Sentinel Anomalies

Query

# Hunt for anomalies in Sentinel

## Query Information

#### Description
The Anomalies table contains anomalies generated by the active Anomaly analytics rules in Azure Sentinel. Those anomalies do not trigger an incident by default (at the time of writing). This query lists the anomalies and the reasons why they were flagged as anomalies.

#### References
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/anomalies

## Sentinel
```kql
let TimeFrame = 7d;
Anomalies
| where TimeGenerated > ago(TimeFrame)
// Description holds the text explaining why the row was flagged as an anomaly
| project-rename ['Anomaly Reason'] = Description
| project-reorder TimeGenerated, ['Anomaly Reason'], Entities, RuleName, Tactics
```

Explanation

This query searches for anomalies in Azure Sentinel. It retrieves anomalies from the anomalies table that are generated by active Anomaly analytics rules. The query lists the anomalies along with the reasons why they are considered anomalies. It filters the anomalies based on a specified time frame (7 days) and reorders the columns to display TimeGenerated, Anomaly Reason, Entities, RuleName, and Tactics.
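The following is an added example that builds on the query above; it is not part of the original page or the author's query. It ranks the anomaly rules that fired in the same 7-day window by volume and lists the entity types and reasons each rule produced, which is useful for deciding which rules deserve an incident-creation rule or tuning. It assumes that Entities is a dynamic array of Sentinel entity objects that each carry a "Type" field, and that Score is the per-anomaly confidence column; both assumptions are not taken from the page.

```kql
// Added example (not from the original page): triage view over the Anomalies table.
// Assumptions: Entities is a dynamic array of entity objects with a "Type" field,
// and Score is a numeric confidence column. Both are assumed, not shown on the page.
let TimeFrame = 7d;
let MinScore = 0.0;   // raise this to hide low-confidence anomalies
let Base = Anomalies
    | where TimeGenerated > ago(TimeFrame)
    | where Score >= MinScore;
// One row per (anomaly, entity) so the entity types per rule can be collected
Base
| mv-expand Entity = Entities
| extend EntityType = tostring(Entity.Type)
| summarize EntityTypes = make_set(EntityType) by RuleName
// Counts are taken from the un-expanded rows so multi-entity anomalies are not double counted
| join kind=inner (
    Base
    | summarize AnomalyCount = count(),
                Reasons = make_set(Description, 5),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated)
      by RuleName
  ) on RuleName
| project RuleName, AnomalyCount, FirstSeen, LastSeen, EntityTypes, Reasons
| order by AnomalyCount desc
```

Rules that sit at the top of this list with only one or two distinct reasons are usually candidates for tuning rather than for promotion to incidents.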

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

Anomalies

Keywords

Anomalies,TimeGenerated,AnomalyReason,Entities,RuleName,Tactics

Operators

let, where, ago, project-rename, project-reorder
