#### Platforms
- azure-sentinel

#### Tags
- sentinelanomaly

# Hunt for anomalies in Sentinel

## Query Information

#### Description
The Anomalies table contains the anomalies generated by the active Anomaly analytics rules in Azure Sentinel. At the time of writing, these anomalies do not trigger an incident by default. This query lists the anomalies together with the reasons they were flagged.

#### References
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/anomalies

## Sentinel
```KQL
// Look back over the last 7 days of anomalies.
let TimeFrame = 7d;
Anomalies
| where TimeGenerated > ago(TimeFrame)
// ExtendedLinks is a dynamic array; its first entry carries the inputs of the
// detail blade, i.e. the query behind the anomaly's "details" link.
| extend DetailedResultsKQL = ExtendedLinks[0].DetailBladeInputs
// Put the most useful columns first; the remaining columns are kept as-is.
| project-reorder TimeGenerated, Description, UserPrincipalName, RuleName, Tactics, DetailedResultsKQL, Entities
```
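As an added example (not part of the original query), the following builds on the same table to rank users by repeated or high-scoring anomalies, which is a practical starting point for a custom scheduled analytics rule given that anomalies do not raise incidents on their own. The `Score` column (a real value per anomaly) and the thresholds used are assumptions, not taken from the page.

```kql
// Added example: aggregate anomalies per user so that repeated or
// high-scoring activity can be turned into an incident via a scheduled rule.
// Assumptions: Anomalies.Score is a real (0-1) anomaly score; the 0.7 score
// threshold and the count of 3 are arbitrary starting values to tune.
let TimeFrame = 7d;
let ScoreThreshold = 0.7;
let MinAnomalies = 3;
Anomalies
| where TimeGenerated > ago(TimeFrame)
// Only keep anomalies that are attributable to a user account.
| where isnotempty(UserPrincipalName)
| summarize
    AnomalyCount = count(),
    MaxScore = max(Score),
    Rules = make_set(RuleName, 20),
    TacticsSeen = make_set(Tactics, 20),
    Descriptions = make_set(Description, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName
// Alert on a single strong anomaly or on a cluster of weaker ones.
| where MaxScore >= ScoreThreshold or AnomalyCount >= MinAnomalies
| order by MaxScore desc, AnomalyCount desc
```

Mapping `UserPrincipalName` to the Account entity in the analytics rule wizard lets the resulting incident carry the user for triage.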