https://github.com/reprise99/awesome-kql-sentinel

A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel
https://github.com/reprise99/awesome-kql-sentinel

List: awesome-kql-sentinel

Last synced: 3 months ago
JSON representation

A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel

• Host: GitHub
• URL: https://github.com/reprise99/awesome-kql-sentinel
• Owner: reprise99
• Created: 2022-01-21T11:12:26.000Z (almost 3 years ago)
• Default Branch: main
• Last Pushed: 2023-02-08T20:10:56.000Z (over 1 year ago)
• Last Synced: 2024-05-19T20:03:38.599Z (6 months ago)
• Size: 29.3 KB
• Stars: 193
• Watchers: 12
• Forks: 51
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md

Awesome Lists containing this project

• ultimate-awesome - awesome-kql-sentinel - A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel. (Other Lists / PowerShell Lists)

README

        
# awesome-kql-sentinel

A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel

> Community contributions are most welcome! Check out our [contribution guide](./CONTRIBUTING.md) today and submit a **pull request** with any adds/removes/changes to content!

## Table Of Contents

- [Official](#Official)

  - [Learn](#Official-Learn)

  - [Docs](#Official-Docs)

  - [Videos](#Official-Videos)

  - [Books](#Official-Books)

  - [Announcements and Articles](#Official-Announcements-and-Articles)

  - [Repositories and Tools](#Official-Repositories-and-Tools)

  - [Forums and Websites](#Official-Forums-and-Websites)

- [Community](#Community)

  - [Videos](#Community-Videos)

  - [Podcasts](#Community-Podcasts)

  - [Books](#Community-Books)

  - [Articles](#Community-Articles)

  - [Tools and Websites](#Community-Tools-and-Websites)

  - [Repositories](#Community-Repositories)

  - [Forums](#Community-Forums)

  - [Twitter Resources](#twitter)

### Official Learn

[Back To Top](#Table-Of-Contents)

- [Addicted to KQL](https://github.com/rod-trent/AddictedtoKQL)

- [KQL - The Next Query Language You Need to Learn](https://docs.microsoft.com/en-us/shows/data-exposed/kql-the-next-query-language-you-need-to-learn)

- [Learning path SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)](https://docs.microsoft.com/en-us/learn/paths/sc-200-utilize-kql-for-azure-sentinel/)

- [MustLearnKQL - Video Series](https://www.youtube.com/watch?v=rcy2uSMLyqo&list=PLD7rlIrZEkLgiRbIs_5JXIxzu-5tpoDbd)

- [MustLearnKQL](https://github.com/rod-trent/MustLearnKQL)

- [Tutorial: Use Kusto queries](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor)

- [Write your first query with Kusto Query Language](https://docs.microsoft.com/en-us/learn/modules/write-first-query-kusto-query-language/)

### Official Docs

[Back To Top](#Table-Of-Contents)

- [Built-in threat detection rules](https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-built-in)

- [KQL quick reference](https://docs.microsoft.com/en-us/azure/data-explorer/kql-quick-reference)

- [Kusto Query Language in Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/kusto-overview)

- [Microsoft Sentinel Docs](https://docs.microsoft.com/en-us/azure/sentinel/)

- [Query best practices](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices)

- [Splunk to Kusto Query Language map](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/splunk-cheat-sheet)

- [SQL to Kusto cheat sheet](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet)

- [What's new in Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/whats-new)

### Official Videos

[Back To Top](#Table-Of-Contents)

- [Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat Intelligence](https://www.youtube.com/watch?v=8vTVKitim5c)

- [Azure Sentinel Webinar: Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content](https://youtu.be/zaqblyjQW6k)

- [Azure Sentinel webinar: KQL part 1 of 3 - Learn the KQL you need for Azure Sentinel](https://youtu.be/EDCBLULjtCM)

- [Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises](https://youtu.be/YKD_OFLMpf8)

- [Azure Sentinel webinar: KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance](https://youtu.be/jN1Cz0JcLYU)

- [Azure Sentinel Webinar: The Information Model: Understanding Normalization in Azure Sentinel](https://youtu.be/WoGD-JeC7ng)

- [Become a Notebooks Ninja – Getting Started with Jupyter Notebooks - Microsoft Sentinel Webinar](https://youtu.be/JLOhfoovASE)

