Query

5 Topics

Using KQL functions to speed up analysis in Azure Sentinel
Security Operations can often be a very repetitive role. As a security analyst, you will often find yourself conducting the same actions and tasks as you work through an investigation. KQL functions in Azure Sentinel provide a way in which analysts can build up a collection of investigation tools to call upon quickly and simply.
Pete Bryan
Apr 09, 2024 Place Microsoft Sentinel Blog
36KViews
3likes
4Comments
Azure Sentinel correlation rules: Active Lists out; make_list() in, the AAD/AWS correlation example
Writing alert rules using KQL is powerful but does not have to be complicated. A good example would be rules that in traditional SIEM use Active Lists. In this blog post, I will describe how to avoid Active Lists entirely using Sentinel query-based rules.
Ofer_Shezaf
Jun 02, 2021 Place Microsoft Sentinel Blog
37KViews
10likes
8Comments
Implementing Lookups in Azure Sentinel
Learn how to combine external data sources as part of your queries in Sentinel to implement lookups, allow-lists, watchlists and enrichments.
nirgafni
May 31, 2021 Place Microsoft Sentinel Blog
68KViews
15likes
20Comments
Azure Sentinel correlation rules: the join KQL operator
In the SIEM world, rules are often called correlation rules to stress the role of a SIEM to correlate signals from different sources. In this blog post, I will explain how to implement correlation rules in Sentinel using the join KQL operator.
Ofer_Shezaf
Dec 29, 2020 Place Microsoft Sentinel Blog
39KViews
4likes
4Comments
Tip: Easily use JSON fields in Sentinel
Learn how to easily extract values embedded in JSON constructs in Sentinel as primary fields for easy viewing, filtering and further processing.
Ofer_Shezaf
Apr 05, 2020 Place Microsoft Sentinel Blog
26KViews
6likes
2Comments