Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/reprise99/awesome-kql-sentinel

A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel
https://github.com/reprise99/awesome-kql-sentinel

List: awesome-kql-sentinel

Last synced: about 1 month ago
JSON representation

A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel

Awesome Lists containing this project

README

        

# awesome-kql-sentinel

A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel

> Community contributions are most welcome! Check out our [contribution guide](./CONTRIBUTING.md) today and submit a **pull request** with any adds/removes/changes to content!

## Table Of Contents

- [Official](#Official)
- [Learn](#Official-Learn)
- [Docs](#Official-Docs)
- [Videos](#Official-Videos)
- [Books](#Official-Books)
- [Announcements and Articles](#Official-Announcements-and-Articles)
- [Repositories and Tools](#Official-Repositories-and-Tools)
- [Forums and Websites](#Official-Forums-and-Websites)
- [Community](#Community)
- [Videos](#Community-Videos)
- [Podcasts](#Community-Podcasts)
- [Books](#Community-Books)
- [Articles](#Community-Articles)
- [Tools and Websites](#Community-Tools-and-Websites)
- [Repositories](#Community-Repositories)
- [Forums](#Community-Forums)
- [Twitter Resources](#twitter)

### Official Learn

[Back To Top](#Table-Of-Contents)

- [Addicted to KQL](https://github.com/rod-trent/AddictedtoKQL)
- [KQL - The Next Query Language You Need to Learn](https://docs.microsoft.com/en-us/shows/data-exposed/kql-the-next-query-language-you-need-to-learn)
- [Learning path SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)](https://docs.microsoft.com/en-us/learn/paths/sc-200-utilize-kql-for-azure-sentinel/)
- [MustLearnKQL - Video Series](https://www.youtube.com/watch?v=rcy2uSMLyqo&list=PLD7rlIrZEkLgiRbIs_5JXIxzu-5tpoDbd)
- [MustLearnKQL](https://github.com/rod-trent/MustLearnKQL)
- [Tutorial: Use Kusto queries](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor)
- [Write your first query with Kusto Query Language](https://docs.microsoft.com/en-us/learn/modules/write-first-query-kusto-query-language/)

### Official Docs

[Back To Top](#Table-Of-Contents)

- [Built-in threat detection rules](https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-built-in)
- [KQL quick reference](https://docs.microsoft.com/en-us/azure/data-explorer/kql-quick-reference)
- [Kusto Query Language in Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/kusto-overview)
- [Microsoft Sentinel Docs](https://docs.microsoft.com/en-us/azure/sentinel/)
- [Query best practices](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices)
- [Splunk to Kusto Query Language map](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/splunk-cheat-sheet)
- [SQL to Kusto cheat sheet](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet)
- [What's new in Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/whats-new)

### Official Videos

[Back To Top](#Table-Of-Contents)

- [Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat Intelligence](https://www.youtube.com/watch?v=8vTVKitim5c)
- [Azure Sentinel Webinar: Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content](https://youtu.be/zaqblyjQW6k)
- [Azure Sentinel webinar: KQL part 1 of 3 - Learn the KQL you need for Azure Sentinel](https://youtu.be/EDCBLULjtCM)
- [Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises](https://youtu.be/YKD_OFLMpf8)
- [Azure Sentinel webinar: KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance](https://youtu.be/jN1Cz0JcLYU)
- [Azure Sentinel Webinar: The Information Model: Understanding Normalization in Azure Sentinel](https://youtu.be/WoGD-JeC7ng)
- [Become a Notebooks Ninja – Getting Started with Jupyter Notebooks - Microsoft Sentinel Webinar](https://youtu.be/JLOhfoovASE)
- [Deploy and Monitor Azure Key Vault Honeytokens with Microsoft Sentinel](https://youtu.be/LZoj0fqcfQY)
- [Fusion ML Detections for Emerging Threats & Configuration UI](https://youtu.be/bTDp41yMGdk)
- [KQL Framework for Microsoft Sentinel - Empowering You to Become KQL-Savvy](https://youtu.be/j7BQvJ-Qx_k)
- [Latest Innovations for Microsoft's Cloud Native SIEM Recording - Microsoft Sentinel Webinar](https://youtu.be/kGctnb4ddAE)
- [M365 Defender - Kusto query language basics](https://www.microsoft.com/videoplayer/embed/RWRwfJ)
- [M365 Defender - Using Advanced Hunting](https://www.microsoft.com/videoplayer/embed/RE4G6DO)
- [Microsoft Security Insights Podcast - Twitch](https://www.twitch.tv/microsoftsecurityinsights)
- [Microsoft Sentinel Content Management](https://youtu.be/3iF__S-_v7A)
- [Microsoft Sentinel in the Field: Part 1 - Managing security content as code](https://www.youtube.com/watch?v=vqLqJhaFNBk)
- [Microsoft Sentinel in the Field: Part 2 - Learning with the training lab](https://www.youtube.com/watch?v=cAJEiPqocK4)
- [Microsoft Sentinel in the Field: Part 3 - Deception in Microsoft Sentinel](https://www.youtube.com/watch?v=3mWHcIfa60o)
- [Present and Future of EUBA](https://www.youtube.com/watch?v=dLVAkSLKLyQ)

