Plugins/Community Based Plugins/Microsoft Sentinel Custom Plugin Scenarios/Network Anomaly Detection/NetworkAnomalyDetection.yaml

Descriptor:
  Name: Network (CEF) anomaly detection activity
  DisplayName: "Sentinel KQL: Network (CEF) anomaly detection activity"
  Description: Skill that looks up anomalous activity (events) in the network CEF CommonSecurityLog table of Microsoft Sentinel.
  Settings:
    - Name: TenantId
      Label: TenantId
      Description: Azure tenant ID where Sentinel exists.
      HintText: Azure tenant ID where Sentinel exists.
      SettingType: String
      Required: true
    - Name: SubscriptionId
      Label: SubscriptionId
      Description: Azure subscription ID where Sentinel exists.
      HintText: Azure subscription ID where Sentinel exists.
      SettingType: String
      Required: true
    - Name: WorkspaceName
      Label: WorkspaceName
      Description: Log Analytics workspace name for Sentinel.
      HintText: Log Analytics workspace name for Sentinel.
      SettingType: String
      Required: true
    - Name: ResourceGroupName
      Label: ResourceGroupName
      Description: Resource group where the Sentinel workspace exists.
      HintText: Resource group where the Sentinel workspace exists.
      SettingType: String
      Required: true

SkillGroups:
  - Format: KQL
    Skills:
      - Name: Detectnetworkcefanomalyeactivity
        DisplayName: Detect Network (CEF) anomaly detection activity
        Description: >-
          Fetches all Network (CEF) anomaly detection activity from the Microsoft Sentinel
          CommonSecurityLog table. It first builds a daily time series of event counts per
          DeviceVendor and passes it to series_decompose_anomalies(), which takes a series
          of values as input and extracts the anomalies. In the query results the function
          (1) calculates an expected daily usage for each series, (2) compares actual daily
          usage to expected usage, (3) assigns an anomaly score to each data point indicating
          how far actual usage deviates from expected usage, and (4) identifies positive (1)
          and negative (-1) anomalies in each series.
        ExamplePrompt:
          - 'Analyze network CEF data in Sentinel if there is anomaly'
          - 'Anomaly data detection if any in Palo Alto logs'
          - 'Scan my network and firewall data if there is any data anomaly activity'
        Inputs:
          - Name: StartTime
            Description: Start of the lookback window, as a number of days (for example 21d), for Network (CEF) anomaly detection activity in Microsoft Sentinel
            Required: true
            DefaultValue: 21d
          - Name: EndTime
            Description: End of the lookback window, as a number of days (for example 0d for now), for Network (CEF) anomaly detection activity in Microsoft Sentinel
            Required: true
            DefaultValue: 0d
        Settings:
          Target: Sentinel
          TenantId: "{{TenantId}}"
          SubscriptionId: "{{SubscriptionId}}"
          ResourceGroupName: "{{ResourceGroupName}}"
          WorkspaceName: "{{WorkspaceName}}"
        Template: |-
          // The inputs are day-count timespans (e.g. 21d / 0d), so they are applied through ago()
          // and then actually used below instead of hardcoding the 21-day window.
          let starttime = startofday(ago({{StartTime}}));
          let endtime = startofday(ago({{EndTime}}));
          let timeframe = 1d;
          CommonSecurityLog
          | where TimeGenerated between (starttime .. endtime)
          // One daily count series per vendor; missing days are filled with 0
          | make-series ActualUsage=count() default=0 on TimeGenerated from starttime to endtime step timeframe by DeviceVendor
          // threshold 1.5, auto-detected seasonality (-1), 'avg' trend, linefit on
          | extend (Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(ActualUsage, 1.5, -1, 'avg', 1)
          | mv-expand ActualUsage to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), AnomalyScore to typeof(double), ExpectedUsage to typeof(long)
          | where Anomalies != 0 // returns all positive and negative deviations from expected usage
          | project TimeGenerated, ActualUsage, ExpectedUsage, AnomalyScore, Anomalies, DeviceVendor
          | sort by abs(AnomalyScore) desc
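To make the four steps the skill description attributes to series_decompose_anomalies() concrete, here is an added illustration written for this page, not code from the plugin or from Kusto. It approximates the KQL pipeline in plain Python: one daily-count series per DeviceVendor, a baseline ("expected usage"), a residual score, and a +1/-1 flag at the same 1.5 threshold, followed by the query's filter, projection and sort. Two things are assumptions: the baseline is simplified to the per-vendor median (the real function fits trend and seasonality), and the residuals are scored with a Tukey fence (distance beyond Q1/Q3 in units of the IQR), which is how Kusto's outlier scoring is commonly described. The input series and vendor name are constructed sample data.

```python
"""Plain-Python approximation of the plugin's per-vendor anomaly query.

Hypothetical stand-in for Kusto's series_decompose_anomalies(): the baseline
is simplified to the median of the series (assumption), and residuals are
scored with a Tukey fence (assumption), flagged at |score| > 1.5 like the query.
"""
import math
import statistics
from typing import Dict, List, Tuple

THRESHOLD = 1.5  # same threshold the plugin passes as the second argument


def _percentile(sorted_vals: List[float], p: float) -> float:
    """Linear-interpolated percentile over an already sorted list."""
    pos = p * (len(sorted_vals) - 1)
    lo = math.floor(pos)
    hi = min(lo + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (pos - lo)


def decompose_anomalies(actual: List[int], threshold: float = THRESHOLD
                        ) -> Tuple[List[int], List[float], List[float]]:
    """Return (anomalies, scores, expected), mirroring the KQL function's three outputs.

    Step 1: expected daily usage (here: the median, a simplification).
    Step 2: compare actual to expected -> residuals.
    Step 3: anomaly score = how far a residual sits beyond the inner quartiles, in IQRs.
    Step 4: +1 / -1 where |score| exceeds the threshold, else 0.
    """
    expected = statistics.median(actual)
    residuals = [x - expected for x in actual]
    ordered = sorted(residuals)
    q1, q3 = _percentile(ordered, 0.25), _percentile(ordered, 0.75)
    iqr = q3 - q1
    scores: List[float] = []
    anomalies: List[int] = []
    for r in residuals:
        if iqr == 0:          # flat series: nothing can stand out
            score = 0.0
        elif r > q3:
            score = (r - q3) / iqr
        elif r < q1:
            score = (r - q1) / iqr
        else:
            score = 0.0
        scores.append(score)
        anomalies.append(1 if score > threshold else -1 if score < -threshold else 0)
    return anomalies, scores, [expected] * len(actual)


def find_network_anomalies(series_by_vendor: Dict[str, List[int]]) -> List[dict]:
    """Run the detection per vendor and keep rows where Anomalies != 0,
    sorted by abs(AnomalyScore) desc, like the query's where/project/sort steps."""
    rows = []
    for vendor, actual in series_by_vendor.items():
        anomalies, scores, expected = decompose_anomalies(actual)
        for day, (a, s, e, x) in enumerate(zip(anomalies, scores, expected, actual)):
            if a != 0:
                rows.append({"Day": day, "DeviceVendor": vendor, "ActualUsage": x,
                             "ExpectedUsage": e, "AnomalyScore": round(s, 2),
                             "Anomalies": a})
    return sorted(rows, key=lambda r: abs(r["AnomalyScore"]), reverse=True)


# Constructed sample: 21 days of daily CEF event counts for one (made-up) vendor,
# with a burst on day 14 and a near-silent day 17 (what a log-forwarding outage looks like).
SAMPLE = {
    "Palo Alto Networks": [1000, 1020, 980, 1010, 990, 1000, 1015, 995, 1005, 1000,
                           985, 1010, 1000, 990, 3000, 1005, 1000, 100, 995, 1010, 1000],
}

if __name__ == "__main__":
    for row in find_network_anomalies(SAMPLE):
        print(row)
```

A negative anomaly (a day with far fewer events than expected) is just as interesting to an analyst as a positive one: in firewall telemetry it usually means a collector or forwarder stopped, which is a detection blind spot rather than an attack, and that is why the query keeps both signs.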