Azure-Sentinel/Detections
..
ASimAuthentication
ASimDNS
ASimFileEvent
ASimNetworkSession
ASimProcess
ASimWebSession
AWSCloudTrail
AWSGuardDuty
Anomalies
AuditLogs
AzureActivity
AzureAppServices
AzureDevOpsAuditing
AzureDiagnostics
AzureFirewall
AzureWAF
BehaviorAnalytics
CiscoUmbrella
CommonSecurityLog
DeviceEvents
DeviceFileEvents
DeviceNetworkEvents
DeviceProcessEvents
DnsEvents
DuoSecurity
GitHub
Heartbeat
LAQueryLogs
MultipleDataSources
OfficeActivity
ProofpointPOD
PulseConnectSecure
QualysVM
QualysVMV2
SecurityAlert
SecurityEvent
SecurityNestedRecommendation
SigninLogs
Syslog
ThreatIntelligenceIndicator
W3CIISLog
WindowsEvents
ZoomLogs
http_proxy_oab_CL
readme.md

readme.md

About

This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.

Note: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in Microsoft Sentinel Content Hub. These are available in this repository under Solutions folder. For example, Analytic rules for the McAfee ePolicy Orchestrator solution are found here.

For general information please start with the Wiki pages.

More Specific to Detections:

  • Contribute to Analytic Templates (Detections) and Hunting queries
  • Specifics on what is required for Detections and Hunting queries is in the Query Style Guide
  • These detections are written using KQL query langauge and will provide you a starting point to protect your environment and get familiar with the different data tables.
  • To enable these detections in your environment follow the out of the box guidance (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
  • The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the SecurityAlert table and in a case in the Incidents tab
  • If you are contributing analytic rule templates as part of a solution, follow guidance for solutions to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com