|
| 1 | +--- |
| 2 | +title: Run KQL queries on Microsoft Sentinel data lake using APIs |
| 3 | +titleSuffix: Microsoft Security |
| 4 | +description: Learn how to run KQL queries against the Microsoft Sentinel data lake programmatically using REST APIs. Enable automation, intelligent agents, and scalable analytics. |
| 5 | +author: EdB-MSFT |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.subservice: sentinel-platform |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 03/26/2026 |
| 10 | +ms.author: edbaynash |
| 11 | +ms.collection: ms-security |
| 12 | +--- |
| 13 | + |
| 14 | +# Run KQL queries on the Microsoft Sentinel data lake using APIs |
| 15 | + |
| 16 | +Microsoft Sentinel data lake supports running Kusto Query Language (KQL) queries programmatically by using REST APIs. This enables security teams and automation systems to retrieve analytical results without using the Azure portal or interactive query editors. |
| 17 | +This article explains when to use the API, required permissions, and how to submit a basic query request. |
| 18 | + |
| 19 | +## When to use the KQL query API |
| 20 | + |
| 21 | +The KQL query API is designed for system-to-system access scenarios, including: |
| 22 | +- Automation and orchestration workflows |
| 23 | +- Background services and scheduled jobs |
| 24 | +- Agent and security tools that require query results as input |
| 25 | +- Integration with external systems or agents |
| 26 | + |
| 27 | +For interactive investigation and ad-hoc analysis, run KQL queries from the Defender portal instead. |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | +## Authentication and permissions |
| 32 | + |
| 33 | +You can authenticate to the Sentinel data lake API by using either: |
| 34 | +- A service principal |
| 35 | +- A user access token |
| 36 | + |
| 37 | +> [!NOTE] |
| 38 | +> Using a service principal currently Entra ID roles and Microsoft Defender XDR unified RBAC roles aren't supported for querying the Sentinel data lake through this API. |
| 39 | +
|
| 40 | +## Calling the API |
| 41 | + |
| 42 | +**API endpoint** |
| 43 | + |
| 44 | +All KQL queries are submitted by using the following REST endpoint: |
| 45 | + |
| 46 | +`POST https://api.securityplatform.microsoft.com/lake/kql/v2/rest/query` |
| 47 | + |
| 48 | +**Request body format** |
| 49 | + |
| 50 | +A query request consists of: |
| 51 | + |
| 52 | +- The KQL query |
| 53 | +- The target workspace, specified as workspaceName-workspaceId |
| 54 | + |
| 55 | +**Payload parameters** |
| 56 | + |
| 57 | +|Field|Description| |
| 58 | +|-----|-----------| |
| 59 | +|csl|The KQL query to execute| |
| 60 | +|db|The Sentinel workspace name and workspace ID| |
| 61 | + |
| 62 | +Sample payload: |
| 63 | + |
| 64 | +```json |
| 65 | +{ |
| 66 | +"csl": "SigninLogs | take 10", |
| 67 | +"db": "workspace1-12345678-abcd-abcd-1234-1234567890ab" |
| 68 | +} |
| 69 | +``` |
| 70 | + |
| 71 | +**Submitting the request** |
| 72 | + |
| 73 | +The request must include an OAuth 2.0 bearer token in the Authorization header. |
| 74 | + |
| 75 | +```http |
| 76 | +Authorization: Bearer <access_token> |
| 77 | +Content-Type: application/json |
| 78 | +``` |
| 79 | + |
| 80 | +The API returns query results in a structured JSON format that can be processed by automation workflows or applications. |
| 81 | + |
| 82 | +### Optional query settings |
| 83 | + |
| 84 | +You can include additional execution options in the request payload, such as: |
| 85 | + |
| 86 | +- Server timeout |
| 87 | +- Query consistency |
| 88 | +- Read-only enforcement |
| 89 | + |
| 90 | +These options are useful when running queries in automated or high-scale environments. |
| 91 | + |
| 92 | +sample payload: |
| 93 | +```json |
| 94 | +{ |
| 95 | + "csl": "SigninLogs | take 10", |
| 96 | + "db": "workspace1-12345678-abcd-abcd-1234-1234567890ab", |
| 97 | + "properties": { |
| 98 | + "Options": { |
| 99 | + "servertimeout": "00:04:00", |
| 100 | + "queryconsistency": "strongconsistency", |
| 101 | + "query_language": "kql", |
| 102 | + "request_readonly": False, |
| 103 | + "request_readonly_hardline": False |
| 104 | + } |
| 105 | + } |
| 106 | +``` |
| 107 | + |
| 108 | +## Service limits and considerations |
| 109 | + |
| 110 | +Query execution is subject to time and result size limits. For current limits, see: [Microsoft Sentinel data lake service limits](sentinel-lake-service-limits.md) |
| 111 | + |
| 112 | + |
| 113 | +## Related content |
| 114 | + |
| 115 | +- [Run KQL queries on the Microsoft Sentinel data lake](kql-queries.md) |
| 116 | +- [Microsoft Sentinel data lake overview](sentinel-lake-overview.md) |
| 117 | +- [Onboarding to Microsoft Sentinel data lake](sentinel-lake-onboarding.md) |
| 118 | +- [Microsoft Sentinel data lake service limits](sentinel-lake-service-limits.md) |
| 119 | +- [Create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal) |
| 120 | +- [Microsoft Authentication Library (MSAL) overview](/entra/identity-platform/msal-overview) |
| 121 | +- [Acquire and cache tokens with Microsoft Authentication Library](/entra/identity-platform/msal-acquire-cache-tokens) |
0 commit comments