After Lab 5.6 — Anomaly Detection Recap
After Lab 5.6 — Anomaly Detection Recap
In this lab you wrote KQL queries to detect anomalous patterns in your Day 5 environment — error spikes, unusual endpoint access, and Key Vault audit events. Here's what you learned and how it fits into the bigger picture.
What You Learned
1. Error Spike Detection
You wrote a query to find unusual error rates — a common indicator of an attack or misconfiguration:
AppExceptions
| where TimeGenerated > ago(1h)
| summarize count() by bin(TimeGenerated, 5m), ReasonSummary
| render timechart2. Unusual Endpoint Access
You used KQL's top operator to find endpoints being accessed unusually often — a sign of scanning or enumeration:
AppRequests
| where TimeGenerated > ago(1h)
| extend Path = extract(@"/([^?]+)", 1, tostring(requestUrl))
| summarize RequestCount = count() by Path
| top 20 by RequestCount3. Cross-Plane Correlation
You correlated Azure Activity Log events (management plane) with application errors (data plane) to identify if a management action triggered application-level issues.
4. Key Vault Audit Analysis
You analyzed Key Vault audit logs to detect failed access attempts — a sign of unauthorized access attempts.
5. Unusual Sign-in Patterns
You queried Azure AD SigninLogs to find anomalous sign-in patterns — such as repeated failed login attempts or logins from unexpected locations using administrative tools like PowerShell or Azure CLI. This helps identify potential credential compromise or unauthorized access attempts.
Anomaly Detection vs Rule-Based Detection
| Approach | What it catches | False positives | Production tooling |
|---|---|---|---|
| Rule-based (Policies, alerts) | Known patterns | Low | Azure Policy, Defender for Cloud |
| Anomaly-based (KQL, ML) | Unknown patterns | Higher | Azure Sentinel, Log Analytics |
Key insight: Anomaly detection complements rule-based detection. Rules catch what you know to look for; anomaly detection catches what you didn't think to look for.
Production Considerations
In a production environment, the KQL queries you wrote would be:
- Converted into Azure Sentinel analytics rules — automated detection with alerting
- Connected to Logic Apps — automated response actions (notification, containment, etc.)
- Tuned against baselines — reducing false positives by comparing against historical data
As the theory page on Anomaly Detection explains: "Use Defender for Cloud as your baseline, then write custom queries for the specific threats that matter to your organisation."
What's Next?
In the Day 5 wrap-up, you'll connect everything together — seeing how compliance, policy, automation, and anomaly detection fit together with all five days of the course.