Skip to content

Latest commit

 

History

History

Detections

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
ASimAuthentication
ASimAuthentication
 
 
ASimDNS
ASimDNS
 
 
ASimFileEvent
ASimFileEvent
 
 
ASimNetworkSession
ASimNetworkSession
 
 
ASimProcess
ASimProcess
 
 
ASimWebSession
ASimWebSession
 
 
AWSCloudTrail
AWSCloudTrail
 
 
AWSGuardDuty
AWSGuardDuty
 
 
Anomalies
Anomalies
 
 
AuditLogs
AuditLogs
 
 
AzureActivity
AzureActivity
 
 
AzureAppServices
AzureAppServices
 
 
AzureDevOpsAuditing
AzureDevOpsAuditing
 
 
AzureDiagnostics
AzureDiagnostics
 
 
AzureFirewall
AzureFirewall
 
 
AzureWAF
AzureWAF
 
 
BehaviorAnalytics
BehaviorAnalytics
 
 
CiscoUmbrella
CiscoUmbrella
 
 
CommonSecurityLog
CommonSecurityLog
 
 
DeviceEvents
DeviceEvents
 
 
DeviceFileEvents
DeviceFileEvents
 
 
DeviceNetworkEvents
DeviceNetworkEvents
 
 
DeviceProcessEvents
DeviceProcessEvents
 
 
DnsEvents
DnsEvents
 
 
DuoSecurity
DuoSecurity
 
 
GitHub
GitHub
 
 
Heartbeat
Heartbeat
 
 
LAQueryLogs
LAQueryLogs
 
 
MultipleDataSources
MultipleDataSources
 
 
OfficeActivity
OfficeActivity
 
 
ProofpointPOD
ProofpointPOD
 
 
PulseConnectSecure
PulseConnectSecure
 
 
QualysVM
QualysVM
 
 
QualysVMV2
QualysVMV2
 
 
SecurityAlert
SecurityAlert
 
 
SecurityEvent
SecurityEvent
 
 
SecurityNestedRecommendation
SecurityNestedRecommendation
 
 
SigninLogs
SigninLogs
 
 
Syslog
Syslog
 
 
ThreatIntelligenceIndicator
ThreatIntelligenceIndicator
 
 
W3CIISLog
W3CIISLog
 
 
WindowsEvents
WindowsEvents
 
 
ZoomLogs
ZoomLogs
 
 
http_proxy_oab_CL
http_proxy_oab_CL
 
 
readme.md
readme.md
 
 

readme.md

About

This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.

Note: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in Microsoft Sentinel Content Hub. These are available in this repository under Solutions folder. For example, Analytic rules for the McAfee ePolicy Orchestrator solution are found here.

For general information please start with the Wiki pages.

More Specific to Detections:

  • Contribute to Analytic Templates (Detections) and Hunting queries
  • Specifics on what is required for Detections and Hunting queries is in the Query Style Guide
  • These detections are written using KQL query langauge and will provide you a starting point to protect your environment and get familiar with the different data tables.
  • To enable these detections in your environment follow the out of the box guidance (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
  • The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the SecurityAlert table and in a case in the Incidents tab
  • If you are contributing analytic rule templates as part of a solution, follow guidance for solutions to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.

Feedback

For questions or feedback, please contact AzureSentinel@microsoft.com