
Machine Learning powered detections with Kusto query language in Azure Sentinel

Community Manager

As cyberattacks become more complex and harder to detect, the traditional correlation rules of a SIEM are not enough: they lack the full context of the attack and can only detect attacks that were seen before. This can result in false negatives and gaps in the environment. In addition, correlation rules require significant maintenance and customization, since they may produce different results depending on the customer environment.
Advanced Machine Learning capabilities built into Azure Sentinel can detect behaviors indicative of a threat and help security analysts learn the expected behavior in their enterprise. In addition, Azure Sentinel provides out-of-the-box detection queries that leverage the Machine Learning capabilities of the Azure Monitor Logs query language to detect suspicious behaviors such as abnormal traffic in firewall data, suspicious authentication patterns, and resource creation anomalies. The queries can be found in the Azure Sentinel GitHub community.
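The following query is an added illustration of the kind of anomaly detection described above; it is not one of the queries shipped in the Azure Sentinel GitHub repository, nor code from the original post. It assumes the standard Azure Sentinel `SigninLogs` table with its `TimeGenerated` and `ResultType` columns, and uses Kusto's built-in time-series functions (`make-series` and `series_decompose_anomalies`) to learn a baseline of failed sign-ins per hour and flag hours whose failure count deviates from it. The threshold value and lookback window are placeholders to be tuned per environment.

```kusto
// Added example: hourly failed sign-in volume compared against a learned
// two-week baseline. Assumes the Azure Sentinel SigninLogs table.
let lookback = 14d;          // training window (assumed value)
let binSize  = 1h;           // aggregation granularity
let anomalyThreshold = 2.0;  // score threshold; higher = fewer alerts
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"    // ResultType "0" is a successful sign-in
// Build one time series of failure counts, filling empty hours with 0
| make-series FailedSignIns = count() default = 0
    on TimeGenerated from ago(lookback) to now() step binSize
// Decompose the series into baseline + seasonality + residual and score
// each point; seasonality -1 = auto-detect, 'linefit' = linear trend
| extend (AnomalyFlag, AnomalyScore, Baseline) =
    series_decompose_anomalies(FailedSignIns, anomalyThreshold, -1, 'linefit')
// Expand the arrays back into one row per hourly bin
| mv-expand TimeGenerated to typeof(datetime),
            FailedSignIns to typeof(long),
            AnomalyFlag   to typeof(double),
            AnomalyScore  to typeof(double),
            Baseline      to typeof(double)
// Keep only upward spikes (+1); -1 would indicate an abnormal drop
| where AnomalyFlag == 1
| project TimeGenerated, FailedSignIns, Baseline, AnomalyScore
| order by TimeGenerated desc
```

Because the baseline is learned from the environment's own history, the same query adapts to tenants with very different normal failure rates, which is the maintenance burden the text attributes to static correlation rules. When turning this into an analytics rule, the rows it returns (timestamp, observed count, expected baseline, score) give an analyst the context needed to triage the spike rather than just a binary hit.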
[Image: 07765e85-07ed-4dc7-b521-fc1bfb2fea88.png]
Read more about it in the Azure blog.
