//Cyber.Engineer

Azure Sentinel: Querying for your Cyber Threat Indicators

All CTI entries aren't just available to view in the "Threat Intelligence" page - they are stored in the Log Analytics Workspace table "ThreatIntelligenceIndicator". Here you will find the manually submissions, but also any automated feeds from STIX/TAXII.

General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud

General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud

KQL Cheatsheet

A page full of useful KQL queries when you need to look for some quick ideas Searching // Search all tables and all data for a keyword. This will look across everything. It's very useful, but can be intensive and may even time out. Make sure to squash the time span

Whitelisting your client's IP Range in MCAS

How to whitelist corporate IP range in Microsoft Cloud App Security. Ultimately reducing false positives in your SOC.

//Cyber.Engineer © 2026