- [Deploy and Monitor Azure Key Vault Honeytokens with Microsoft Sentinel](https://youtu.be/LZoj0fqcfQY)

- [Fusion ML Detections for Emerging Threats & Configuration UI](https://youtu.be/bTDp41yMGdk) 

- [KQL Framework for Microsoft Sentinel - Empowering You to Become KQL-Savvy](https://youtu.be/j7BQvJ-Qx_k)

- [Latest Innovations for Microsoft's Cloud Native SIEM Recording - Microsoft Sentinel Webinar](https://youtu.be/kGctnb4ddAE)

- [M365 Defender - Kusto query language basics](https://www.microsoft.com/videoplayer/embed/RWRwfJ)

- [M365 Defender - Using Advanced Hunting](https://www.microsoft.com/videoplayer/embed/RE4G6DO)

- [Microsoft Security Insights Podcast - Twitch](https://www.twitch.tv/microsoftsecurityinsights)

- [Microsoft Sentinel Content Management](https://youtu.be/3iF__S-_v7A)

- [Microsoft Sentinel in the Field: Part 1 - Managing security content as code](https://www.youtube.com/watch?v=vqLqJhaFNBk)

- [Microsoft Sentinel in the Field: Part 2 - Learning with the training lab](https://www.youtube.com/watch?v=cAJEiPqocK4)

- [Microsoft Sentinel in the Field: Part 3 - Deception in Microsoft Sentinel](https://www.youtube.com/watch?v=3mWHcIfa60o)

- [Present and Future of EUBA](https://www.youtube.com/watch?v=dLVAkSLKLyQ)

### Official Books

[Back To Top](#Table-Of-Contents)

- [Azure Sentinel Technical Playbook for MSSPs](https://aka.ms/azsentinelmssp)

### Official Announcements and Articles

[Back To Top](#Table-Of-Contents)

- [Advanced KQL Framework Workbook - Empowering you to become KQL-savvy](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/advanced-kql-framework-workbook-empowering-you-to-become-kql/ba-p/3033766)

- [Defending Critical Infrastructure with the Microsoft Sentinel: IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)

- [Get Hands-On KQL Practice with this Microsoft Sentinel Workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/get-hands-on-kql-practice-with-this-microsoft-sentinel-workbook/ba-p/3055600)

- [How To Align Your Analytics With Time Windows In Azure Sentinel Using KQL (Kusto Query Language)](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574)

- [Investigating Suspicious Azure Activity with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/investigating-suspicious-azure-activity-with-microsoft-sentinel/ba-p/2985699)

- [Learning with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)

- [Leveraging the Power of KQL in Incident Response](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/leveraging-the-power-of-kql-in-incident-response/ba-p/3044795)

- [Log sources and analytics rules coverage workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/log-sources-and-analytics-rules-coverage-workbook-see-how-your/ba-p/3124444)

- [Microsoft Sentinel – continuous threat monitoring for GitHub](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-continuous-threat-monitoring-for-github/ba-p/3037154)

- [Using External Data Sources To Enrich Network Logs Using Azure Storage And KQL](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-external-data-sources-to-enrich-network-logs-using-azure/ba-p/1450345)

### Official Repositories and Tools

[Back To Top](#Table-Of-Contents)

- [azure/azure-sentinel](https://github.com/Azure/Azure-Sentinel)

- [Kusto Explorer](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/tools/kusto-explorer)

- [Log Analytics demo environment](https://ms.portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade)

- [microsoft/Kusto-Query-Language](https://github.com/microsoft/Kusto-Query-Language)

### Official Forums and Websites

[Back To Top](#Table-Of-Contents)

- [Microsoft Security Community - Youtube](https://www.youtube.com/c/MicrosoftSecurityCommunity)

- [Microsoft Security Insights - Podcast](https://open.spotify.com/show/5GnrHASof2GBIV3h53wnUK)

- [Microsoft Sentinel Blog](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/bg-p/MicrosoftSentinelBlog)

- [Microsoft Sentinel TechCommunity](https://techcommunity.microsoft.com/t5/microsoft-sentinel/bd-p/MicrosoftSentinel)

## Community

> Links below are from community sources, websites, and channels.

