Skip to content

Latest commit

 

History

History

Functions

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
ReadmeImages
ReadmeImages
 
 
Function-ADGroupChanges.kql
Function-ADGroupChanges.kql
 
 
Function-AzureKeyVaultAccess.kql
Function-AzureKeyVaultAccess.kql
 
 
Function-CiscoASAParser.kql
Function-CiscoASAParser.kql
 
 
Function-DeviceLookup.kql
Function-DeviceLookup.kql
 
 
Function-FailedActiveDirectoryLogons.kql
Function-FailedActiveDirectoryLogons.kql
 
 
Function-GroupChanges.kql
Function-GroupChanges.kql
 
 
Function-GuestDomainInfo.kql
Function-GuestDomainInfo.kql
 
 
Function-IdentityInfowithSigninRisk.kql
Function-IdentityInfowithSigninRisk.kql
 
 
Function-NewDetections.kql
Function-NewDetections.kql
 
 
Function-PrivilegeChanges.kql
Function-PrivilegeChanges.kql
 
 
Function-RetrieveAllDCs.kql
Function-RetrieveAllDCs.kql
 
 
Function-TeamsAccess.kql
Function-TeamsAccess.kql
 
 
Function-UserInvestigation.kql
Function-UserInvestigation.kql
 
 
Function-UserLogins.kql
Function-UserLogins.kql
 
 
Function-UserLookup.kql
Function-UserLookup.kql
 
 
README.md
README.md
 
 

README.md

Microsoft Sentinel Functions

Microsoft Sentinel allows you to save pre-defined queries as a function then call them from a single line to save time with your hunting. This is especially useful if you often join multiple tables together.

Once you write your query, you select Save - Save as function

Save as function

Then name your function, this will be the same name you then query Microsoft Sentinel with.

Select name for function

Then you can run your saved function using a single line query.

Run function

You can then query within the function as you would a normal query.

Run function query

Some functions require a parameter specified, such as the UserInvestigation function. These functions take an input and pass them through to the function. This one requires a string called user, and you can leave default value.

Function parameter