Repository tree (AttacktheSOC/Azure-SecOps):

.
├── .gitattributes
├── API
│   └── Defender
│       ├── Clear-LiveResponsePendingSessions.ps1
│       └── Invoke-MDELiveResponseBulk.ps1
├── ARM
│   ├── LogicApps
│   │   └── WebhookToDCR.json
│   ├── Playbooks
│   │   └── Get-SOCActions.json
│   └── scripts
│       ├── EnableAllAnalyticRuleTemplates.ps1
│       └── RetrieveSentinelTables.ps1
├── DataConnectors
│   └── CiscoMeraki-CodelessConnector
│       ├── README.md
│       └── mainTemplate.json
├── Graph
│   ├── Groups
│   │   ├── CheckGroupMembershipfromCSV.ps1
│   │   ├── GetUniqueGroupMembers.ps1
│   │   ├── SSPR-InitGroup.ps1
│   │   ├── StagedRollout
│   │   │   └── MigrateMFACapableUsers.ps1
│   │   └── SyncSecurityGrouptoDistributionGroup.ps1
│   ├── Service Principals
│   │   ├── Invoke-AppProvisioningSchemaBackup.ps1
│   │   ├── New-ManagedIdentityGraphExOPermissions.ps1
│   │   └── Update SAML Certificate Expiration Email Addresses.ps1
│   └── Users
│       └── Get-UserObjectIds.ps1
├── KQL-Functions
│   ├── func-isGUID.kql
│   └── func-isTrustedIP.kql
├── KQL
│   ├── ConditionalAccessPolicies
│   │   └── CAP-Gap-Detections.md
│   ├── Deception Alert Triage
│   │   ├── All Network Activity around Deception Detection.md
│   │   ├── Interesting Network Activity_aggregated.md
│   │   ├── Suspicious Archiving Activity.md
│   │   └── User_Host Logon Info.md
│   ├── Domain
│   │   └── ProcessUtilizingSAMR.kql
│   ├── Email-Collab
│   │   └── MS-Advisory-Note-Abuse.md
│   ├── Endpoint
│   │   ├── AbnormalRateInterestingCommands.kql
│   │   ├── AntiForensicsActivityOnEndpoint.md
│   │   ├── EndpointMissingAgents.md
│   │   ├── Live Response Session Review.md
│   │   ├── Live Response via API Session Review.md
│   │   ├── Low Prev Svc Installs by SvcName.md
│   │   └── SuspiciousRegistryValueSet.kql
│   ├── OfficeActivity
│   │   └── Possible-AI-Bots-in-Teams-Meeting.md
│   ├── Okta
│   │   ├── Okta-ADAgentAPITokenCreated.kql
│   │   ├── Okta-MultipleUsersFromAnUntrustedIP.kql
│   │   ├── Okta-MultipleUsersSameMFANumber.kql
│   │   ├── Okta-MultipleUsersWithSameSMSforMFA.kql
│   │   └── Okta-PossiblePasswordSprayActivity.kql
│   ├── README.md
│   ├── Reports
│   │   └── UserProvisioningFailures.md
│   ├── Table Info
│   │   └── DeviceEvents_ActionTypes.txt
│   └── UEBA
│       └── ShadowCredentialsAddedtoADComputerObject.md
├── LICENSE
├── README.md
└── Sentinel
    └── LogSources
        └── PaloAltoNetworks
            └── CEF-Log-Formats.md

Raw file URLs:

/.gitattributes:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/.gitattributes

/API/Defender/Clear-LiveResponsePendingSessions.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/API/Defender/Clear-LiveResponsePendingSessions.ps1

/API/Defender/Invoke-MDELiveResponseBulk.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/API/Defender/Invoke-MDELiveResponseBulk.ps1

/ARM/LogicApps/WebhookToDCR.json:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/ARM/LogicApps/WebhookToDCR.json

/ARM/Playbooks/Get-SOCActions.json:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/ARM/Playbooks/Get-SOCActions.json

/ARM/scripts/EnableAllAnalyticRuleTemplates.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/ARM/scripts/EnableAllAnalyticRuleTemplates.ps1

/ARM/scripts/RetrieveSentinelTables.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/ARM/scripts/RetrieveSentinelTables.ps1

/DataConnectors/CiscoMeraki-CodelessConnector/README.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/DataConnectors/CiscoMeraki-CodelessConnector/README.md

/DataConnectors/CiscoMeraki-CodelessConnector/mainTemplate.json:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/DataConnectors/CiscoMeraki-CodelessConnector/mainTemplate.json

/Graph/Groups/CheckGroupMembershipfromCSV.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Groups/CheckGroupMembershipfromCSV.ps1

