Threat Hunting in Azure Sentinel

Security analysts and threat hunters spend countless hours hunting through logs to find suspicious patterns. Writing precise KQL queries against the SecurityEvent, SigninLogs, and OfficeActivity tables is critical, but so is speed.

Azure Sentinel contains the signals you need to detect threats early. The challenge is translating your investigative intent into the right KQL operators and filters. Below are practical examples that show how to structure queries for common threat-hunting scenarios.

Detect Failed Logon Spikes

Identify unusual patterns of failed authentication attempts across multiple accounts and computers in the last 24 hours.

SecurityEvent (EventID 4625)
KQL Query
SecurityEvent
| where EventID == 4625                                    // 4625: an account failed to log on
| where TimeGenerated > ago(24h)                           // look-back window
| summarize FailedCount = count() by Account, Computer     // failures per account on each host
| where FailedCount > 10                                   // threshold; tune to your environment's baseline
| order by FailedCount desc

Suspicious Privilege Escalation

Find instances where user accounts attempt to escalate privileges or access sensitive operations.

SecurityEvent (EventID 4672, 4673)
KQL Query
SecurityEvent
| where EventID in (4672, 4673)          // 4672: special privileges assigned to a new logon; 4673: a privileged service was called
| where TimeGenerated > ago(7d)
| where isnotempty(PrivilegeList)        // SecurityEvent already parses the privilege list into its own column (EventData is XML, not JSON, so extract_json cannot read it)
| summarize EscalationAttempts = count() by Account, Computer, PrivilegeList
| where EscalationAttempts > 3
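The following query is an added example, not part of the original page, that extends the failed-logon hunt above from per-account counting to a password-spray pattern: one source IP failing against many accounts and then succeeding. It assumes the standard SecurityEvent columns IpAddress and LogonType (integer) and that the analyst cares about network (3) and RDP (10) logons; the thresholds are placeholders to tune.

```kql
// Added example: password-spray hunt over SecurityEvent (not from the original page).
let lookback = 24h;
// Step 1: source IPs whose 4625 failures touch many distinct accounts.
let sprayers =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where isnotempty(IpAddress) and IpAddress != "-"     // local/console failures carry no usable IP
    | summarize FailedCount = count(),
                TargetedAccounts = dcount(Account),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
                by IpAddress
    | where TargetedAccounts >= 10 and FailedCount >= 50;  // assumed thresholds; baseline first
// Step 2: successful logons (4624) from those same IPs after the spraying started.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624
| where LogonType in (3, 10)                               // assumption: network and RemoteInteractive logons
| join kind=inner sprayers on IpAddress
| where TimeGenerated > FirstFailure
| project TimeGenerated, IpAddress, Account, Computer, LogonType,
          FailedCount, TargetedAccounts, FirstFailure, LastFailure
| order by TimeGenerated desc
```

An empty result for step 2 still leaves the `sprayers` set worth reviewing on its own; run the first half alone to see which IPs crossed the thresholds.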

Speed up threat hunting.

KQL Remix transforms your investigation intent into production-ready queries in seconds. Spend less time typing syntax and more time hunting threats.
