{"id":1423,"date":"2019-04-16T00:00:00","date_gmt":"2019-04-16T07:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/ml-powered-detections-with-kusto-query-language-in-azure-sentinel"},"modified":"2025-06-20T06:36:17","modified_gmt":"2025-06-20T13:36:17","slug":"ml-powered-detections-with-kusto-query-language-in-azure-sentinel","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/ml-powered-detections-with-kusto-query-language-in-azure-sentinel\/","title":{"rendered":"Machine Learning powered detections with Kusto query language in Azure Sentinel"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>This post is co-authored by Tim Burrell, Principal Security Engineering Manager and Dotan Patrich, Principal Software Engineer.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As cyberattacks become more complex and harder to detect, the traditional correlation rules of a SIEM are not enough: they lack the full context of the attack and can only detect attacks that were seen before. This can result in false negatives and gaps in the environment. In addition, correlation rules require significant maintenance and customization, since they may produce different results depending on the customer environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Advanced Machine Learning capabilities that are built into Azure Sentinel can detect indicative behaviors of a threat and help security analysts learn the expected behavior in their enterprise. In addition, Azure Sentinel provides out-of-the-box detection queries that leverage the Machine Learning capabilities of <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/kusto\/query\/\">Kusto query language<\/a> to detect suspicious behaviors such as abnormal traffic in firewall data, suspicious authentication patterns, and resource creation anomalies. 
The queries can be found in the <a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\">Azure Sentinel GitHub community<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Below are three examples of detections that leverage built-in Machine Learning capabilities to protect your environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"time-series-analysis-of-authentication-of-user-accounts-from-unusual-large-number-of-locations\">Time series analysis of authentication of user accounts from an unusually large number of locations<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A typical organization may have many users and many applications using Azure Active Directory for authentication. Some applications (for example Office365 Exchange Online) may have many more authentications than others (say Visual Studio) and thus dominate the data. Users may also have a different location profile depending on the application. For example, high location variability for email access may be expected, but less so for development activity associated with Visual Studio authentications. 
The ability to track location variability for every user\/application combination and then investigate just the most unusual cases can be achieved by leveraging the built-in query capabilities using the operators <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/kusto\/query\/make-seriesoperator\">make-series<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/kusto\/query\/series-fit-linefunction\">series_fit_line<\/a>.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nSigninLogs\n| where TimeGenerated >= ago(30d)\n| extend locationString = strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"\/\", tostring(LocationDetails[\"state\"]), \"\/\", tostring(LocationDetails[\"city\"]), \";\")\n| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(30d)), now(), 1d) by UserPrincipalName, AppDisplayName\n| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount)\n| where Slope > 0.3\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/07765e85-07ed-4dc7-b521-fc1bfb2fea88.webp\" alt=\"image\" style=\"border-radius:0px\" title=\"image\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"creation-of-an-anomalous-number-of-resources\">Creation of an anomalous number of resources<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Resource creation in Azure is a normal operation in the environment. Operations and IT teams frequently spin up environments and resources based on organizational needs and requirements. 
However, an anomalous creation of resources by users who don\u2019t have permissions or aren\u2019t supposed to create these resources is extremely interesting. Tracking anomalous resource creation or suspicious deployment activities in the Azure activity log can provide a lead to spot an execution technique used by an attacker.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nAzureActivity\n| where TimeGenerated >= ago(30d)\n| where OperationName == \"Create or Update Virtual Machine\" or OperationName == \"Create Deployment\"\n| where ActivityStatus == \"Succeeded\"\n| make-series num = dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(30d), now(), 1d) by Caller\n| extend outliers = series_outliers(num, \"ctukey\", 0, 10, 90)\n| project-away num\n| mvexpand outliers\n| where outliers > 0.9\n| summarize by Caller\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/1f05714c-01e8-4d65-b097-741cbbd17b2c.webp\" alt=\"image\" width=\"516\" height=\"320\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"firewall-traffic-anomalies\">Firewall traffic anomalies<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Firewall traffic can be an additional indicator of a potential attack in the organization. The ability to establish a baseline that represents the usual firewall traffic behavior on a weekly or an hourly basis can help point out an anomalous increase in traffic. 
The built-in capabilities of the Log Analytics query language can point directly at the traffic anomaly so that it can be investigated.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title=\"\">\nCommonSecurityLog\n| summarize count() by bin(TimeGenerated, 1h)\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image has-custom-border\"><img decoding=\"async\" src=\"https:\/\/azure.microsoft.com\/en-us\/blog\/wp-content\/uploads\/2019\/04\/dcd0e37f-5aab-49b1-9b1f-e753b08a9180.webp\" alt=\"image\" style=\"border-radius:0px\" title=\"image\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">With <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\">Azure Sentinel<\/a>, you can <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/tutorial-detect-threats\">create the above advanced detection rules<\/a> to detect anomalies and suspicious activities in your environment, create your own detection rules, or leverage the rich <a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/tree\/master\/Detections\">GitHub library<\/a> that contains detections written by Microsoft security researchers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As cyberattacks become more complex and harder to detect, the traditional correlation rules of a SIEM are not enough: they lack the full context of the attack and can only detect attacks that were seen before. This can result in false negatives and gaps in the environment. 
In addition, correlation rules require significant maintenance and customization since they may provide different results based on the customer environment.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[1466,1459],"tags":[],"audience":[3053,3056],"content-type":[1511],"product":[1561],"tech-community":[],"topic":[],"coauthors":[97]}