### Official Books

[Back To Top](#Table-Of-Contents)

- [Azure Sentinel Technical Playbook for MSSPs](https://aka.ms/azsentinelmssp)

### Official Announcements and Articles

[Back To Top](#Table-Of-Contents)

- [Advanced KQL Framework Workbook - Empowering you to become KQL-savvy](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/advanced-kql-framework-workbook-empowering-you-to-become-kql/ba-p/3033766)
- [Defending Critical Infrastructure with the Microsoft Sentinel: IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)
- [Get Hands-On KQL Practice with this Microsoft Sentinel Workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/get-hands-on-kql-practice-with-this-microsoft-sentinel-workbook/ba-p/3055600)
- [How To Align Your Analytics With Time Windows In Azure Sentinel Using KQL (Kusto Query Language)](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574)
- [Investigating Suspicious Azure Activity with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/investigating-suspicious-azure-activity-with-microsoft-sentinel/ba-p/2985699)
- [Learning with the Microsoft Sentinel Training Lab](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403)
- [Leveraging the Power of KQL in Incident Response](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/leveraging-the-power-of-kql-in-incident-response/ba-p/3044795)
- [Log sources and analytics rules coverage workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/log-sources-and-analytics-rules-coverage-workbook-see-how-your/ba-p/3124444)
- [Microsoft Sentinel – continuous threat monitoring for GitHub](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-continuous-threat-monitoring-for-github/ba-p/3037154)
- [Using External Data Sources To Enrich Network Logs Using Azure Storage And KQL](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-external-data-sources-to-enrich-network-logs-using-azure/ba-p/1450345)

### Official Repositories and Tools

[Back To Top](#Table-Of-Contents)

- [azure/azure-sentinel](https://github.com/Azure/Azure-Sentinel)
- [Kusto Explorer](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/tools/kusto-explorer)
- [Log Analytics demo environment](https://ms.portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade)
- [microsoft/Kusto-Query-Language](https://github.com/microsoft/Kusto-Query-Language)

### Official Forums and Websites
[Back To Top](#Table-Of-Contents)

- [Microsoft Security Community - Youtube](https://www.youtube.com/c/MicrosoftSecurityCommunity)
- [Microsoft Security Insights - Podcast](https://open.spotify.com/show/5GnrHASof2GBIV3h53wnUK)
- [Microsoft Sentinel Blog](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/bg-p/MicrosoftSentinelBlog)
- [Microsoft Sentinel TechCommunity](https://techcommunity.microsoft.com/t5/microsoft-sentinel/bd-p/MicrosoftSentinel)

## Community

> Links below are from community sources, websites, and channels.

