Azure-Sentinel/Detections
Christopher Brumm 86ba8b73cc
Update MailBoxTampering.yaml
Delete EntityMapping for InitiatedBy
2024-11-20 08:47:16 +01:00
..
ASimAuthentication Update imAuthSigninsMultipleCountries.yaml 2024-06-28 12:42:06 +05:30
ASimDNS Update versions 2024-05-10 12:36:09 +10:00
ASimFileEvent Adding FullName 2023-12-14 20:47:06 -08:00
ASimNetworkSession Added skip validations 2023-04-10 18:14:36 +05:30
ASimProcess Update imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml 2024-07-16 02:03:46 +05:30
ASimWebSession Added TTP wherver missing 2024-07-15 10:28:38 +05:30
AWSCloudTrail Business Email Compromise - Financial Fraud 2023-11-01 19:59:30 +05:30
AWSGuardDuty version update 2023-03-01 00:06:08 +05:30
Anomalies Adding FullName 2023-12-14 20:47:06 -08:00
AuditLogs Update ServicePrincipalAssignedPrivilegedRole.yaml 2024-02-27 06:56:33 -08:00
AzureActivity Update versions 2024-05-10 12:36:09 +10:00
AzureAppServices Updating entity mappings to remove legacy support and map additional entities. 2023-09-25 18:18:25 -07:00
AzureDevOpsAuditing skip validations 2022-09-22 19:24:32 +05:30
AzureDiagnostics version update 2023-03-01 00:06:08 +05:30
AzureFirewall version update 2023-03-01 00:06:08 +05:30
AzureWAF addittion 2023-03-24 11:39:30 +05:30
BehaviorAnalytics Adding FullName 2023-12-14 20:47:06 -08:00
CiscoUmbrella Removing custom entity mapping 2023-12-29 13:07:38 -08:00
CommonSecurityLog Update MultiVendor-PossibleDGAContacts.yaml 2024-10-17 17:03:56 +05:30
DeviceEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceFileEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceNetworkEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceProcessEvents Testing removal of entity mapping for UPNSuffix to see why I received length failure in GitHub validation code. 2023-09-25 18:55:31 -07:00
DnsEvents version update 2023-03-01 00:06:08 +05:30
DuoSecurity Added TTP wherver missing 2024-07-15 10:28:38 +05:30
GitHub Detection Migration tagging 2023-07-27 18:01:39 +05:30
Heartbeat Added TTP wherver missing 2024-07-15 10:28:38 +05:30
LAQueryLogs Update versions 2024-05-10 12:36:09 +10:00
MultipleDataSources Update MailBoxTampering.yaml 2024-11-20 08:47:16 +01:00
OfficeActivity Business Email Compromise - Financial Fraud 2023-11-01 19:59:30 +05:30
ProofpointPOD Repackaging ProofPointPOD 2023-03-28 14:17:17 +05:30
PulseConnectSecure Entity Work April 16 2024-04-16 15:01:28 -07:00
QualysVM Add templateids in skip validation file 2023-11-17 09:55:58 +05:30
QualysVMV2 updating Version 2023-03-01 14:42:57 +05:30
SecurityAlert Update AVSpringShell.yaml 2024-10-07 15:14:14 +05:30
SecurityEvent Update RDP_Nesting.yaml 2024-09-27 14:25:14 +05:30
SecurityNestedRecommendation Update versions 2024-05-10 12:36:09 +10:00
SigninLogs Update ExplicitMFADeny.yaml 2024-07-29 16:59:21 +05:30
Syslog version update 2023-03-01 17:36:16 +05:30
ThreatIntelligenceIndicator version update 2023-03-01 17:36:16 +05:30
W3CIISLog Update versions 2024-05-10 12:36:09 +10:00
WindowsEvents Standalone Content Renaming (#7981) 2023-05-08 18:52:09 +05:30
ZoomLogs Merge pull request #10253 from Azure/Entity-Work-April-5 2024-07-24 17:37:26 -07:00
http_proxy_oab_CL Entity Work April 22 2024-04-22 10:34:53 -07:00
readme.md fixed broken McAfee link and improved wording (#6387) 2022-10-31 18:16:32 +05:30

readme.md

About

This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.

Note: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in Microsoft Sentinel Content Hub. These are available in this repository under Solutions folder. For example, Analytic rules for the McAfee ePolicy Orchestrator solution are found here.

For general information please start with the Wiki pages.

More Specific to Detections:

  • Contribute to Analytic Templates (Detections) and Hunting queries
  • Specifics on what is required for Detections and Hunting queries is in the Query Style Guide
  • These detections are written using KQL query langauge and will provide you a starting point to protect your environment and get familiar with the different data tables.
  • To enable these detections in your environment follow the out of the box guidance (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
  • The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the SecurityAlert table and in a case in the Incidents tab
  • If you are contributing analytic rule templates as part of a solution, follow guidance for solutions to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com