Query
Using KQL functions to speed up analysis in Azure Sentinel
Security Operations can be a repetitive role: as an analyst you will often find yourself running the same queries and tasks as you work through an investigation. KQL functions in Azure Sentinel let analysts build up a collection of investigation tools that can be called on quickly and simply.

Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example
Writing alert rules in KQL is powerful but does not have to be complicated. A good example is rules that in a traditional SIEM rely on Active Lists. In this blog post, I will describe how to avoid Active Lists entirely using Sentinel query-based rules.

Azure Sentinel correlation rules: the join KQL operator
In the SIEM world, rules are often called correlation rules to stress the role of a SIEM in correlating signals from different sources. In this blog post, I will explain how to implement correlation rules in Sentinel using the join KQL operator.
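The three summaries above only name the techniques (a reusable KQL function, make_set()/make_list() in place of an Active List, and a join across sources). The following KQL is an added example that ties them together; it is not taken from any of the posts and is not the query their authors published. It uses constructed datatable() rows in place of the real SigninLogs and AWSCloudTrail tables; the column names follow those Sentinel tables, but the sample rows, the function name AWSLoginsFromUnknownIPs and the detection logic are assumptions made for illustration.

```kql
// Added example, not from the original posts. Constructed sample rows stand in for
// SigninLogs and AWSCloudTrail; column names follow those tables, the data is invented.
let SigninLogsSample = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    datetime(2021-03-01 10:00:00), "alice@contoso.com", "203.0.113.10", "0",
    datetime(2021-03-01 10:05:00), "bob@contoso.com",   "198.51.100.7", "0",
    datetime(2021-03-01 10:07:00), "carol@contoso.com", "192.0.2.55",   "50126"   // failed AAD sign-in
];
let AWSCloudTrailSample = datatable(TimeGenerated:datetime, UserIdentityUserName:string, SourceIpAddress:string, ResponseElements:string)
[
    datetime(2021-03-01 10:20:00), "alice",   "203.0.113.10", "Success",
    datetime(2021-03-01 10:30:00), "mallory", "192.0.2.55",   "Success"
];
// 1. Active List replacement: the set of IPs behind a successful AAD sign-in is computed
//    on the fly with make_set() at query time instead of being kept as a stateful list.
let KnownAADIPs = toscalar(
    SigninLogsSample
    | where ResultType == "0"
    | summarize make_set(IPAddress));
// 2. KQL function: a reusable detection that takes its time window as parameters.
//    In Sentinel the same body would be saved as a workspace function and called by name.
let AWSLoginsFromUnknownIPs = (start:datetime, end:datetime) {
    AWSCloudTrailSample
    | where TimeGenerated between (start .. end)
    | where ResponseElements == "Success" and SourceIpAddress !in (KnownAADIPs)
    // make_list() collects the AWS user names seen from each unknown IP into one alert row
    | summarize Logins = count(), Users = make_list(UserIdentityUserName) by SourceIpAddress
};
// 3. join correlation: the same IP signs in to AAD and then to the AWS console within an hour.
let CorrelatedLogins = SigninLogsSample
    | where ResultType == "0"
    | project AADTime = TimeGenerated, UserPrincipalName, IPAddress
    | join kind=inner (
        AWSCloudTrailSample
        | where ResponseElements == "Success"
        | project AWSTime = TimeGenerated, UserIdentityUserName, IPAddress = SourceIpAddress
      ) on IPAddress
    | where AWSTime between (AADTime .. (AADTime + 1h))
    | project AADTime, AWSTime, UserPrincipalName, UserIdentityUserName, IPAddress;
// Run the function over the sample day; swap the last line for "CorrelatedLogins" to see the join.
AWSLoginsFromUnknownIPs(datetime(2021-03-01), datetime(2021-03-02))
```

On the sample rows the function flags only 192.0.2.55 with the user list ["mallory"]: carol's sign-in from that address failed, so the ResultType filter keeps it off the known-IP set, which is exactly the kind of condition an Active List would have to be maintained to reflect. The join returns alice's pair of events, since 203.0.113.10 appears on both sides within the one-hour window. In a real rule the datatable() definitions are replaced by the SigninLogs and AWSCloudTrail tables and the time window comes from the rule's lookback.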