The Definitive Guide to KQL: LAdemo

Question

Trying to follow sample data and queries on Log Analytics Demo at aka.ms//LAdemo from the book "The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting". Running into problem with queries for Signinlogs where there are no Signinlogs like in the examples. Tried changing Time range to 7 days and more, same result. Example query is:

SigninLogs

| take 5

Also noticed some data missing when running query:

search "deviceinfo"

| distinct $table

Only get AVSSyslog

Answer 1

Ensure that your environment is indeed generating SigninLogs. These logs come from Microsoft Entra ID and require the sign-in logs to be sent to your Log Analytics workspace. For details, refer to https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins

If the query you're running:

search "deviceinfo"
| distinct $table

returns only AVSSyslog, this suggests that the deviceinfo data might be limited or located in specific tables that aren't currently active in your environment.

Device-related information (like device metadata) can come from different sources, including Windows Event Logs, Syslog, or Microsoft Defender for Cloud data. In your case, it looks like AVSSyslog is the only table showing up with references to deviceinfo.

Try running the following query to see all the tables in your workspace:

  .show tables

This will give you an overview of what tables are actually available. If you don't see other tables that should contain device information (e.g., DeviceInfo, Heartbeat, etc.), check if your data sources are configured correctly and whether the relevant logs are being sent to the workspace.

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin