https://github.com/joelst/sentinel

Collection of Microsoft Sentinel scripts, queries, and nicknacks

# Microsoft Sentinel Resources

This repo holds random bits and pieces of collected Sentinel scripts, queries, and knickknacks. Below is a collection of resources that may be helpful in learning about Sentinel.

## Microsoft Sentinel

- [What is Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/overview?tabs=azure-portal)
- [Official Sentinel GitHub (many gems to be found here!)](https://github.com/azure/azure-sentinel)
- [Sentinel Ninja Training](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/become-a-microsoft-sentinel-ninja-the-complete-level-400-training/1246310)

## KQL Resources

- [Kusto Query Language | KQLQuery.com](https://kqlquery.com/)
- [marcusbakker/KQL: Kusto Query Language Cheat Sheet](https://github.com/marcusbakker/KQL)
- [Pluralsight: KQL from scratch](https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch)
- [Kusto Detective Agency](https://detective.kusto.io/)
- [Cloud Academy: Introduction to Kusto Query Language](https://cloudacademy.com/lab/introduction-to-kusto-query-language/)
- Rod Trent's trove of KQL resources
  - [rodtrent/MustLearnKQL Book](https://github.com/rod-trent/MustLearnKQL)
  - [Purchase MustLearnKQL Book (Amazon)](https://amzn.to/39maJSX)
  - [MustLearnKQL YouTube Channel](https://youtu.be/rcy2uSMLyqo)
  - [The KQL Mysteries series by Rod Trent](https://github.com/rod-trent/KQLMysteries)

## Analytics, Detection, and Hunting

- [reprise99 Collection of KQL queries](https://github.com/reprise99/Sentinel-Queries)
- [f-bader Repository with Sentinel Analytics Rules, Hunting Queries and helpful external data sources.](https://github.com/f-bader/AzSentinelQueries)
- [ep3p Sentinel KQL (Kusto Query Language) queries and Watchlist schemes.](https://github.com/ep3p/Sentinel_KQL)
- [rod-trent Azure Sentinel KQL](https://github.com/rod-trent/SentinelKQL)
- [cyb3rmik3 KQL queries focused on threat hunting and threat detecting for Microsoft Sentinel & Microsoft XDR](https://github.com/cyb3rmik3/KQL-threat-hunting-queries)
- [Bert-JanP Sentinel and Defender Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules?tab=readme-ov-file)
- [FalconForceTeam/FalconFriday: Hunting queries and detections](https://github.com/FalconForceTeam/FalconFriday)
- [FalconForceTeam/KQLAnalyzer: REST server that can analyze Kusto KQL queries against the Sentinel and Microsoft 365 Defender schemas.](https://github.com/FalconForceTeam/KQLAnalyzer)
- [wortell/KQL: KQL queries for Advanced Hunting](https://github.com/wortell/KQL)
- [Bert-JanP/MDE-DFIR-Resources: A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.](https://github.com/Bert-JanP/MDE-DFIR-Resources)
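
The repositories above (and the KQL learning resources listed earlier) are full of analytics and hunting queries; the following is an added example of the style of query they contain, written for this page rather than taken from this repo or any of the linked projects. It runs against the Entra ID `SigninLogs` table in a Sentinel workspace and looks for a password-spray pattern: one source IP failing with invalid credentials (`ResultType` `50126`) against many distinct accounts inside a short window, then checks whether any account signed in successfully (`ResultType` `0`) from that IP afterwards. The `lookback` and `min_accounts` thresholds are assumptions to tune per tenant, not values recommended anywhere on this page.

```kql
// Added example, not code from the joelst/sentinel repo.
// Password-spray detection over Entra ID sign-in logs.
// Assumptions: lookback window and account threshold are placeholders to tune.
let lookback = 1h;
let min_accounts = 10;
// Step 1: failed sign-ins with bad credentials, grouped by source IP.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"              // invalid username or password
    | summarize
        FailedAttempts   = count(),
        TargetedAccounts = dcount(UserPrincipalName),
        AccountSample    = make_set(UserPrincipalName, 10),
        FirstFailure     = min(TimeGenerated),
        LastFailure      = max(TimeGenerated)
      by IPAddress
    | where TargetedAccounts >= min_accounts;  // many accounts from one IP = spray shape
// Step 2: successful sign-ins in the same window, grouped by source IP.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                  // 0 = success
    | summarize
        SuccessfulAccounts = make_set(UserPrincipalName, 10),
        FirstSuccess       = min(TimeGenerated)
      by IPAddress;
// Step 3: keep every spraying IP; mark the ones where a success followed the failures.
failures
| join kind=leftouter successes on IPAddress
| extend SprayFollowedBySuccess = isnotnull(FirstSuccess) and FirstSuccess > FirstFailure
| project
    IPAddress,
    FailedAttempts,
    TargetedAccounts,
    AccountSample,
    FirstFailure,
    LastFailure,
    SuccessfulAccounts,
    SprayFollowedBySuccess
| order by SprayFollowedBySuccess desc, TargetedAccounts desc
```

Run it in Logs or paste it into a scheduled analytics rule; `SprayFollowedBySuccess == true` rows are the ones worth an incident, since a success after a spray from the same IP suggests a guessed password rather than noise. The `leftouter` join keeps IPs with no success so the spray itself still surfaces for hunting. Map `IPAddress` and the account sets to IP and Account entities when turning it into a rule, and expect to raise `min_accounts` in tenants with noisy shared egress IPs.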

## Workbooks and PowerBI

- [Commonly Used Sentinel Workbooks](https://learn.microsoft.com/en-us/azure/sentinel/top-workbooks)
- [Advanced Workbook Concepts](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/advanced-workbook-concepts-with-workbooks-202/3784676)

## Playbooks and Automation

- [Bert-JanP/Sentinel-Automation: Sentinel Logic Apps/Playbooks to automate enrichment, incident analysis and more.](https://github.com/Bert-JanP/Sentinel-Automation)
- [Sentinel Triage Assistant](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-the-microsoft-sentinel-triage-assistant-stat/3845846)

## Threat Intelligence

- [Bert-JanP/Open-Source-Threat-Intel-Feeds: Open Source freely usable Threat Intel feeds](https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds)

## Notebooks and Machine Learning

- [Sentinel Introduction to Jupyter Notebooks](https://learn.microsoft.com/en-us/azure/sentinel/notebooks)
- [Creating your first Sentinel Jupyter Notebook](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/creating-your-first-microsoft-sentinel-notebook/2977745)

## Collecting Logs and Azure Monitor Agent

- [MMA to AMA Migration](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration)

## SOC Optimization

- SOON

## Retention

- SOON

## Defender XDR

- [Defender XDR Ninja Training](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/become-a-microsoft-defender-xdr-ninja/1789376)

## General SIEM / Logging Resources

- [Syslog message formats](https://help.deepsecurity.trendmicro.com/10_2/azure/Events-Alerts/syslog-parsing.html)