Azure-Sentinel/Hunting Queries
Ajeet Prakash (MSTIC) 7683f1f965 Updated queries as per suggestions from Shain. 2022-04-05 11:02:20 -07:00
ASimProcess ASIM renames 2022-03-02 15:05:56 -08:00
ASimRegistry ASIM renames 2022-03-02 15:05:56 -08:00
AWSCloudTrail more fixes 2021-08-06 14:29:41 -07:00
AWSS3 Fixes 2021-08-06 14:12:37 -07:00
AuditLogs Merge pull request #1605 from setprice2245/patch-1 2021-11-21 11:51:53 -08:00
AzureActivity Changing _SubscriptionId to SubscriptionId as schema was updated a while back. These still run, but we need to be using the updated field name. 2022-03-29 16:24:50 -07:00
AzureDevOpsAuditing Revert "Revert "Merge branch 'master' of https://github.com/Azure/Azure-Sentinel"" 2022-01-03 16:21:46 +02:00
AzureDiagnostics Updated queries as per suggestions from Shain. 2022-04-05 11:02:20 -07:00
AzureStorage Updating connector to MicrosoftThreatProtection 2022-03-07 09:52:34 -08:00
BehaviorAnalytics Updating queries with common timestamp param to support future features. 2021-09-10 10:10:13 -07:00
CommonSecurityLog Update PaloAlto-HighRiskPorts.yaml 2022-01-19 12:09:40 +05:30
DnsEvents Remove Duplicate Query in Filter for Known Domains Using Long DNS 2022-02-22 15:35:02 +08:00
GitHub Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
LAQueryLogs Merge pull request #2803 from Azure/pebryan/2021-8-9_Watchlists 2021-08-19 13:13:18 -07:00
Microsoft 365 Defender Update riskySignInToElevateAccess.yaml 2022-03-24 16:08:42 +00:00
MultipleDataSources Merge pull request #4529 from Azure/shainw-MultiDS_Fixes 2022-03-29 18:14:36 -07:00
OfficeActivity Add conditions in OfficeMailForwarding_hunting.yaml 2022-01-10 10:49:45 +01:00
ProofpointPOD Fixes 2021-08-06 14:12:37 -07:00
SQLServer Updating the name from “Azure Sentinel” to “Microsoft Sentinel” for Detection and Hunting Queries. 2021-11-09 18:41:23 -08:00
SecurityAlert replacing deprecated parsejson with parse_json 2021-08-17 12:26:48 -07:00
SecurityEvent Impacket query + addition of latest Azure IP ranges 2022-03-10 14:24:30 -08:00
SigninLogs Merge pull request #4506 from thmcelro/advanced-hunting-tom 2022-03-25 10:15:20 -07:00
Syslog Adding with changes 2022-03-31 16:38:02 -07:00
ThreatIntelligenceIndicator Updating TI queries based on feedback and discussions on this PR - #3477 - and I don't want preferences for a specific environment to be included. This includes generic changes that need to be done. 2021-11-29 13:58:28 -08:00
W3CIISLog Entity mapped 2022-03-10 13:37:52 +05:30
WireData Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
ZoomLogs Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. 2021-08-12 10:58:18 -07:00
QUERY_TEMPLATE.md Couple additional fixes 2021-02-01 08:22:36 -08:00
readme.md Updating the name from “Azure Sentinel” to “Microsoft Sentinel” for Detection and Hunting Queries. 2021-11-09 18:41:23 -08:00

readme.md

About

This folder contains Hunting Queries based on different types of data sources that you can leverage in order to perform broad threat hunting in your environment.

For general information, please start with the Wiki pages.

More Specific to Hunting Queries:

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com