ep3p/Sentinel_KQL

GitHub: ep3p/Sentinel_KQL

A collection of KQL queries and Watchlist schemes for Microsoft Sentinel, with a curated set of links to resources across the Sentinel ecosystem.

Stars: 139 | Forks: 25

# Sentinel KQL

In this repository you can find KQL (Kusto Query Language) queries and Watchlist schemes related to Microsoft Sentinel (a SIEM tool) data sources.

You can check other similar resources:

| GitHub |
| ---- |
| [reprise99/awesome-kql-sentinel](https://github.com/reprise99/awesome-kql-sentinel) (start here) |
| [reprise99/Sentinel-Queries](https://github.com/reprise99/Sentinel-Queries) |
| [rod-trent/SentinelKQL](https://github.com/rod-trent/SentinelKQL) |
| [FalconForceTeam/FalconFriday](https://github.com/FalconForceTeam/FalconFriday) |
| [Cyb3r-Monk/Threat-Hunting-and-Detection](https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection) |
| [Bert-JanP/Hunting-Queries-Detection-Rules](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules) |
| [alexverboon/Azure-Threat-Research-Matrix-KQL](https://github.com/alexverboon/Azure-Threat-Research-Matrix-KQL) |
| [eshlomo1/Microsoft-Sentinel-4-SecOps](https://github.com/eshlomo1/Microsoft-Sentinel-4-SecOps) |
| [Kaidja/Azure-Sentinel](https://github.com/Kaidja/Azure-Sentinel) |
| [samilamppu/Sentinel-queries](https://github.com/samilamppu/Sentinel-queries) |
| [ashwin-patil/blue-teaming-with-kql](https://github.com/ashwin-patil/blue-teaming-with-kql) |
| [le0li9ht/Microsoft-Sentinel-Queries](https://github.com/le0li9ht/Microsoft-Sentinel-Queries) |
| [DanielChronlund/DCSecurityOperations](https://github.com/DanielChronlund/DCSecurityOperations) |
| [ugurkocde/KQL_Intune](https://github.com/ugurkocde/KQL_Intune) |
| ... |

