Azure-Sentinel
Cloud-native SIEM for intelligent security analytics for your entire enterprise. (by Azure)
security_content
Splunk Security Content (by splunk)
Our great sponsors
| Azure-Sentinel | security_content | |
|---|---|---|
| 37 | 20 | |
| 4,259 | 1,132 | |
| 3.6% | 2.5% | |
| 10.0 | 9.9 | |
| 6 days ago | 3 days ago | |
| Jupyter Notebook | Python | |
| MIT License | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Azure-Sentinel
Posts with mentions or reviews of Azure-Sentinel.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-05-02.
- Playbook/Guide for responding to specific incident
-
Create Sentinel Incident through MS Forms and Automate?
Azure-Sentinel/Playbooks/CreateIncident-SharedMailbox at master · Azure/Azure-Sentinel · GitHub
-
Correlate what tables/logs/connectors are being used by active analytics (detection's)
They recently reorganized the GitHub: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/LogSourcesAndAnalyticRulesCoverage.json
-
Threat Hunting
Have you checkout out the azure playbook templates? https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks
-
Message patterns for AzureFirewallNetworkRule log category
The best option I could find so far is inferring the format by reading the source code at https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/AzureFirewall/AzureFirewallNetworkRule.kql.
-
What are some good custom detection rules for Sentinel?
There is a ton on Github. Have a look here -> https://github.com/Azure/Azure-Sentinel/wiki
-
Alert rules for Active Directory domain controllers hosted in Azure
Also see the Sentinel repository on GitHub for a ton of queries to reference: https://github.com/Azure/Azure-Sentinel
-
Playbooks
All the json files are stored in MS Sentinels github repo: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks. You do not need to export them yourself. You can copy the raw json file from the repository.
- Use Case automation
-
Converting syslog to CEF format for Sentinel ingestion
here you can find various other types: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers
security_content
Posts with mentions or reviews of security_content.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-12-10.
-
SIEM content development
There's a ton of valuable resources out there when searching for "detection engineering", beyond that, check https://research.splunk.com/ to get an idea of a structured and contextual approach. Beyond that, check Rob van Os Magma use case framework and any blog you can find on https://correlatedsecurity.com (Jurgen Visser). Last but not least, anything "awesome" on github, e.g. https://github.com/fabacab/awesome-cybersecurity-blueteam
-
Azure data sources
Some additional reading: - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2020/07/Azure-Sentinel-whitepaper.pdf - here it from the vendor; solid read as correct log sourcing/scoping is SIEM-vendor agnostic; also check the Sentinel KQL github for inspiration - https://research.splunk.com/ - your new browser startpage - check for Azure/MS/M365 rekated content
-
Okta Data in Splunk( Reports, Alerts and Dashboards)
Indeed, as well as the Okta analytic stories/detections at research.splunk.com. In fact, three new ones published yesterday where Okta and Splunk collaborated on detections.
-
Crowdstrike FDR logs to Splunk vs Splunk UF collecting logs from windows member server
Our end goal is to achieve maxium coverage against MITRE mapping. Our mapping is pretty low and the management want to achieve this in a cost effective manner. Our analysts are more comfortable with creating alerts and dashboards using standard wineventlogs. When we talk about FDR, they are like "Rabitt in the headlights". We are planning to achieve by end of 2023. https://github.com/splunk/security_content/blob/develop/docs/mitre-map/coverage.png (highlighted in blue). Some of the coverage comes native with EDR and NDR. We have a different map of that one (esp proactive one).
-
threat hunting DLL search order hijacking
So you want to see if the files in this list are not running out of System32 or SysWOW64.
-
frustrated with lack of “entry level” security roles
Build a home lab. Phase 1: Get a good server to run VM's on. Use Proxmox as the hypervisor. Get a managed network switch (used ones on eBay are fine). Setup a span port or get a physical network TAP. Install Zeek and capture all the traffic in and out of your house. Look at the logs. Understand them. Use the free version of Suricata IDS. Examine the logs, understand them. Phase 2: Install Splunk (it has a free version). Push all the Zeek/Suricata logs to Splunk with the universal forwarder. Learn how to use Splunk. Learn the query language. Download APPs, analyze data, build dashboards, setup alerts (https://research.splunk.com/). Phase 3: Setup Honeypots, trigger them to learn how they work. Phase 4: Install Windows and Linux desktops and servers. Use the Splunk universal forwarder to dump all the logs into Splunk. Learn the logs, understand them!
-
Learning splunk step by step
Research Lantern
-
Has Splunk provided any Maggie Malware fix or how to detect it ?
Checkout https://research.splunk.com for stuff like this. Just be careful regarding naming, you will more likely find accurate detections searching by the CVE number.
-
Best Way to Learn Query Writing?
We have over 1,000 queries (which we refer to as detections) in our publicly-available GitHub Repository in the following folder: https://github.com/splunk/security_content/tree/develop/detections
-
Splunk Hyper Queries & other SPL nuggets for Security Teams
As for detection libraries, I find lots of people don't know about https://research.splunk.com/
What are some alternatives?
When comparing Azure-Sentinel and security_content you can also consider the following projects:
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
Microsoft-365-Defender-Hunting-Queries - Sample queries for Advanced hunting in Microsoft 365 Defender
sigma - Main Sigma Rule Repository
hid-examples - Examples to accompany the book "Haskell in Depth"
remote-splunk-search - Search over a remote Splunk server
CyberThreatHunting - A collection of resources for Threat Hunters - Sponsored by Falcon Guard
nvim-splunk-linter - Simple linter for search queries
cybersecurity-resources - Resources for learning about cybersecurity and CTFs
PyNite - A 3D structural engineering finite element library for Python.
azure-docs - Open source documentation of Microsoft Azure
detection-rules - Rules for Elastic Security's detection engine
Azure-Sentinel vs Wazuh
security_content vs atomic-red-team
Azure-Sentinel vs Microsoft-365-Defender-Hunting-Queries
security_content vs sigma
Azure-Sentinel vs hid-examples
security_content vs remote-splunk-search
Azure-Sentinel vs CyberThreatHunting
security_content vs nvim-splunk-linter
Azure-Sentinel vs cybersecurity-resources
security_content vs PyNite
Azure-Sentinel vs azure-docs
security_content vs detection-rules