Azure-Sentinel
azure-docs
| | Azure-Sentinel | azure-docs |
|---|---|---|
| | 37 | 89 |
| Stars | 4,284 | 9,947 |
| Growth | 4.2% | 1.5% |
| Activity | 10.0 | 10.0 |
| | 1 day ago | 5 days ago |
| Language | Jupyter Notebook | Markdown |
| License | MIT License | Creative Commons Attribution 4.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Azure-Sentinel
- Playbook/Guide for responding to specific incident
- Create Sentinel Incident through MS Forms and Automate?
  Azure-Sentinel/Playbooks/CreateIncident-SharedMailbox at master · Azure/Azure-Sentinel · GitHub
- Correlate what tables/logs/connectors are being used by active analytics (detections)
  They recently reorganized the GitHub: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/LogSourcesAndAnalyticRulesCoverage.json
- Threat Hunting
  Have you checked out the Azure playbook templates? https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks
- Message patterns for AzureFirewallNetworkRule log category
  The best option I could find so far is inferring the format by reading the source code at https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/AzureFirewall/AzureFirewallNetworkRule.kql.
- What are some good custom detection rules for Sentinel?
  There is a ton on GitHub. Have a look here -> https://github.com/Azure/Azure-Sentinel/wiki
- Alert rules for Active Directory domain controllers hosted in Azure
  Also see the Sentinel repository on GitHub for a ton of queries to reference: https://github.com/Azure/Azure-Sentinel
- Playbooks
  All the JSON files are stored in MS Sentinel's GitHub repo: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks. You do not need to export them yourself. You can copy the raw JSON file from the repository.
- Use Case automation
- Converting syslog to CEF format for Sentinel ingestion
  Here you can find various other types: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers
azure-docs
- Bare metal restore with MABS: best practices for home lab?
  Explained here: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/backup-azure-alternate-dpm-server.md
- Microsoft Account's OAuth tokens leaking via open redirect in Harvest
- Azure Function app has no function after zip deployment
- Runbook only runs for 3 hours then throws: The process cannot access the file 'Microsoft.ApplicationInsights.dll' because it is being used by another process.
  Official doc on runbook limitations: https://github.com/MicrosoftDocs/azure-docs/blob/main/includes/azure-automation-service-limits.md
- GitHub repository disabled at 22M commits
  I don't think that works:
  `git clone --depth 1 https://github.com/MicrosoftDocs/azure-docs`
- Azure monitoring agent with specialized VMs doesn't work
  Does anyone have any idea why this is? I found a GitHub issue that basically describes the issue as well, but there is no satisfying solution. Can you really not use native Azure monitoring solutions if you migrate your VMs to Azure? That seems hard to believe and I hope I'm just missing something. I'm very thankful for any advice at this point.
- Data Factory Webhook activity not invoking API
  It appears that there is a 512kb payload limit with runbook webhooks, which I can only find mention of in this git file: https://github.com/MicrosoftDocs/azure-docs/blob/main/includes/azure-automation-service-limits.md The data I was including in the web activity body appears to be just under this limit and would trigger the runbook without issue. But with the extra data webhook activities include in the body, it puts it over the limit and never triggers it. Unfortunately Data Factory doesn't handle this situation properly and the activity runs indefinitely until you cancel it (despite the timeout configured). The workaround for me was to add a foreach activity and put the webhook activity inside of that.
- Azure AKS - Specify VMSS Network Details
- Group Expiration Enabled - All owners were immediately notified
- Max Number of BGP Peers Azure vWAN
What are some alternatives?
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
httpbin - HTTP Request & Response Service, written in Python + Flask.
Microsoft-365-Defender-Hunting-Queries - Sample queries for Advanced hunting in Microsoft 365 Defender
twitter-lite - A tiny, full-featured, flexible client / server library for the Twitter API
hid-examples - Examples to accompany the book "Haskell in Depth"
cryptogalaxy - Get any cryptocurrencies ticker and trade data in real time from multiple exchanges and then save it in multiple storage systems.
CyberThreatHunting - A collection of resources for Threat Hunters - Sponsored by Falcon Guard
twurl - OAuth-enabled curl for the Twitter API
cybersecurity-resources - Resources for learning about cybersecurity and CTFs
pam_aad - Azure Active Directory PAM Module
h4cker - This repository is primarily maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), artificial intelligence security, vulnerability research, exploit development, reverse engineering, and more.
samples - Azure AD B2C custom policy solutions and samples.