Detection folders, one per data source:
- AWSCloudTrail
- AuditLogs
- AzureActivity
- AzureDiagnostics
- CommonSecurityLog
- DnsEvents
- MultipleDataSources
- OfficeActivity
- SecurityEvent
- SigninLogs
- Syslog
- ThreatIntelligenceIndicator
- W3CIISLog
- ZoomLogs
readme.md
About
- This folder contains detections based on different types of data sources that you can leverage to create alerts and respond to threats in your environment.
- These detections are written in the KQL query language and provide a starting point for protecting your environment and getting familiar with the different data tables.
- To create a detection in your environment:
  - go to the 'Analytics' section
  - copy the required query
  - update the alert rule parameters according to the detection parameters: copy the name, the description, the lookback time, the threshold and the severity.
  - the query will be simulated and you will immediately see whether you have hits based on the detection.
  - create the alert rule
- The rule created will run the query at the scheduled time that was defined and trigger an alert that will be visible both in the SecurityAlert table and as a case on the Cases page.
For questions or feedback, please contact AzureSentinel@microsoft.com