Forum Discussion
Log Analytics vs. AML Jupyter Notebooks for log anomaly detection
NigelSt666: If you are already going to ingest the data into Microsoft Sentinel, using a scheduled rule that runs KQL would be the best overall solution. Some of the reasons include: A) KQL is designed to query the data in Microsoft Sentinel very quickly; if you are familiar with SQL, learning KQL will not be hard at all. B) It is easy to schedule the query to run (although the maximum amount of time is every 14 days). C) You can create a playbook to execute a workflow when the incident is created to perform specific tasks.
While you can do all of this in a Microsoft Sentinel notebook, keep in mind that there is some additional cost, since it is using a VM to perform the actions. It is also a bit harder, currently, to execute notebooks on a schedule. I would recommend notebooks if the data is not going to be stored in Microsoft Sentinel (which is something to consider: if you do not need to ingest the data, why do it?), as a notebook can easily access data outside of Microsoft Sentinel.
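As an added illustration of the scheduled-rule approach described in the reply above (this is example code, not part of the original thread or a Microsoft-provided rule), the following KQL detects anomalous spikes in failed sign-ins per user with the built-in `series_decompose_anomalies()` function. The `SigninLogs` table, the 14-day lookback, the 1-hour bin size and the 2.5 anomaly threshold are assumptions chosen for the example; adjust them to the data you actually ingest.

```kql
// Added example (not from the original thread): scheduled analytics rule query
// that flags hourly failed-sign-in counts that deviate from each user's baseline.
// Assumptions: SigninLogs is the source table, lookback = 14d, bins of 1h,
// anomaly threshold = 2.5 (all chosen for the example, not from the post).
let lookback = 14d;
let bin_size = 1h;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                 // non-zero ResultType = failed sign-in
// Build one time series of failed-sign-in counts per user, zero-filled for empty bins
| make-series FailedCount = count() default = 0
    on TimeGenerated from ago(lookback) to now() step bin_size
    by UserPrincipalName
// Decompose each series into baseline + anomalies; seasonality -1 = autodetect,
// 'linefit' = linear trend, threshold 2.5 = only strong deviations
| extend (anomalies, score, baseline) =
    series_decompose_anomalies(FailedCount, 2.5, -1, 'linefit')
// Expand the arrays back into rows so each bin can be inspected individually
| mv-expand TimeGenerated to typeof(datetime), FailedCount to typeof(long),
    anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
// Keep only positive anomalies (spikes) in the most recent bin, so each hourly
// run of the rule alerts once per affected user rather than re-alerting history
| where anomalies > 0 and TimeGenerated > ago(bin_size)
| project TimeGenerated, UserPrincipalName, FailedCount, baseline, score
```

To use it as a scheduled rule, set the rule to run every 1 hour with a 14-day lookup period (the lookback has to cover enough history for a meaningful baseline), map `UserPrincipalName` to the Account entity so the incident carries the user, and attach the playbook mentioned in the reply to the incident-creation trigger. The `baseline` and `score` columns are worth keeping in the alert so an analyst can see how far the observed count departed from the expected one.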