/Graph/Groups/GetUniqueGroupMembers.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Groups/GetUniqueGroupMembers.ps1

/Graph/Groups/SSPR-InitGroup.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Groups/SSPR-InitGroup.ps1

/Graph/Groups/StagedRollout/MigrateMFACapableUsers.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Groups/StagedRollout/MigrateMFACapableUsers.ps1

/Graph/Groups/SyncSecurityGrouptoDistributionGroup.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Groups/SyncSecurityGrouptoDistributionGroup.ps1

/Graph/Service Principals/Invoke-AppProvisioningSchemaBackup.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Service Principals/Invoke-AppProvisioningSchemaBackup.ps1

/Graph/Service Principals/New-ManagedIdentityGraphExOPermissions.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Service Principals/New-ManagedIdentityGraphExOPermissions.ps1

/Graph/Service Principals/Update SAML Certificate Expiration Email Addresses.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Service Principals/Update SAML Certificate Expiration Email Addresses.ps1

/Graph/Users/Get-UserObjectIds.ps1:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Graph/Users/Get-UserObjectIds.ps1

/KQL-Functions/func-isGUID.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL-Functions/func-isGUID.kql

/KQL-Functions/func-isTrustedIP.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL-Functions/func-isTrustedIP.kql

/KQL/ConditionalAccessPolicies/CAP-Gap-Detections.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/ConditionalAccessPolicies/CAP-Gap-Detections.md

/KQL/Deception Alert Triage/All Network Activity around Deception Detection.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Deception Alert Triage/All Network Activity around Deception Detection.md

/KQL/Deception Alert Triage/Interesting Network Activity_aggregated.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Deception Alert Triage/Interesting Network Activity_aggregated.md

/KQL/Deception Alert Triage/Suspicious Archiving Activity.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Deception Alert Triage/Suspicious Archiving Activity.md

/KQL/Deception Alert Triage/User_Host Logon Info.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Deception Alert Triage/User_Host Logon Info.md

/KQL/Domain/ProcessUtilizingSAMR.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Domain/ProcessUtilizingSAMR.kql

/KQL/Email-Collab/MS-Advisory-Note-Abuse.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Email-Collab/MS-Advisory-Note-Abuse.md

/KQL/Endpoint/AbnormalRateInterestingCommands.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/AbnormalRateInterestingCommands.kql

/KQL/Endpoint/AntiForensicsActivityOnEndpoint.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/AntiForensicsActivityOnEndpoint.md

/KQL/Endpoint/EndpointMissingAgents.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/EndpointMissingAgents.md

/KQL/Endpoint/Live Response Session Review.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/Live Response Session Review.md

/KQL/Endpoint/Live Response via API Session Review.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/Live Response via API Session Review.md

/KQL/Endpoint/Low Prev Svc Installs by SvcName.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/Low Prev Svc Installs by SvcName.md

/KQL/Endpoint/SuspiciousRegistryValueSet.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Endpoint/SuspiciousRegistryValueSet.kql

/KQL/OfficeActivity/Possible-AI-Bots-in-Teams-Meeting.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/OfficeActivity/Possible-AI-Bots-in-Teams-Meeting.md

/KQL/Okta/Okta-ADAgentAPITokenCreated.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Okta/Okta-ADAgentAPITokenCreated.kql

/KQL/Okta/Okta-MultipleUsersFromAnUntrustedIP.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Okta/Okta-MultipleUsersFromAnUntrustedIP.kql

/KQL/Okta/Okta-MultipleUsersSameMFANumber.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Okta/Okta-MultipleUsersSameMFANumber.kql

/KQL/Okta/Okta-MultipleUsersWithSameSMSforMFA.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Okta/Okta-MultipleUsersWithSameSMSforMFA.kql

/KQL/Okta/Okta-PossiblePasswordSprayActivity.kql:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Okta/Okta-PossiblePasswordSprayActivity.kql

/KQL/README.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/README.md

/KQL/Reports/UserProvisioningFailures.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Reports/UserProvisioningFailures.md

/KQL/Table Info/DeviceEvents_ActionTypes.txt:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/Table Info/DeviceEvents_ActionTypes.txt

/KQL/UEBA/ShadowCredentialsAddedtoADComputerObject.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/KQL/UEBA/ShadowCredentialsAddedtoADComputerObject.md

/LICENSE:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/LICENSE

/README.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/README.md

/Sentinel/LogSources/PaloAltoNetworks/CEF-Log-Formats.md:
https://raw.githubusercontent.com/AttacktheSOC/Azure-SecOps/HEAD/Sentinel/LogSources/PaloAltoNetworks/CEF-Log-Formats.md