How to calculate the shannon entropy for a string or number with azure sentinel logs using KQL

Robert Feldman 21 Reputation points
2021-11-15T09:46:18.403+00:00

This seems to be available on other platforms, eg. splunk. Have I missed something?

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
606 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Marilee Turscak-MSFT 20,596 Reputation points Microsoft Employee
    2021-11-15T19:33:47.25+00:00

    This is the Azure Sentinel entropy calculation that currently exists. This is used to identify Hosts where they have a high variety of entropy processes. https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/ProcessEntropy.yaml

    I believe this is all that exists currently, but if you provide more details about your scenario I would be happy to reach out to the Sentinel team and request a sample or documentation.