Repository with Sentinel Analytics Rules, Hunting Queries and helpful external data sources.
f-bader/AzSentinelQueries

Microsoft Sentinel hunting queries and Analytics rules

Azure Attack Paths

Initially, the queries and Analytics Rules in this repository were related to the Azure Attack Paths blog post. Over time, I also add new Analytics Rules that are related to other blog posts of mine.

All queries are ready to be used in Microsoft Sentinel.

HuntingQueries

  1. Azure VM Run Command or Custom Script execution
  2. Changes to Azure Lighthouse delegation
  3. Grant high privilege Azure AD role to identity
  4. Grant high privilege Microsoft Graph permissions

AnalyticsRules

External data sources

Some external data sources need additional modification or are not available through the externaldata function directly. In that case I will add them here.

| Source | Description | Modification | Reason |
| --- | --- | --- | --- |
| https://mask-api.icloud.com/egress-ip-ranges.csv | Current list of all IP addresses of the iCloud Private Relay service. https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/ | Added column to distinguish between IPv4 and IPv6 | externaldata cannot fetch the CSV from Apple servers |
| https://www.gstatic.com/g1vpn/geofeed | Current list of all IP addresses of the Google One VPN service. https://one.google.com/about/vpn/howitworks | Added column to distinguish between IPv4 and IPv6 | externaldata cannot fetch the CSV from Google server |
| https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes | Microsoft File systems driver allocated filter altitudes | Convert from markdown to csv | |
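The two IP-range feeds above are republished with an extra column that marks each range as IPv4 or IPv6, so that a Sentinel query can filter on address family without parsing the CIDR string in KQL. The script below is an added example of that preprocessing step; it is not code from this repository. The input CSV is constructed for the example (the column names `range`, `country`, `region`, `city` and the output column name `IPVersion` are assumptions, not the layout of the real Apple or Google feeds), and rows whose range column does not parse as an address or network are dropped rather than silently labelled.

```python
import csv
import io
import ipaddress

# Constructed sample input. It only illustrates the shape of a feed with one
# CIDR range per row; it is NOT the real Apple or Google data.
SAMPLE_CSV = """range,country,region,city
172.224.224.0/27,US,US-CA,Los Angeles
2a02:26f7:c5c0:a00::/56,DE,DE-HE,Frankfurt
not-an-ip,XX,XX,Unknown
"""


def ip_version(value: str):
    """Return 4 or 6 for an IP address or CIDR range, or None if it does not parse.

    strict=False accepts ranges whose host bits are set, which some feeds emit.
    """
    try:
        return ipaddress.ip_network(value.strip(), strict=False).version
    except ValueError:
        return None


def add_ip_version_column(csv_text, range_column="range", new_column="IPVersion"):
    """Parse a CSV and return (fieldnames, rows) with an added IP-version column.

    Rows whose range column is not a valid address or network are skipped so
    that a malformed line cannot end up in the published lookup table.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames) + [new_column]
    rows = []
    for row in reader:
        version = ip_version(row.get(range_column, ""))
        if version is None:
            continue
        row[new_column] = str(version)
        rows.append(row)
    return fieldnames, rows


def convert(csv_text, range_column="range", new_column="IPVersion"):
    """Return the rewritten CSV text, ready to be published for externaldata."""
    fieldnames, rows = add_ip_version_column(csv_text, range_column, new_column)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(convert(SAMPLE_CSV))
```

Once the rewritten CSV is hosted somewhere externaldata can reach, a query can join on the range column and restrict to `IPVersion == "4"` or `"6"` as needed; the exact column names in the files published in this repository are not shown on this page, so check the file header before writing the query.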

Logic Apps

Along some of my blog posts I release Logic Apps related to Microsoft Sentinel. Those

| Filename | Blogpost |
| --- | --- |
| SyncDfCAlertsWithSentinelIncidents-SMI.arm.json | Sync Defender for Cloud Alerts with Sentinel Incidents |
| SyncDfCAlertsWithSentinelIncidents-UMI.arm.json | Sync Defender for Cloud Alerts with Sentinel Incidents |
| AutoCloseAppleiCloudPrivateRelayIncidents.arm.json | Anonymous IP address involving Apple iCloud Private Relay |
| Template.arm.json | Empty Logic App template containing all things required for a Sentinel Incident Playbook |