query to project only the columns you need, and filter the data to reduce the amount of data promoted to the analytics tier.  
 
-When promoting data to the analytics tier, make sure that the destination workspace is visible in the advanced hunting query editor. You can only query connected workspaces in the advanced hunting query editor. You will not be able to see data promoted to workspaces that aren't connected or to the default workspace in advance hunting. For more information on connected workspaces, see [Connect a workspace](/defender-xdr/advanced-hunting-microsoft-defender#connect-a-workspace). You can promote data to a new table or append the results to an existing table in the analytics tier. When creating a new table, the table name is suffixed with *_KQL_CL* to indicate that the table was created by a KQL job.  
+When promoting data to the analytics tier, make sure that the destination workspace is visible in the advanced hunting query editor. You can only query connected workspaces in the advanced hunting query editor. You won't be able to see data promoted to workspaces that aren't connected or to the default workspace in advance hunting. For more information on connected workspaces, see [Connect a workspace](/defender-xdr/advanced-hunting-microsoft-defender#connect-a-workspace). You can promote data to a new table or append the results to an existing table in the analytics tier. When creating a new table, the table name is suffixed with *_KQL_CL* to indicate that the table was created by a KQL job.  
 
 ## Prerequisites
 
@@ -151,7 +157,7 @@ The following standard columns aren't supported for export. These columns are ov
 + _IsBillable
 + _WorkspaceId
 
-+ `TimeGenerated` will be overwritten if it's older that 2 days. To preserve the original event time, we recommend writing the source timestamp to a separate column.
++ `TimeGenerated` is overwritten if it's older that 2 days. To preserve the original event time, we recommend writing the source timestamp to a separate column.
 
 For service limits, see [Microsoft Sentinel data lake (preview) service limits](sentinel-lake-service-limits.md#service-parameters-and-limits-for-kql-jobs).
 

articles/sentinel/datalake/sentinel-lake-connectors.md

@@ -10,6 +10,9 @@ ms.date: 07/09/2025
 ms.author: edbaynash  
 
 ms.collection: ms-security  
+
+# Customer intent: As a security admin, I want to set up connectors for Microsoft Sentinel data lake so that I can mirror and retain security data for long-term analysis.
+
 ---  
 
 # Set up connectors for the Microsoft Sentinel data lake (preview)