
Instead of just looking for known bad things, how can experts use KQL in Sentinel to find brand new, unknown threats by noticing unusual patterns in how people or computers act?



To find brand new, unknown threats using KQL in Sentinel, experts employ behavioral anomaly detection, which focuses on identifying deviations from established normal behavior patterns of entities like users, computers, or applications. Instead of searching for specific malicious signatures, this method builds a baseline of typical activity and then flags anything significantly unusual. KQL, or Kusto Query Language, is the powerful query language used in Microsoft Sentinel for data exploration and analysis. Sentinel ingests vast amounts of log data, such as `SigninLogs` for user authentication, `SecurityEvent` for Windows events, and `AzureActivity` for Azure resource operations. For anomaly detection, this data must first be normalized, meaning it is parsed into a consistent schema, making it easier to query and analyze uniformly across different data sources. Establishing a baseline is the crucial first step, defining what constitutes "normal" behavior for an entity. This involves using KQL to analyze historical data over a significant period. Time-series analysis is frequently used, where data is grouped into time windows using operators like `bin(TimeGenerated, 1h)` to aggregate events per hour. Statistical aggregations such as `count()`, `avg()`, `sum()`, `stdev()`, and `percentile()` are applied to fields like `Activity`, `SourceIP`, `DestinationIP`, `ResourceGroup`, or `AccountUPN` to understand typical volumes, frequencies, and unique values associated with an e....
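The baseline-then-compare approach described above, written out as a KQL query. This is an added example, not code from the Govur answer or from Microsoft: it assumes the standard `SigninLogs` columns (`UserPrincipalName`, `IPAddress`, `AppDisplayName`, `ResultType`), and the 14-day lookback, 1-day scoring window and 3-sigma cut-off are assumed values to be tuned per environment.

```kql
// Added example (not from the original answer): per-user hourly sign-in
// baseline from SigninLogs, then flag hours in the last day that sit more
// than 3 standard deviations above that user's own mean.
let lookback   = 14d;      // history used to build the baseline (assumed)
let recent     = 1d;       // window scored against the baseline (assumed)
let zThreshold = 3.0;      // assumed cut-off; tune to the environment
// Baseline: make-series fills hours with no sign-ins as 0, so quiet hours
// count toward the mean instead of being silently dropped, which a plain
// summarize-by-bin baseline would do.
let baseline =
    SigninLogs
    | where ResultType == "0"                    // successful sign-ins only
    | make-series HourlyCount = count() default = 0
        on TimeGenerated from ago(lookback + recent) to ago(recent) step 1h
        by UserPrincipalName
    | extend stats = series_stats_dynamic(HourlyCount)
    | project UserPrincipalName,
              AvgPerHour   = toreal(stats.avg),
              StdevPerHour = toreal(stats.stdev);
// Score the recent window hour by hour against each user's baseline,
// carrying context (distinct source IPs, apps) an analyst needs to triage.
SigninLogs
| where ResultType == "0"
| where TimeGenerated > ago(recent)
| summarize RecentCount = count(),
            DistinctIPs = dcount(IPAddress),
            Apps        = make_set(AppDisplayName, 10)
    by UserPrincipalName, Hour = bin(TimeGenerated, 1h)
| join kind=inner baseline on UserPrincipalName
| extend ZScore = iff(StdevPerHour > 0.0,
                      (todouble(RecentCount) - AvgPerHour) / StdevPerHour,
                      real(null))               // flat baseline: cannot score
| where ZScore > zThreshold
| project Hour, UserPrincipalName, RecentCount, AvgPerHour, StdevPerHour,
          ZScore, DistinctIPs, Apps
| order by ZScore desc
```

Two caveats a practitioner should keep in mind when running something like this. The inner join drops any account with no history in the lookback window, so a first-seen account never scores here and needs its own "new entity" query. And a z-score assumes the hourly counts are roughly normally distributed, which sign-in volumes rarely are; for heavily skewed users, comparing the recent hour against a high `percentile()` of the baseline series is a more robust threshold than mean plus stdev.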
