Home / Explore our latest insights / Microsoft Sentinel Spotlight - May 2023

Published: 30th May 2023 | In: Insights

In our second Microsoft Sentinel Spotlight, we look at KQL coding and Microsoft’s latest previews for Workspace Manager and Hunts. Our security partner has also launched a great new dashboard that enhances their threat intelligence reporting capabilities. Finally, we share what our Detection team is working on to improve our services.

KQL coding

Another good article, if you are interested in Kusto Query Language (KQL), is from Matt Zorich at Microsoft about the use of mv-expand() and mv-appy() operators. These two operators are common in many of the Sentinel Analytics, and this is one of the best walkthroughs of their use. If you are getting into producing your own KQL this is a “must read”.

The relevant teams in Quorum Cyber, like Detections, SOC and on-boarding, are all very familiar with how these are used, and they’re common in much of our work.

Have a JSON headache in KQL? Try mv-expand or mv-apply – Microsoft Sentinel 101 (learnsentinel.blog)


IBM is adopting KQL in their QRadar product, KQL compatibility – IBM Documentation.

KQL has broad support within Microsoft – it’s the language of Sentinel – but it’s good to see its influence spread to other security vendors.

Workspace Manager (preview) in Sentinel

This was a private preview feature we were tracking for a while and have started to adopt now that it’s more broadly available. We’ve found that the name, or use of it, confused some people. Basically, it’s a deployment tool that allows Quorum Cyber to deploy certain Sentinel components to you. It currently covers items like:

  • Rules
  • Parsers
  • Automation rules
  • Workbooks
  • Queries

We have no plans to swap to Workspace Manager for delivering the Detection Rules (we prefer our Pipeline deployment tool as it’s very fine-grained and controllable). However, we are adopting it for delivering Workbooks to you very soon, with other items in due course.

Manage multiple Microsoft Sentinel workspaces with workspace manager | Microsoft Learn

Hunts (preview)

Proactive threat hunting is a process where security analysts seek out undetected threats and malicious behaviours. By creating a hypothesis, searching through data, and validating that hypothesis, they determine what to act on. Actions can include creating new detections, new threat intelligence, or spinning up a new incident.

This is a feature that our SOC and Threat Intelligence teams are now exploring (but you can as well if threat hunting interests you).

Source: Conduct end-to-end threat hunting with Hunts – Microsoft Sentinel | Microsoft Learn

Open AI (the Microsoft ChatGPT equivalent)

Sign up here to register for the new newsletter on this topic.

Microsoft Defender Threat Intelligence (MDTI) reporting

Strategic threat intelligence involves gathering and analysing information to identify potential threats to an organisation’s security. This proactive approach helps companies anticipate and mitigate potential security risks. Reporting plays a crucial role in strategic threat intelligence by providing insights and data-driven recommendations to decision-makers. Threat intelligence reports are designed to deliver accurate and actionable information, enabling organisations to take appropriate measures to protect against potential threats.

In this blog post, we are excited to announce the launch of a new dashboard that enhances Microsoft’s threat intelligence reporting capabilities. This dashboard provides a user-friendly interface that enables organisations to easily access and analyse threat intelligence data. With this new tool, decision-makers can make informed decisions to strengthen their security posture and protect against potential threats. In this post, we’ll delve into the features of this dashboard and explore the benefits that each of the intelligence reporting it enables.

Source: What’s New: Defender TI Intel Reporting Dashboard and Workbook – Microsoft Community Hub

Detection Engineering

This month, the Detection team has taken on a new project (along with the daily work) focussed on doing things earlier and filling in the gaps. But what do I mean by these?

Doing things early

We get good insight from our Pre-Sales, Threat Intelligence and SOC teams on what products or services our customers are likely to adopt in the next few months that are new in the Sentinel eco-system. We are speeding our adoption process up where we can for these. We are looking at the requests and adopting analytics into our library, some without the data (which isn’t preferred), so they are either ‘ready’ but untested, or ready and tested. We also do some initial tuning work (if we have the data) and make sure we are happy with the code supplied (which often means adding extra information we know our SOC needs to investigate with).

A lot of these tasks happened later in the on-boarding process, so this means that we should be ready to deploy earlier (subject to final checks in each customer).

Filling the gaps

With Sentinel, Microsoft provides us with many out-of-the-box rules, some we adopt “as is”, some we take and modify (as mentioned above). However, there are many solutions in Microsoft Sentinel that don’t have an example detection. These can be from Microsoft but more commonly from third-party solutions. We often call these “passive connectors” e.g., you bring in the data but there are no detections against it. Some organisations do bring in this data for them or us to do threat hunting against, so not having a detection can be valid. However, for most, you’d assume if you have the data, you’d expect a detection or detections to be available.

A detection typically takes an engineer a day to produce and get Quality Assured (QA) then ready to be deployed (the process can take a week or two, but it averages to a day’s effort).


We’ve mainly been looking at the “Doing things early” tasks in the past month.

New products added (or updated), include:

  • Azure Key Vault
  • McAfee
  • Darktrace
  • Networking Essentials (this was in last month’s newsletter and provided coverage to many firewall products)
  • VMware vCenter and ESXi
  • DNS Essentials

Upcoming products we are looking at or planning are:

  • Zscaler
  • Azure DevOps
  • Salesforce
  • CrowdStrike
  • Google Cloud Platform (GCP)