### Community Videos

[Back To Top](#Table-Of-Contents)

- [Azure Sentinel Lab Series](https://www.youtube.com/playlist?list=PLM3TOIlrnaI6B9ikTWz8A0FY812ZqBO3_)

- [AzureFunBytes Episode 64 - Building SOC Efficiency with @Azure Sentinel with @rodtrent](https://youtu.be/wuqCjUmOFV0)

- [GrayHat 2020 - Blue Teaming with Kusto Query Language, KQL - Ashwin Patil](https://www.youtube.com/watch?v=IMZkqTEBFeA)

- [Managing Microsoft Sentinel using GIT repositories](https://youtu.be/A-rL3JIwEQ4)

- [Setting up your first Azure Sentinel environment in 50 minutes](https://www.youtube.com/watch?v=29T8sWQPOxQ)

- [Using Azure Sentinel to protect Microsoft Teams](https://www.youtube.com/watch?v=5fRmfUVMEPY)

### Community Podcasts

[Back To Top](#Table-Of-Contents)

- [KQL | Cafe](https://kqlcafe.github.io/website/)

### Community Books

[Back To Top](#Table-Of-Contents)

- [Microsoft 365 Security eBook](https://m365securitybook.com/)

- [Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide](https://www.amazon.com/Microsoft-Security-Operations-Analyst-Certification-ebook/dp/B09R4SC4S5/ref=sr_1_1?crid=2OASBP4AR09EE&keywords=Microsoft+Security+Operations+Analyst+Exam+Ref+SC-200&qid=1644445540&s=digital-text&sprefix=microsoft+security+operations+analyst+exam+ref+sc-200%2Cdigital-text%2C301&sr=1-1)

- [Microsoft Sentinel in Action](https://www.amazon.com/Microsoft-Sentinel-Action-Architect-implement-dp-1801815534/dp/1801815534/ref=dp_ob_title_bk)

### Community Articles

[Back To Top](#Table-Of-Contents)

- [Azure Sentinel Syslog Workbook](https://www.cloudsma.com/2020/05/azure-sentinel-syslog-workbook/)

- [Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR](https://jeffreyappel.nl/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr/)

- [Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel](https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/)

- [How to Use Office 365 Audit Data with Microsoft Sentinel](https://practical365.com/use-office-365-audit-data-with-microsoft-sentinel/)

- [Hunting For Anomalies With Time-Series Analysis](https://m365internals.com/2021/02/16/hunting-for-anomalies-with-time-series/)

- [Hunting Log4j with Sentinel](https://www.eshlomo.us/hunting-log4j-with-sentinel/)

- [Keep an eye on your Azure AD guests with Microsoft Sentinel](https://learnsentinel.blog/2021/11/04/keep-an-eye-on-your-azure-ad-guests-with-microsoft-sentinel)

- [KQL Cheat Sheet](https://www.mbsecure.nl/blog/2019/12/kql-cheat-sheet)

- [KQLCeption – use KQL to investigate Microsoft Sentinel](https://learnsentinel.blog/2022/01/24/kqlception/)

- [Kusto Make-Series vs Summarize](https://www.cloudsma.com/2021/04/kusto-make-series-vs-summarize/)

- [Log4j Incident Response](https://www.eshlomo.us/log4j-incident-response/)

- [Microsoft Sentinel – How to Leverage built-in Amazon Web Services S3 Data Connector](https://samilamppu.com/2022/01/17/microsoft-sentinel-how-to-leverage-built-in-amazon-web-services-s3-data-connector/)

- [Microsoft Sentinel and the power of functions](https://learnsentinel.blog/2021/12/16/microsoft-sentinel-and-the-power-of-functions/)

- [Monitor Microsoft Sentinel Data Connectors using Health Monitoring and Logic App](https://jeffreyappel.nl/monitor-microsoft-sentinel-data-connectors-using-health-monitoring-and-logic-app/)

- [Monitoring of GitHub Enterprise with Microsoft Sentinel](https://www.cloud-architekt.net/github-enterprise-monitoring-sentinel/)

- [Ollie, your personal Microsoft Sentinel assistant](https://thecollective.eu/blog/ollie-your-personal-microsoft-sentinel-assistant/)

