The largest Sentinel detection use case library; built in AZSentinel JSON format for automated upload into Azure

# Sentinel analytics library

This repository aims to collect the largest possible number of Sentinel detection use cases. All analytics are built in AZSentinel JSON format so they can be uploaded into Azure automatically.

This repository contains the following Sentinel analytics:

| Folder | Author(s) | Documentation | Number of rules |
|---|---|---|---|
| AuditLogs | Microsoft | LINK | 1 |
| AWSCloudTrail | Microsoft | LINK | 7 |
| AzureActivity | Microsoft | LINK | 4 |
| AzureDiagnostics | Microsoft | LINK | 3 |
| CommonSecurityLog | Microsoft | LINK | 5 |
| DNSEvents | Microsoft | LINK | 4 |
| MultipleDataSources | Microsoft | LINK | 12 |
| OfficeActivity | Microsoft | LINK | 6 |
| SecurityEvent | Microsoft | LINK | 16 |
| SigninLogs | Microsoft | LINK | 8 |
| Syslog | Microsoft | LINK | 5 |
| Sysmon | Edoardo Gerosa and Olaf Hartong | LINK | 117 |
| ThreatIntelligenceIndicator | Microsoft | LINK | 25 |
| W3CIISLog | Microsoft | LINK | 4 |

## Installation

The rules in each folder can be uploaded into your Sentinel instance automatically using the AZSentinel PowerShell module, developed by the folks at Wortell Sec, together with the JSON file contained in each folder.

Instructions for the prerequisites needed to run AZSentinel can be found here.

Once AZSentinel is installed, the rules in a folder can be imported automatically with this command:

```powershell
Import-AzSentinelAlertRule -WorkspaceName "{workspace_name}" -SettingsFile "folder_name/file_in_folder.json"
```
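The command above imports one settings file at a time. The script below is an added example, not part of this repository, that walks a local clone, parses each JSON file before uploading it (so a rule file broken by an untested translation is reported by name rather than failing inside the upload), and then calls the same `Import-AzSentinelAlertRule` cmdlet per file. It assumes the AzSentinel module is installed, that `Connect-AzAccount` has already been run, that `$RepoRoot` is a clone of this repository, and that each settings file keeps its rules under a top-level `analytics` array (the count is only reported, never required). The folder names are taken from the table above; the per-folder file names are not listed there, so every `*.json` in a folder is processed.

```powershell
# Added example (not the repository's own code). Bulk-validate and import the
# AZSentinel JSON files of a local clone into one Sentinel workspace.
# Assumptions: AzSentinel module installed, Connect-AzAccount already run,
# $RepoRoot is a clone of this repository.
param(
    [Parameter(Mandatory = $true)] [string]$WorkspaceName,
    [string]$RepoRoot = (Get-Location).Path,
    # Folder names from the README table; narrow with e.g. -Folders 'Sysmon'
    [string[]]$Folders = @(
        'AuditLogs', 'AWSCloudTrail', 'AzureActivity', 'AzureDiagnostics',
        'CommonSecurityLog', 'DNSEvents', 'MultipleDataSources', 'OfficeActivity',
        'SecurityEvent', 'SigninLogs', 'Syslog', 'Sysmon',
        'ThreatIntelligenceIndicator', 'W3CIISLog'
    ),
    # Parse and report only; do not touch the workspace
    [switch]$ValidateOnly
)

Import-Module AzSentinel -ErrorAction Stop

function New-Result {
    param([string]$Folder, [string]$File, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Folder = $Folder; File = $File; Status = $Status; Detail = $Detail }
}

$results = foreach ($folder in $Folders) {
    $path = Join-Path -Path $RepoRoot -ChildPath $folder
    if (-not (Test-Path -Path $path -PathType Container)) {
        Write-Warning "Folder not found, skipping: $path"
        continue
    }
    foreach ($file in Get-ChildItem -Path $path -Filter '*.json' -File) {
        # Step 1: the file must parse as JSON. A translation error surfaces
        # here with the file name instead of partway through an upload.
        try {
            $parsed = Get-Content -Path $file.FullName -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
        } catch {
            New-Result $folder $file.Name 'InvalidJson' $_.Exception.Message
            continue
        }
        # Step 2 (assumption): AZSentinel settings files carry rules in an
        # "analytics" array; report the count so it can be compared with the
        # README table. A file without that key is still passed to the cmdlet.
        $ruleCount = if ($null -ne $parsed.analytics) { @($parsed.analytics).Count } else { 0 }
        if ($ValidateOnly) {
            New-Result $folder $file.Name 'Valid' "$ruleCount rule(s) declared"
            continue
        }
        # Step 3: upload with the cmdlet shown in the README, one file at a time,
        # so one failing file does not stop the remaining folders.
        try {
            Import-AzSentinelAlertRule -WorkspaceName $WorkspaceName -SettingsFile $file.FullName -ErrorAction Stop | Out-Null
            New-Result $folder $file.Name 'Imported' "$ruleCount rule(s) declared"
        } catch {
            New-Result $folder $file.Name 'ImportFailed' $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit if anything failed, so the script can gate a pipeline step
if ($results | Where-Object { $_.Status -in 'InvalidJson', 'ImportFailed' }) { exit 1 }
```

Run it first with `-ValidateOnly` to see which files parse and how many rules each declares; then run it without the switch against the target workspace. Because each file is imported in its own `try`/`catch`, a single broken translation is recorded as `ImportFailed` and the rest of the folders are still processed.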

## Disclaimer

The rules in this project are copied from different repositories (repository links are provided in the table above) and translated into AZSentinel JSON format without testing. Although the rules come from reputable authors, there is a chance that issues in the KQL source could emerge and break the automatic upload once AZSentinel is used. Feel free to open an issue if you discover problems.

## Contributing

Contributions are welcome. In particular, if you have discovered a repository of KQL rules that you'd like translated into AZSentinel JSON format, feel free to open an issue requesting that the rules be translated and added to this project.
