Preeti Krishna edited this page Mar 7, 2022 · 39 revisions

Welcome Threat Hunters!

Join in the Microsoft SIEM & XDR Community!

What is the Microsoft SIEM and XDR Community?

This is a unified community for Microsoft SIEM, SOAR and XDR products. This community integrates the Microsoft Sentinel and Microsoft 365 Defender products. Learn more about the Microsoft SIEM and XDR threat protection story.

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Microsoft Sentinel provides a platform for different data sources to come together. Different types of contributions like hunting, detection and investigation queries, automated workflows, visualizations, and much more can be built to use one or many of these data sources. These contributions enable relevant security insights for automated hunting, alerting, incident tracking, investigations and response experiences in Microsoft Sentinel.

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Hunting queries can be built to provide value to Microsoft 365 Defender advanced hunting scenarios and can be used for custom detections as well.

Microsoft SIEM and XDR Community provides a forum for community members, also known as Threat Hunters, to join in and submit these contributions via GitHub Pull Requests, or contribution ideas as GitHub Issues. Hunting queries for Microsoft 365 Defender provide value to both the Microsoft 365 Defender and Microsoft Sentinel products, so a single contribution has multiple impact. Contributions can be based on your own idea of the value they provide to enterprises, can come from the GitHub open issues list, or can be enhancements to existing contributions. Refer to the Get Started section to flow in your submissions and earn points and cool badges!

Why unified community?

Contributing a Microsoft 365 Defender hunting query or a Microsoft Sentinel hunting query for Microsoft 365 Defender benefits both products, so you get more value out of your contributions with this unified community! If you are a member of both communities, it is now easier to contribute to a centralized place.

Threat Hunters Leaderboard

The Threat Hunters leaderboard recognizes you for all your valuable contributions to this GitHub repository! Check out the leaderboard for the current top 20 Threat Hunters.

To move up the ranks, submit contributions in any of our categories or file GitHub issues; your score will update once the Pull Request for your contribution is approved!


In addition to the leaderboard points, we have badges that you can level up to. There are three types of badges: Checkpoint badges, Achiever badges and Exclusive badges.

  • The Checkpoint badges recognize the number of contributions made
  • The Achiever badges are awarded as you progress and explore different contribution areas in Microsoft Sentinel and Microsoft 365 Defender. The list of Achiever badges is as follows:
    • Baby Threat Hunter - Start by making a few contributions
    • Threat Hunter on a roll - Make multiple contributions in a short time span
    • Bug Hunter - Excel at Hunting query submissions
    • Renaissance coder - Excel at all the contribution areas in Microsoft Sentinel
    • Teach Yoda - Submit good suggestions on how we can improve Microsoft Sentinel and Microsoft 365 Defender
    • Soaring in the Cloud - Microsoft Sentinel data connector master
  • The Exclusive badges come out spontaneously and are available for a limited time - Keep an eye out for special Exclusive badges!

Get started now

You can contribute any of the following to enhance Microsoft Sentinel and Microsoft 365 Defender end-to-end customer experiences. Mash up multiple Microsoft Sentinel data sources for enriched experiences.

What can you contribute and how can you create contributions?

The table in this section outlines the following information for each contribution type to get started.

  • Value the specific contribution provides in Microsoft Sentinel and / or Microsoft 365 Defender
  • Link to relevant product feature documentation that details the experience the contribution will enable
  • Link to contribution guidance to help get you started on building out your contribution
  • Additional resources to assist you in developing and validating your contributions

| Contribution | Enables… | Get Started Links | Additional Resources |
|---|---|---|---|
| Solutions | deliver product/domain/industry vertical value | Product Documentation; Contribution Guidance | Partner Center; Azure Marketplace |
| Playbook | setting up automated procedures while responding to threats | Product Documentation; Contribution Guidance | Create Azure Logic Apps playbooks |
| Workbook | data insights and monitoring with visualizations | Product Documentation; Contribution Guidance | Create Azure Monitor Workbooks |
| Hunting | quick start security threat hunting capabilities with queries | SIEM Product Documentation; XDR Product Documentation; Contribution Guidance | Query style guide; Tips ‘n tricks; Kusto Query Language (KQL) |
| Notebook | advanced hunting capabilities using Jupyter / Azure Notebooks | Product Documentation; Contribution Guidance | Create Azure Notebooks; Jupyter Notebooks; Jupyter NbViewer; IPython guidance |
| Analytic Rule Template | customized alert generation and automated incident creation with queries | Product Documentation; Contribution Guidance | Query style guide; Tips ‘n tricks; Kusto Query Language (KQL) |
| Parsers | customized parsers for data types | Contribution Guidance | Query style guide; Tips ‘n tricks; Kusto Query Language (KQL) |
| Investigation Graph | full investigation scope discoverability with queries | Product Documentation; Contribution Guidance | Query style guide; Tips ‘n tricks; Kusto Query Language (KQL) |
| Data Connectors | collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds | Product Documentation; Contribution Guidance | Common Event Format (CEF) based connections |

Test your contribution

Functionally validate whether your contribution works by trying it out in Microsoft Sentinel. If it's a Microsoft 365 Defender hunting query, try it out in both the Microsoft Sentinel and Microsoft 365 Defender products. The respective product documentation linked above provides information on how your contribution can be consumed in Azure Sentinel and Microsoft 365 Defender (as applicable). In addition, when you submit your Pull Request, automatic GitHub validations using Azure Pipelines are enabled on this repository for basic syntactical checks of the contributions. Follow the test guidance to add any additional tests needed to validate specific scenarios for your contributions.

Submit your contribution

After you have developed your contribution and tested that it works as expected, follow the general contribution guidelines to open a Pull Request to submit your contribution. We will review your submission prior to merging your PR within 7 days.


Questions or Feedback

We value your feedback. Here are some channels to help surface your questions or feedback:

  1. General product specific Q&A – Join in the Microsoft Sentinel Tech Community conversations and Microsoft 365 Defender Tech community conversations
  2. Product specific feature requests – Upvote or post new on Microsoft Sentinel user voice
  3. Product specific bugs - File a Microsoft Sentinel support ticket or Microsoft 365 Defender support ticket as applicable to the product.
  4. Report content you'd like to see in this repo or bugs for content in this repo / contribution bugs – File a GitHub Issue using Bug template
  5. General feedback on community, content and contribution process – File a GitHub Issue using Feature Request template

We can connect on these Social Media channels as well:

Unified SIEM-XDR channel

For Microsoft Sentinel (SIEM and SOAR)

For Microsoft 365 Defender (XDR)