A job is a one-time or scheduled task that runs a KQL (Kusto Query Language) query against the data in the data lake tier to promote the results to the analytics tier. Jobs can be created in the KQL queries editor, or from the Jobs page under Microsoft Sentinel > Data lake exploration in the Microsoft Defender portal. For more information, see KQL jobs.
Jobs are managed in the Jobs page under Data lake exploration in the Defender portal for Microsoft Sentinel. The Jobs management page provides the following functions:
- View all jobs in the Microsoft Sentinel data lake. You can view jobs created in the KQL queries editor or jobs created for notebooks.
- Create a new job to run a KQL query. For more information on creating jobs, see Create jobs in the Microsoft Sentinel data lake using KQL.
- Edit job details. You can view but can't edit a notebook job from the jobs page. For more information on editing notebook jobs, see Notebook notebooks.
- Disable a job, preventing it from running until you enable it again.
- Enable a job, allowing it to run again after being disabled.
- View job history, including the run times and statuses of the job.
- Delete a job, removing it from the list of jobs. This action is permanent and can't be undone.
Permissions
Microsoft Entra ID roles provide broad access across all workspaces in the data lake. To read tables across all workspaces, write to the analytics tier, and schedule jobs using KQL queries, you must have one of the supported Microsoft Entra ID roles. For more information on roles and permissions, see Microsoft Sentinel data lake roles and permissions.
Manage jobs
The jobs page is found in the left navigation pane in the Defender portal under Data lake exploration in the Microsoft Sentinel menu.
The Jobs page shows a list of all your jobs, including the job name, status, and job type. The Job status column indicates whether the job is enabled or disabled. The Job type column indicates whether the job is a KQL query job or a notebook job.
To create a job, select Create new job. For more information on creating jobs, see Create jobs in the Microsoft Sentinel data lake using KQL.
Job details
To see a job's details, select the job from the table.
Select the Destination table link to open the table in the KQL query editor in Advanced hunting.
The query can be copied by selecting Copy query.
Edit a job
To edit a job, select Edit in the job details panel. The job details panel opens, allowing you to edit the following fields:
- Job description.
- KQL query. The query can be updated but must return the same output schema as the original query. For example, you can change the time range in the query, but you can't change the columns returned by the query.
- Job schedule. You can change the job to run once or on a schedule, or change the schedule.
Select Next to continue to the next screen.
After you edit the job, select Submit to save the changes. The job is updated and runs according to the new schedule or query.
Note
Editing a one-time job immediately triggers its execution.
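The same-schema rule for edited queries, shown as an added example that is not part of the original page: the edit changes the time range and adds a row filter, while a final `project` keeps the output columns identical. The `SigninLogs` table and the chosen columns are assumptions used for illustration.

```kql
// Added example. SigninLogs and the columns used here are assumed to exist
// in the workspace the job reads from.

// Original job query: failed sign-ins per user over the last day.
// The closing `project` fixes the output columns and their order.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| summarize FailedCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| project UserPrincipalName, FailedCount, DistinctIPs

// Edited query that keeps the same output schema: the time range is widened
// and a row filter is added, but the result still has exactly the columns
// UserPrincipalName, FailedCount, DistinctIPs.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != "0"
| summarize FailedCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where FailedCount >= 10
| project UserPrincipalName, FailedCount, DistinctIPs

// Edit that changes the output schema (adds the Location column), which is
// the kind of change the edit rule does not allow. Left commented out.
// SigninLogs
// | where TimeGenerated > ago(7d)
// | where ResultType != "0"
// | summarize FailedCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName, Location
// | project UserPrincipalName, Location, FailedCount, DistinctIPs
```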
View a job's run history
To view the history of a job, select View history in the job details panel. The job history panel opens, showing a list of job run times and statuses.
Enable or disable a job
To enable or disable a job, select Enable or Disable in the job details panel. When a job is disabled, it won't run until you enable it again. The status of the job changes to reflect whether it's enabled or disabled.
Delete a job
To delete a job, select Delete in the job details panel. A confirmation dialog appears, asking you to confirm the deletion. If you confirm, the job is permanently deleted and can't be recovered. You can't delete a running job.
Considerations and limitations
For information on considerations and limitations when managing KQL jobs in the Microsoft Sentinel data lake, see KQL jobs.