Hunt for anomalies in Sentinel
Sentinel Anomalies
Query
let TimeFrame = 7d;
Anomalies
| where TimeGenerated > ago(TimeFrame)
| extend DetailedResultsKQL = ExtendedLinks[0].DetailBladeInputs
| project-reorder TimeGenerated, Description, UserPrincipalName, RuleName, Tactics, DetailedResultsKQL, EntitiesAbout this query
Hunt for anomalies in Sentinel
Query Information
Description
The anomalies table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel. Those anomalies do not trigger a incident by default (at the moment of writing). This query lists the anomalies and the reaons why they are anomalies.
References
Sentinel
Explanation
This query is designed to identify and list anomalies detected by Azure Sentinel's active Anomaly analytics rules over the past seven days. Here's a simple breakdown of what the query does:
-
Time Frame: It looks at anomalies generated within the last 7 days.
-
Data Source: It uses the
Anomaliestable, which contains data on anomalies identified by Sentinel. -
Filtering: It filters the anomalies to only include those that were generated in the specified time frame.
-
Data Extraction: It extracts detailed information about each anomaly, specifically from the first item in the
ExtendedLinksarray, and labels it asDetailedResultsKQL. -
Data Organization: It organizes the output to show the following columns in order:
TimeGenerated: When the anomaly was detected.Description: A description of the anomaly.UserPrincipalName: The user associated with the anomaly.RuleName: The name of the rule that identified the anomaly.Tactics: The tactics associated with the anomaly.DetailedResultsKQL: Detailed results related to the anomaly.Entities: Any entities involved in the anomaly.
This query helps security analysts review and understand anomalies detected by Sentinel, providing insights into why they were flagged without automatically triggering incidents.
Details

Bert-Jan Pals
Released: December 4, 2024
Tables
Keywords
Operators