Blog Post

Microsoft Sentinel Blog
5 MIN READ

Azure Sentinel correlation rules: the join KQL operator

Ofer_Shezaf's avatar
Ofer_Shezaf
Icon for Microsoft rankMicrosoft
Dec 04, 2019
In the SIEM world, rules are often called correlation rules. While this is not always the case, and therefore I prefer the term detection rules, it conveys the importance of correlation for SIEM. Wha...
Updated Dec 29, 2020
Version 8.0
detection
Query
GaryBushey's avatar
GaryBushey
Bronze Contributor
Dec 05, 2019

I think in the line "By setting the If the join and additional conditions return results, an alert is triggered. ", the first 3 words should not be there.  This is in the 3rd paragraph under the Correlating using Joins header