Microsoft-365-Defender-Hunting-Queries
Sentinel-Queries
Our great sponsors
Microsoft-365-Defender-Hunting-Queries | Sentinel-Queries | |
---|---|---|
14 | 17 | |
1,408 | 1,289 | |
- | - | |
9.0 | 7.4 | |
about 2 years ago | 25 days ago | |
Jupyter Notebook | ||
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Microsoft-365-Defender-Hunting-Queries
-
Smartscreen reports
There are few smart screen reports under “Protection Events” folder. All this is already in the Security Center portal but you can find some better description here https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
- Defender Advance Hunting
- Must have analytic rules
- New user question - Hunting cookbook?
- Advance Threat Hunting 101
-
How to monitor for ransomware attacks?
This github repo has a variety of hunting rules: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
-
The Kusto Query Language
I always find myself going back to my colleague Michael's Tracking the Adversary 4 part webcast where it takes you from 100 to 400 level in the context of threat hunting: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Webcasts/TrackingTheAdversary
- Joining FileEvents to Process events
-
Detecting/blocking malicious IPs
I use a KQL query from https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries. Look in the Discovery section and try the DetectTorRelayConnectivity query. I've then created a custom detection rule to pick up instances of the alert.
- Advanced Hunting Query for SAM DB Access
Sentinel-Queries
-
Custom Detections
Matt Zorich has a good list of detections for both M365D and Sentinel - https://github.com/reprise99/Sentinel-Queries
-
What were your "HOLY SH*T IT'S REALLY THAT SIMPLE?!" moments when working through issues and finding a solution? Share so that others may learn.
Here's a massive list of pre-built queries to get you started: GitHub - reprise99/Sentinel-Queries: Collection of KQL queries
- MS Sentinel Analytics & KQL
- Analytical rules
- Useful Collection of KQL queries
- BARK Detections: These KQL queries are designed to find use of the abuses in the BloodHound BARK toolkit in your Azure AD tenant. These queries are not designed to detect the use of BARK itself, just the behaviour that BARK simulates.
-
What are best best advanced hunting queries you use in 365 defender?
https://github.com/reprise99/Sentinel-Queries has a number
- Must have analytic rules
- Sentinel KQL Query: Create a pivot table showing all conditional access policy outcomes over the last 30 days
- Sentinel KQL Query: Summarize outbound (your users connecting to other tenants) activity by listing the users and which applications they are accessing in each remote tenant
What are some alternatives?
security-onion - Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
chatgpt-raycast - ChatGPT raycast extension
Azure-Sentinel - Cloud-native SIEM for intelligent security analytics for your entire enterprise.
Hunting-Queries-Detection-Rules - KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
h4cker - This repository is primarily maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), artificial intelligence security, vulnerability research, exploit development, reverse engineering, and more.
awesome-kql-sentinel - A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel
HELK - The Hunting ELK
WindowsDefenderATP-Hunting-Queries - Sample queries for Advanced hunting in Microsoft Defender ATP
FalconFriday - Hunting queries and detections
hid-examples - Examples to accompany the book "Haskell in Depth"
fly-catcher - ✈️ A device that detects for aircraft spoofing by monitoring for malicious ADS-B signals in the 1090MHz frequency. Built using a Raspberry Pi 3B and a FlightAware SDR