### Community Videos

[Back To Top](#Table-Of-Contents)

- [Azure Sentinel Lab Series](https://www.youtube.com/playlist?list=PLM3TOIlrnaI6B9ikTWz8A0FY812ZqBO3_)
- [AzureFunBytes Episode 64 - Building SOC Efficiency with @Azure Sentinel with @rodtrent](https://youtu.be/wuqCjUmOFV0)
- [GrayHat 2020 - Blue Teaming with Kusto Query Language, KQL - Ashwin Patil](https://www.youtube.com/watch?v=IMZkqTEBFeA)
- [Managing Microsoft Sentinel using GIT repositories](https://youtu.be/A-rL3JIwEQ4)
- [Setting up your first Azure Sentinel environment in 50 minutes](https://www.youtube.com/watch?v=29T8sWQPOxQ)
- [Using Azure Sentinel to protect Microsoft Teams](https://www.youtube.com/watch?v=5fRmfUVMEPY)

### Community Podcasts

[Back To Top](#Table-Of-Contents)

- [KQL | Cafe](https://kqlcafe.github.io/website/)

### Community Books

[Back To Top](#Table-Of-Contents)

- [Microsoft 365 Security eBook](https://m365securitybook.com/)
- [Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide](https://www.amazon.com/Microsoft-Security-Operations-Analyst-Certification-ebook/dp/B09R4SC4S5/ref=sr_1_1?crid=2OASBP4AR09EE&keywords=Microsoft+Security+Operations+Analyst+Exam+Ref+SC-200&qid=1644445540&s=digital-text&sprefix=microsoft+security+operations+analyst+exam+ref+sc-200%2Cdigital-text%2C301&sr=1-1)
- [Microsoft Sentinel in Action](https://www.amazon.com/Microsoft-Sentinel-Action-Architect-implement-dp-1801815534/dp/1801815534/ref=dp_ob_title_bk)

### Community Articles

[Back To Top](#Table-Of-Contents)

- [Azure Sentinel Syslog Workbook](https://www.cloudsma.com/2020/05/azure-sentinel-syslog-workbook/)
- [Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR](https://jeffreyappel.nl/collect-security-events-in-sentinel-with-the-new-ama-agent-and-dcr/)
- [Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel](https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/)
- [How to Use Office 365 Audit Data with Microsoft Sentinel](https://practical365.com/use-office-365-audit-data-with-microsoft-sentinel/)
- [Hunting For Anomalies With Time-Series Analysis](https://m365internals.com/2021/02/16/hunting-for-anomalies-with-time-series/)
- [Hunting Log4j with Sentinel](https://www.eshlomo.us/hunting-log4j-with-sentinel/)
- [Keep an eye on your Azure AD guests with Microsoft Sentinel](https://learnsentinel.blog/2021/11/04/keep-an-eye-on-your-azure-ad-guests-with-microsoft-sentinel)
- [KQL Cheat Sheet](https://www.mbsecure.nl/blog/2019/12/kql-cheat-sheet)
- [KQLCeption – use KQL to investigate Microsoft Sentinel](https://learnsentinel.blog/2022/01/24/kqlception/)
- [Kusto Make-Series vs Summarize](https://www.cloudsma.com/2021/04/kusto-make-series-vs-summarize/)
- [Log4j Incident Response](https://www.eshlomo.us/log4j-incident-response/)
- [Microsoft Sentinel – How to Leverage built-in Amazon Web Services S3 Data Connector](https://samilamppu.com/2022/01/17/microsoft-sentinel-how-to-leverage-built-in-amazon-web-services-s3-data-connector/)
- [Microsoft Sentinel and the power of functions](https://learnsentinel.blog/2021/12/16/microsoft-sentinel-and-the-power-of-functions/)
- [Monitor Microsoft Sentinel Data Connectors using Health Monitoring and Logic App](https://jeffreyappel.nl/monitor-microsoft-sentinel-data-connectors-using-health-monitoring-and-logic-app/)
- [Monitoring of GitHub Enterprise with Microsoft Sentinel](https://www.cloud-architekt.net/github-enterprise-monitoring-sentinel/)
- [Ollie, your personal Microsoft Sentinel assistant](https://thecollective.eu/blog/ollie-your-personal-microsoft-sentinel-assistant/)
- [Optimize your Microsoft Sentinel pricing](https://medium.com/wortell/optimize-microsoft-sentinel-pricing-ca9901840b75)
- [Set up Microsoft Sentinel as a single pane of glass for Microsoft 365 alerts](https://practical365.com/set-up-microsoft-sentinel-as-a-single-pane-of-glass-for-microsoft-365-alerts/)
- [Setting up a bidirectional sync between Sentinel and JIRA](https://thecollective.eu/news/setting-up-a-bidirectional-sync-between-sentinel-and-jira/)
- [Tag domain controllers automatically in Defender for Endpoint using KQL, Logic App, and API](https://jeffreyappel.nl/tag-domain-controllers-automatically-in-defender-for-endpoint-using-kql-logic-app-and-api/)
- [Too much noise in your data? Summarize it!](http://learnsentinel.blog/2022/02/09/summarize-your-data/)
- [What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD](https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/)
- [When does enabling Microsoft Sentinel make sense?](https://practical365.com/when-does-enabling-microsoft-sentinel-make-sense/)