## Other links:

| Tag | Link |
| ---- | ---- |
| [KQL] | [Kusto Query Language (KQL) shortcuts](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/tools/kusto-explorer-shortcuts)<br>[Kusto Query Language (KQL) regular expression library](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/re2-library)<br>[KQL query aggregator](https://www.kqlsearch.com/) |
| [Data sources] | [sreedharande/IngestOffice365AuditLogs](https://github.com/sreedharande/IngestOffice365AuditLogs)<br>[techcommunity.microsoft.com External data sources in Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-external-data-sources-to-enrich-network-logs-using-azure/ba-p/1450345)<br>[Threat indicators MISP](https://github.com/Cyberlorians/Articles/blob/main/MISPTISetup.md) |
| [Rules] | [Microsoft Sentinel analytic rules explorer](https://analyticsrules.exchange/)<br>[garybushey.com Markdown in analytic rule descriptions](https://garybushey.com/2022/08/07/use-an-analytic-rules-description-for-remediation-steps/)<br>[medium.com/@tokesisr Mitigating high ingestion time](https://medium.com/@tokesisr/ingestion-time-will-tell-df7845170e53) |
| [Playbook] | [Azure Logic Apps functions reference](https://docs.microsoft.com/en-us/azure/logic-apps/workflow-definition-language-functions-reference)<br>[Incident response playbooks](https://docs.microsoft.com/en-us/security/compass/incident-response-playbooks)<br>[adr.iaan.be Querying Log Analytics from a Logic App](https://adr.iaan.be/blog/querying-log-analytics-from-logic-apps/)<br>[adr.iaan.be Forwarding directory activity logs (User Access Administrator)](https://adr.iaan.be/blog/adding-directory-activity-logs-to-microsoft-sentinel/)<br>[Accelerynt-Security/AS-IP-Blocklist Logic App: alert IP addresses to Conditional Access](https://github.com/Accelerynt-Security/AS-IP-Blocklist)<br>[Accelerynt-Security/AS-Teams-Integration Logic App: to Teams channel](https://github.com/Accelerynt-Security/AS-Teams-Integration)<br>[Accelerynt-Security/AS-Domain-Watchlist Logic App: alert entities to Watchlist](https://github.com/Accelerynt-Security/AS-Domain-Watchlist)<br>[briandelmsft/SentinelAutomationModules Incident triage](https://github.com/briandelmsft/SentinelAutomationModules)<br>[PeterKlapwijk/Microsoft-Logic-Apps](https://github.com/PeterKlapwijk/Microsoft-Logic-Apps/tree/main/Revoke%20user%20access%20in%20case%20of%20an%20emergency) |
| [Notebook] | [microsoft/msticpy](https://github.com/microsoft/msticpy)<br>[garybushey.com Machine learning in Sentinel](https://garybushey.com/2022/10/09/bring-your-own-machine-learning-in-microsoft-sentinel/) |
| [UEBA] | [https://github.com/oshezaf/Sentinel-Custom-Analytics](https://github.com/oshezaf/Sentinel-Custom-Analytics)<br>[cloudbrothers.info UEBA in Microsoft Sentinel](https://cloudbrothers.info/en/microsoft-sentinel-ueba/) |
| [Entra ID] | [Azure AD audit activities reference](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities)<br>[Azure AD security operations guide](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-introduction)<br>[Microsoft SignInLogs error codes (ResultType)](https://login.microsoftonline.com/error)<br>[acalarch/azure-signinlog-results](https://github.com/acalarch/azure-signinlog-results/blob/main/signinlog-results.txt)<br>[merill.net Microsoft Graph permissions explorer](https://graphpermissions.merill.net/index.html) (may show old permissions if an old permission is written in the URI path)<br>[msandbu/azuread Azure AD ecosystem picture](https://github.com/msandbu/azuread/blob/main/AzureAD%20Big%20picture.jpg) |
| [Defender for Cloud] | [Defender for Cloud alerts](https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference)<br>[Defender for Cloud recommendations](https://learn.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference)<br>[Defender for Cloud labs](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Labs) |
| [Defender for Endpoint] | [Defender for Endpoint exclusions](https://cloudbrothers.info/en/guide-to-defender-exclusions/)<br>[Defender for Endpoint performance analyzer](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus)<br>[Tweet @SwiftOnSecurity Defender for Endpoint performance analyzer](https://twitter.com/SwiftOnSecurity/status/1575625955766194176) |
| [Defender for Identity] | [Defender for Identity alerts](https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview)<br>[jeffreyappel.nl Defender for Identity configuration](https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/) |
| [Blogs] | [garybushey.com Blog Gary Bushey](https://garybushey.com/)<br>[azurecloudai.blog Blog Microsoft](https://azurecloudai.blog/)<br>[techcommunity.microsoft.com Blog Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/bg-p/MicrosoftSentinelBlog) |
| [Training] | [https://detective.kusto.io/ Game Azure Data Explorer Kusto KQL](https://detective.kusto.io/)<br>[Microsoft Sentinel training](https://learn.microsoft.com/en-us/azure/sentinel/skill-up-resources)<br>[Microsoft Sentinel Ninja training](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310)<br>[OTRF/Microsoft-Sentinel2Go](https://github.com/OTRF/Microsoft-Sentinel2Go)<br>[tomwechsler/Microsoft_Cloud_Security](https://github.com/tomwechsler/Microsoft_Cloud_Security)<br>[kkneomis/kc7](https://github.com/kkneomis/kc7) |
| [Control] | [sreedharande/Microsoft-Sentinel-As-A-Code](https://github.com/sreedharande/Microsoft-Sentinel-As-A-Code)<br>[www.infernux.no Creating templates from your analytic rules to bootstrap a repository](https://www.infernux.no/MicrosoftSentinel-TemplateAnalyticRules/)<br>[sreedharande/MS-Sentinel-Bulk-Delete-Threat-Indicators](https://github.com/sreedharande/MS-Sentinel-Bulk-Delete-Threat-Indicators)<br>[medium.com/@TimGroothuis Improving automated Sentinel detection validation](https://medium.com/@TimGroothuis/improving-automated-sentinel-detection-validation-02f91a9f4a21) |

If you feel generous, I would appreciate it if you could buy me a coffee :)

[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/ep3p)
Tags: ADX, AMSI bypass, Azure Sentinel, Azure Data Explorer, KQL, Kusto Query Language, Microsoft Sentinel, SecOps, Threat Hunting, Watchlist, cloud security architecture, threat detection, security information and event management, security operations, scanning framework, search engine crawling, data querying, detection rules, cybersecurity, network asset discovery, privacy protection