Forum Discussion
Help to write KQL for some of the use case
Hi Team,
Please help me to write a KQL for the below scenario. Log sources are (Palo Alto, Checkpoint, F5, Citrix, Akamai, Vectra, Oracle, Linux)
Use case - Source sending more events than usual
Description - This correlation search identifies source hosts sending more data than usual. The search runs against data from the last 7 days, and compares only the same hour of each of the last 7 days (this helps avoid alerts at the beginning of business hours). The threshold is the sum of the average events plus the standard deviation of the source times 3.
Use case - Unexpected Host Reporting events
Description - Discovers hosts that are reporting events but are not on the expected reporting host list in Sentinel. This rule is used to monitor hosts not expected.
Use case - New User Account Created on multiple Hosts
Description - Alerts when numerous new accounts are created for a username account on multiple hosts.
Note: All of the above use cases are deployed in Splunk and need to be migrated into Sentinel.
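Added example queries for the three use cases above, one KQL query per use case. These are not from the thread and not output of Microsoft's migration tooling; they are an editor's worked examples. Assumptions: the CEF sources (Palo Alto, Checkpoint, F5, Citrix, Akamai, Vectra) land in CommonSecurityLog and the Oracle/Linux hosts in Syslog, so the reporting host is taken from DeviceName (falling back to Computer) or Computer; the expected-host list is a Sentinel watchlist named ExpectedHosts with a HostName column; Windows account creation is Security event 4720 in SecurityEvent; Linux account creation is a useradd syslog line of the form "new user: name=..."; and the "multiple hosts" threshold is 3. Adjust these to your own tables and field mappings.

```kql
// Use case 1: source sending more events than usual.
// Compare the current hour against the same hour of the previous 7 days,
// threshold = avg + 3 * stdev (per host). Run as a scheduled rule every hour
// with a query lookback of at least 8 days.
let current_slot = bin(now(), 1h);
let target_hour  = hourofday(now());
let hourly =
    union isfuzzy=true
        (CommonSecurityLog
            | project TimeGenerated, HostName = iff(isempty(DeviceName), Computer, DeviceName)),
        (Syslog
            | project TimeGenerated, HostName = Computer)
    | where TimeGenerated >= current_slot - 7d and TimeGenerated < current_slot + 1h
    | where hourofday(TimeGenerated) == target_hour      // same hour of day only
    | summarize EventCount = count() by HostName, Slot = bin(TimeGenerated, 1h);
let baseline = hourly
    | where Slot < current_slot                           // the 7 previous days
    | summarize AvgEvents = avg(EventCount), SdevEvents = stdev(EventCount) by HostName;
hourly
| where Slot == current_slot                              // the hour being evaluated
| join kind=inner (baseline) on HostName
| extend Threshold = AvgEvents + 3 * SdevEvents
| where EventCount > Threshold
| project HostName, Slot, EventCount, AvgEvents, SdevEvents, Threshold

// Use case 2: host reporting events that is not on the expected-host list.
// Assumption: watchlist 'ExpectedHosts' with a HostName column.
let expected = _GetWatchlist('ExpectedHosts') | project HostName = tostring(HostName);
union isfuzzy=true
    (CommonSecurityLog
        | where TimeGenerated > ago(1h)
        | project TimeGenerated, HostName = iff(isempty(DeviceName), Computer, DeviceName)),
    (Syslog
        | where TimeGenerated > ago(1h)
        | project TimeGenerated, HostName = Computer)
| where isnotempty(HostName)
| join kind=leftanti (expected) on HostName               // keep only hosts NOT in the list
| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by HostName

// Use case 3: the same new account name created on multiple hosts within the hour.
// Assumptions: Windows = SecurityEvent 4720; Linux = useradd syslog line
// "new user: name=<account>, UID=..."; threshold of 3 distinct hosts.
let host_threshold = 3;
union isfuzzy=true
    (SecurityEvent
        | where TimeGenerated > ago(1h) and EventID == 4720
        | project TimeGenerated, HostName = Computer, NewAccount = TargetUserName, CreatedBy = SubjectUserName),
    (Syslog
        | where TimeGenerated > ago(1h) and ProcessName == "useradd" and SyslogMessage has "new user"
        | project TimeGenerated, HostName = Computer,
                  NewAccount = extract(@"name=([^,\s]+)", 1, SyslogMessage),
                  CreatedBy = "")
| where isnotempty(NewAccount)
| summarize HostCount = dcount(HostName), Hosts = make_set(HostName, 50),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by NewAccount
| where HostCount >= host_threshold
```

Two caveats worth knowing before these go live: in the first query a host that has no events in the baseline days simply has no baseline row (stdev over fewer than two samples is null), so it never alerts rather than alerting on everything; if you want "new host suddenly chatty" as well, that is what the second query is for. And a seven-sample standard deviation is noisy, so expect to tune the multiplier per source type (a Palo Alto firewall and an Oracle host have very different hourly variance).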
- jdom, Copper Contributor
Noted that all of the queries are deployed in Splunk and need to migrate to Sentinel; your best bet would be to utilize the SIEM migration tool, specifically the use case migrator: