Microsoft-365-Defender-Hunting-Queries VS Azure-Sentinel

There are few smart screen reports under “Protection Events” folder. All this is already in the Security Center portal but you can find some better description here https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

This github repo has a variety of hunting rules: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

I always find myself going back to my colleague Michael's Tracking the Adversary 4 part webcast where it takes you from 100 to 400 level in the context of threat hunting: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Webcasts/TrackingTheAdversary

I use a KQL query from https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries. Look in the Discovery section and try the DetectTorRelayConnectivity query. I've then created a custom detection rule to pick up instances of the alert.

Azure-Sentinel/Playbooks/CreateIncident-SharedMailbox at master · Azure/Azure-Sentinel · GitHub

They recently reorganized the GitHub: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/LogSourcesAndAnalyticRulesCoverage.json

Have you checkout out the azure playbook templates? https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks

The best option I could find so far is inferring the format by reading the source code at https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/AzureFirewall/AzureFirewallNetworkRule.kql.

There is a ton on Github. Have a look here -> https://github.com/Azure/Azure-Sentinel/wiki

Also see the Sentinel repository on GitHub for a ton of queries to reference: https://github.com/Azure/Azure-Sentinel

All the json files are stored in MS Sentinels github repo: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks. You do not need to export them yourself. You can copy the raw json file from the repository.

here you can find various other types: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers