Azure-Sentinel/Detections
Shain 62267e05d8
Update ServicePrincipalAssignedPrivilegedRole.yaml
2024-02-27 06:56:33 -08:00
..
ASimAuthentication Adding FullName 2023-12-14 20:47:06 -08:00
ASimDNS EntityWorkJan3 - Manny 2024-01-03 06:59:58 -08:00
ASimFileEvent Adding FullName 2023-12-14 20:47:06 -08:00
ASimNetworkSession Added skip validations 2023-04-10 18:14:36 +05:30
ASimProcess Merge pull request #10050 from Azure/shainw-Dev-0228-entitymapFix 2024-02-26 12:00:31 -08:00
ASimWebSession Version misses 2023-12-14 20:55:42 -08:00
AWSCloudTrail Business Email Compromise - Financial Fraud 2023-11-01 19:59:30 +05:30
AWSGuardDuty version update 2023-03-01 00:06:08 +05:30
Anomalies Adding FullName 2023-12-14 20:47:06 -08:00
AuditLogs Update ServicePrincipalAssignedPrivilegedRole.yaml 2024-02-27 06:56:33 -08:00
AzureActivity Couple more fixes 2023-12-14 22:59:43 -08:00
AzureAppServices Updating entity mappings to remove legacy support and map additional entities. 2023-09-25 18:18:25 -07:00
AzureDevOpsAuditing skip validations 2022-09-22 19:24:32 +05:30
AzureDiagnostics version update 2023-03-01 00:06:08 +05:30
AzureFirewall version update 2023-03-01 00:06:08 +05:30
AzureWAF addittion 2023-03-24 11:39:30 +05:30
BehaviorAnalytics Adding FullName 2023-12-14 20:47:06 -08:00
CiscoUmbrella Removing custom entity mapping 2023-12-29 13:07:38 -08:00
CommonSecurityLog Updating entity mappings to remove legacy support and map additional entities. 2023-09-25 18:18:25 -07:00
DeviceEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceFileEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceNetworkEvents Analytic rules version incremented 2023-11-12 13:42:10 +05:30
DeviceProcessEvents Testing removal of entity mapping for UPNSuffix to see why I received length failure in GitHub validation code. 2023-09-25 18:55:31 -07:00
DnsEvents version update 2023-03-01 00:06:08 +05:30
DuoSecurity Update IPEntity_DuoSecurity.yaml 2023-03-01 10:28:56 +05:30
GitHub Detection Migration tagging 2023-07-27 18:01:39 +05:30
Heartbeat 🐛 Remove preceding newlines in queries 2022-12-28 19:58:31 +11:00
LAQueryLogs updated author name 2023-09-25 18:23:37 -07:00
MultipleDataSources Update Accountcreatedfromnon-approvedsources.yaml 2024-01-25 07:47:15 -08:00
OfficeActivity Business Email Compromise - Financial Fraud 2023-11-01 19:59:30 +05:30
ProofpointPOD Repackaging ProofPointPOD 2023-03-28 14:17:17 +05:30
PulseConnectSecure MetaData tagged for remaining analytics 2022-10-31 18:07:11 +05:30
QualysVM Add templateids in skip validation file 2023-11-17 09:55:58 +05:30
QualysVMV2 updating Version 2023-03-01 14:42:57 +05:30
SecurityAlert Adjusting identifier count per entity type 2023-12-14 22:41:39 -08:00
SecurityEvent version 2024-01-22 08:30:26 -08:00
SecurityNestedRecommendation version update 2023-03-01 17:36:16 +05:30
SigninLogs Merge branch 'master' into Entity-Work-#5-Diana's-Half 2023-12-28 14:35:29 -08:00
Syslog version update 2023-03-01 17:36:16 +05:30
ThreatIntelligenceIndicator version update 2023-03-01 17:36:16 +05:30
W3CIISLog adjustments 2023-12-28 14:22:21 -08:00
WindowsEvents Standalone Content Renaming (#7981) 2023-05-08 18:52:09 +05:30
ZoomLogs 🐛 Remove preceding newlines in queries 2022-12-28 19:58:31 +11:00
http_proxy_oab_CL Standalone Content Renaming (#7981) 2023-05-08 18:52:09 +05:30
readme.md fixed broken McAfee link and improved wording (#6387) 2022-10-31 18:16:32 +05:30

readme.md

About

This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.

Note: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in Microsoft Sentinel Content Hub. These are available in this repository under Solutions folder. For example, Analytic rules for the McAfee ePolicy Orchestrator solution are found here.

For general information please start with the Wiki pages.

More Specific to Detections:

  • Contribute to Analytic Templates (Detections) and Hunting queries
  • Specifics on what is required for Detections and Hunting queries is in the Query Style Guide
  • These detections are written using KQL query langauge and will provide you a starting point to protect your environment and get familiar with the different data tables.
  • To enable these detections in your environment follow the out of the box guidance (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
  • The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the SecurityAlert table and in a case in the Incidents tab
  • If you are contributing analytic rule templates as part of a solution, follow guidance for solutions to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com