KQL Search

This query is searching through a dataset called "Anomalies" to find records where the "RuleName" ends with "Anomalous Role Assignment" and the "RuleStatus" is not "Flighting." For each of these records, it extracts additional information from the first item in the "ExtendedLinks" array, specifically the "DetailBladeInputs" field, and labels it as "Query." Finally, it selects and displays a set of fields from these records, including:

• TimeGenerated: When the anomaly was recorded.
• RuleName: The name of the rule that detected the anomaly.
• Description: A description of the anomaly.
• Query: The extracted detail from "ExtendedLinks."
• UserPrincipalName: The name of the user involved.
• ActivityInsights, DeviceInsights, UserInsights: Additional insights related to the activity, device, and user.
• StartTime, EndTime: The time range during which the anomaly occurred.
• Score: A score indicating the severity or importance of the anomaly.
• AnomalyDetails: Specific details about the anomaly.
• Entities: The entities involved in the anomaly.
• Tactics, Techniques: The tactics and techniques associated with the anomaly.
• ExtendedLinks: Any additional links or references related to the anomaly.

In simple terms, this query is filtering and displaying detailed information about specific role assignment anomalies that are not in a "Flighting" status.