- [Optimize your Microsoft Sentinel pricing](https://medium.com/wortell/optimize-microsoft-sentinel-pricing-ca9901840b75)

- [Set up Microsoft Sentinel as a single pane of glass for Microsoft 365 alerts](https://practical365.com/set-up-microsoft-sentinel-as-a-single-pane-of-glass-for-microsoft-365-alerts/)

- [Setting up a bidirectional sync between Sentinel and JIRA](https://thecollective.eu/news/setting-up-a-bidirectional-sync-between-sentinel-and-jira/)

- [Tag domain controllers automatically in Defender for Endpoint using KQL, Logic App, and API](https://jeffreyappel.nl/tag-domain-controllers-automatically-in-defender-for-endpoint-using-kql-logic-app-and-api/)

- [Too much noise in your data? Summarize it!](http://learnsentinel.blog/2022/02/09/summarize-your-data/)

- [What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD](https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/)

- [When does enabling Microsoft Sentinel make sense?](https://practical365.com/when-does-enabling-microsoft-sentinel-make-sense/)

### Community Tools and Websites

[Back To Top](#Table-Of-Contents)

- [Azure Cloud & AI Domain Blog](https://azurecloudai.blog/)

- [Cloud, Systems Management, Automation](https://www.cloudsma.com/)

- [FalconForce](https://www.falconforce.nl/en/blog/)

- [Jeffrey Appel](https://jeffreyappel.nl/)

- [Kusto King - Kusto Knight Learning Track](https://www.kustoking.com/kusto-knight/)

- [Learn Sentinel](https://learnsentinel.blog/blog/)

- [Managed Sentinel - Blog](https://www.managedsentinel.com/blog/)

- [Microsoft Sentinel this Week](https://www.getrevue.co/profile/AzureSentinelToday)

- [Sam's Corner](https://samilamppu.com/)

- [SecureCloudBlog](https://securecloud.blog/)

### Community Repositories

[Back To Top](#Table-Of-Contents)

- [alexverboon/MDATP/tree/master/AdvancedHunting (Advanced Hunting)](https://github.com/alexverboon/MDATP/tree/master/AdvancedHunting)

- [ashwin-patil/blue-teaming-with-kql](https://github.com/ashwin-patil/blue-teaming-with-kql)

- [eshlomo1/Azure-Sentinel-4-SecOps](https://github.com/eshlomo1/Azure-Sentinel-4-SecOps)

- [FalconForceTeam/FalconFriday](https://github.com/FalconForceTeam/FalconFriday)

- [Kaidja/Azure-Sentinel](https://github.com/Kaidja/Azure-Sentinel)

- [marcusbakker/KQL](https://github.com/marcusbakker/KQL)

- [reprise99/Sentinel-Queries](https://github.com/reprise99/Sentinel-Queries)

- [rod-trent/SentinelKQL](https://github.com/rod-trent/SentinelKQL)

- [scautomation/Azure-Sentinel-Syslog-Workbook](https://github.com/scautomation/Azure-Sentinel-Syslog-Workbook)

- [wortell/KQL](https://github.com/wortell/KQL)

### Community Forums

[Back To Top](#Table-Of-Contents)

- [Reddit - Azure Sentinel](https://www.reddit.com/r/azuresentinel)

- [Reddit - Azure](https://reddit.com/r/AZURE)

- [Stack Overflow - KQL](https://stackoverflow.com/questions/tagged/kql)

### Twitter

[Back To Top](#Table-Of-Contents)

- [Alex Verboon](https://twitter.com/alexverboon)

- [Billy York](https://twitter.com/SCAutomation)

- [DebugPrivilege](https://twitter.com/DebugPrivilege)

- [Elli (IR)](https://twitter.com/misconfig)

- [FalconForce Official](https://twitter.com/falconforceteam)

- [Gianni](https://twitter.com/castello_johnny)

- [Jan Geisbauer](https://twitter.com/JanGeisbauer)

- [Jeffrey Appel](https://twitter.com/JeffreyAppel7)

- [Kaido Järvemets](https://twitter.com/kaidja)

- [Matt Zorich](https://twitter.com/reprise_99)

- [Rod Trent](https://twitter.com/rodtrent)

- [Sami Lamppu](https://twitter.com/samilamppu)