### Community Tools and Websites

[Back To Top](#Table-Of-Contents)

- [Azure Cloud & AI Domain Blog](https://azurecloudai.blog/)
- [Cloud, Systems Management, Automation](https://www.cloudsma.com/)
- [FalconForce](https://www.falconforce.nl/en/blog/)
- [Jeffrey Appel](https://jeffreyappel.nl/)
- [Kusto King - Kusto Knight Learning Track](https://www.kustoking.com/kusto-knight/)
- [Learn Sentinel](https://learnsentinel.blog/blog/)
- [Managed Sentinel - Blog](https://www.managedsentinel.com/blog/)
- [Microsoft Sentinel this Week](https://www.getrevue.co/profile/AzureSentinelToday)
- [Sam's Corner](https://samilamppu.com/)
- [SecureCloudBlog](https://securecloud.blog/)

### Community Repositories

[Back To Top](#Table-Of-Contents)

- [alexverboon/MDATP/tree/master/AdvancedHunting (Advanced Hunting)](https://github.com/alexverboon/MDATP/tree/master/AdvancedHunting)
- [ashwin-patil/blue-teaming-with-kql](https://github.com/ashwin-patil/blue-teaming-with-kql)
- [eshlomo1/Azure-Sentinel-4-SecOps](https://github.com/eshlomo1/Azure-Sentinel-4-SecOps)
- [FalconForceTeam/FalconFriday](https://github.com/FalconForceTeam/FalconFriday)
- [Kaidja/Azure-Sentinel](https://github.com/Kaidja/Azure-Sentinel)
- [marcusbakker/KQL](https://github.com/marcusbakker/KQL)
- [reprise99/Sentinel-Queries](https://github.com/reprise99/Sentinel-Queries)
- [rod-trent/SentinelKQL](https://github.com/rod-trent/SentinelKQL)
- [scautomation/Azure-Sentinel-Syslog-Workbook](https://github.com/scautomation/Azure-Sentinel-Syslog-Workbook)
- [wortell/KQL](https://github.com/wortell/KQL)

### Community Forums

[Back To Top](#Table-Of-Contents)

- [Reddit - Azure Sentinel](https://www.reddit.com/r/azuresentinel)
- [Reddit - Azure](https://reddit.com/r/AZURE)
- [Stack Overflow - KQL](https://stackoverflow.com/questions/tagged/kql)

### Twitter

[Back To Top](#Table-Of-Contents)

- [Alex Verboon](https://twitter.com/alexverboon)
- [Billy York](https://twitter.com/SCAutomation)
- [DebugPrivilege](https://twitter.com/DebugPrivilege)
- [Elli (IR)](https://twitter.com/misconfig)
- [FalconForce Official](https://twitter.com/falconforceteam)
- [Gianni](https://twitter.com/castello_johnny)
- [Jan Geisbauer](https://twitter.com/JanGeisbauer)
- [Jeffrey Appel](https://twitter.com/JeffreyAppel7)
- [Kaido Järvemets](https://twitter.com/kaidja)
- [Matt Zorich](https://twitter.com/reprise_99)
- [Rod Trent](https://twitter.com/rodtrent)
- [Sami Lamppu](https://twitter.com/samilamppu)