Getting started with Yandex SIEM
Written by
Updated at April 27, 2026
Note
This feature is in the Preview stage. To get access, contact tech support or your account manager.
In this tutorial, you will create an investigation and run your first KQL (Kusto Query Language) query.
Getting started
The Yandex SIEM section will appear in the Cloud Center interface as a Security Deck module after the access request is approved.
You need the ycem.editor role to use the service.
Create an investigation
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to the Investigations tab.
- Click New investigation.
- Enter a name for your investigation, e.g.,
Failed login analysis. - Under Description, add a description:
Searching for failed console login attempts within the last 30 minutes.
Create a query
-
In the query editor, enter the following KQL query:
Events | project event_class, ['time'] | limit 1This query:
- Selects events from the
Eventstable. - Displays the
event_classandtimefields. - Limits the result to a single entry.
- Selects events from the
-
Set the time period to Last 30 minutes.
-
Click the query run button.
Analyze the results
After the query is completed, the results are displayed in a table with the following fields:
event_class: Event class.time: Event time.
This is an example of a simple query which checks service performance. For more complex analysis, use additional queries and filters.
What's next
- Learn more about investigations and queries.
- Learn how to manage investigations.
- Explore working with queries.
- Review the KQL reference.