In this repository you may find KQL (Kusto Query Language) queries and Watchlist schemes for data sources related to Microsoft Sentinel (a SIEM tool).

ep3p/Sentinel_KQL

Sentinel KQL

You could also check other resources, such as:

GitHub
reprise99/awesome-kql-sentinel (start here)
reprise99/Sentinel-Queries
rod-trent/SentinelKQL
FalconForceTeam/FalconFriday
Cyb3r-Monk/Threat-Hunting-and-Detection
Bert-JanP/Hunting-Queries-Detection-Rules
alexverboon/Azure-Threat-Research-Matrix-KQL
eshlomo1/Microsoft-Sentinel-4-SecOps
Kaidja/Azure-Sentinel
samilamppu/Sentinel-queries
ashwin-patil/blue-teaming-with-kql
le0li9ht/Microsoft-Sentinel-Queries
DanielChronlund/DCSecurityOperations
ugurkocde/KQL_Intune
...

Other links:

| Tags | Link |
| --- | --- |
| [KQL] | Kusto Query Language (KQL) Shortcuts |
| | Kusto Query Language (KQL) Regular Expressions Library |
| | KQL Queries Aggregator |
| [Data sources] | sreedharande/IngestOffice365AuditLogs |
| | techcommunity.microsoft.com External Data Sources in Sentinel |
| | Threat Indicator MISP |
| [Rules] | Microsoft Sentinel Analytics Rules Browser |
| | garybushey.com Markdown in Analytics Rules description |
| | medium.com/@tokesisr Mitigate High Ingestion times |
| [Playbooks] | Azure Logic Apps functions reference |
| | Incident Response Playbooks |
| | adr.iaan.be Query LogAnalytics from Logic App |
| | adr.iaan.be Forward Directory Activity Logs User Access Administrator |
| | Accelerynt-Security/AS-IP-Blocklist Logic App IP Address Alert to Conditional Access |
| | Accelerynt-Security/AS-Teams-Integration Logic App to Teams channel |
| | Accelerynt-Security/AS-Domain-Watchlist Logic App Alert Entity to Watchlist |
| | briandelmsft/SentinelAutomationModules triage incidents |
| [Notebooks] | microsoft/msticpy |
| | garybushey.com Machine Learning in Sentinel |
| [UEBA] | https://github.com/oshezaf/Sentinel-Custom-Analytics |
| | cloudbrothers.info UEBA in Microsoft Sentinel |
| [Azure AD] | Azure AD audit activity reference |
| | Azure AD security operations guide |
| | Microsoft SignInLogs Error Codes (ResultType) |
| | acalarch/azure-signinlog-results |
| | merill.net Microsoft Graph Permission Explorer (old permissions may appear if you write them in the URI path) |
| | msandbu/azuread Azure AD ecosystem picture |
| [Defender for Cloud] | Defender for Cloud alerts |
| | Defender for Cloud recommendations |
| | Defender for Cloud Labs |
| [Defender for Endpoint] | Defender for Endpoint exclusions |
| | Defender for Endpoint performance analyzer |
| | Tweet @SwiftOnSecurity Defender for Endpoint performance analyzer |
| [Defender for Identity] | Defender for Identity alerts |
| | jeffreyappel.nl Defender for Identity configuration |
| [Blog] | garybushey.com Blog Gary Bushey |
| | azurecloudai.blog Blog Microsoft |
| | techcommunity.microsoft.com Blog Microsoft Sentinel |
| [Training] | https://detective.kusto.io/ Game Azure Data Explorer Kusto KQL |
| | Microsoft Sentinel training |
| | Microsoft Sentinel Ninja training |
| | OTRF/Microsoft-Sentinel2Go |
| | tomwechsler/Microsoft_Cloud_Security |
| | kkneomis/kc7 |
| [Control] | sreedharande/Microsoft-Sentinel-As-A-Code |
| | www.infernux.no Create templates from your Analytics Rules to start a repository |
| | sreedharande/MS-Sentinel-Bulk-Delete-Threat-Indicators |

If you feel generous, I would appreciate it if you bought me a coffee :)
