Azure-Sentinel/Detections
v-atulyadav a46293089f
Merge pull request #11294 from atombravo/atombravo-patch-AADHostLoginCorrelations
Update AADHostLoginCorrelation.yaml
2024-10-18 11:14:56 +05:30
..
ASimAuthentication Update imAuthSigninsMultipleCountries.yaml 2024-06-28 12:42:06 +05:30
ASimDNS Update versions 2024-05-10 12:36:09 +10:00
ASimFileEvent Adding FullName 2023-12-14 20:47:06 -08:00
ASimNetworkSession
ASimProcess Update imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml 2024-07-16 02:03:46 +05:30
ASimWebSession Added TTP wherver missing 2024-07-15 10:28:38 +05:30
AWSCloudTrail Business Email Compromise - Financial Fraud 2023-11-01 19:59:30 +05:30
AWSGuardDuty
Anomalies Adding FullName 2023-12-14 20:47:06 -08:00
AuditLogs Update ServicePrincipalAssignedPrivilegedRole.yaml 2024-02-27 06:56:33 -08:00
AzureActivity Update versions 2024-05-10 12:36:09 +10:00
AzureAppServices Updating entity mappings to remove legacy support and map additional entities. 2023-09-25 18:18:25 -07:00
AzureDevOpsAuditing
AzureDiagnostics
AzureFirewall
AzureWAF
BehaviorAnalytics Adding FullName 2023-12-14 20:47:06 -08:00
CiscoUmbrella Removing custom entity mapping 2023-12-29 13:07:38 -08:00
CommonSecurityLog Update MultiVendor-PossibleDGAContacts.yaml 2024-10-17 17:03:56 +05:30
DeviceEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceFileEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceNetworkEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceProcessEvents Testing removal of entity mapping for UPNSuffix to see why I received length failure in GitHub validation code. 2023-09-25 18:55:31 -07:00
DnsEvents
DuoSecurity Added TTP wherver missing 2024-07-15 10:28:38 +05:30
GitHub
Heartbeat Added TTP wherver missing 2024-07-15 10:28:38 +05:30
LAQueryLogs Update versions 2024-05-10 12:36:09 +10:00
MultipleDataSources Update AADHostLoginCorrelation.yaml 2024-10-17 12:58:00 -04:00
OfficeActivity Business Email Compromise - Financial Fraud 2023-11-01 19:59:30 +05:30
ProofpointPOD
PulseConnectSecure Entity Work April 16 2024-04-16 15:01:28 -07:00
QualysVM Add templateids in skip validation file 2023-11-17 09:55:58 +05:30
QualysVMV2
SecurityAlert Update AVSpringShell.yaml 2024-10-07 15:14:14 +05:30
SecurityEvent Update RDP_Nesting.yaml 2024-09-27 14:25:14 +05:30
SecurityNestedRecommendation Update versions 2024-05-10 12:36:09 +10:00
SigninLogs Update ExplicitMFADeny.yaml 2024-07-29 16:59:21 +05:30
Syslog
ThreatIntelligenceIndicator
W3CIISLog Update versions 2024-05-10 12:36:09 +10:00
WindowsEvents
ZoomLogs Merge pull request #10253 from Azure/Entity-Work-April-5 2024-07-24 17:37:26 -07:00
http_proxy_oab_CL Entity Work April 22 2024-04-22 10:34:53 -07:00
readme.md

readme.md

About

This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.

Note: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in Microsoft Sentinel Content Hub. These are available in this repository under Solutions folder. For example, Analytic rules for the McAfee ePolicy Orchestrator solution are found here.

For general information please start with the Wiki pages.

More Specific to Detections:

  • Contribute to Analytic Templates (Detections) and Hunting queries
  • Specifics on what is required for Detections and Hunting queries is in the Query Style Guide
  • These detections are written using KQL query langauge and will provide you a starting point to protect your environment and get familiar with the different data tables.
  • To enable these detections in your environment follow the out of the box guidance (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
  • The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the SecurityAlert table and in a case in the Incidents tab
  • If you are contributing analytic rule templates as part of a solution, follow guidance for solutions to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com