A collection of KQL queries I've put together while working within Sentinel.
Name | Description |
---|---|
PIMRoleActivationsViaScript.kql | Find users who have activated their PIM roles via script. This detects 5 or more PIM role activations within a 5 minute sliding window. |
InteractiveServiceAccounts.kql | Find service accounts that are logging in interactively. This may need to be adjusted to fit your environment (OU location or service account naming scheme). |
GetSizeOfTableFilteredByColumns.kql | Take a table and filter it. Then determine the size of all items scoped by that filter in MB. Useful for cost adjustment. |
GetAnomalousDataIngestion.kql | Look back 60 days and build a baseline for data ingestion volume, then show anomalies using series_decompose_anomalies |