├── .github ├── scripts │ ├── M365IpRanges.ps1 │ └── ParseFilterDriver.ps1 └── workflows │ ├── ExternalData-GoogleOneVPNIPRanges.yml │ ├── ExternalData-M365IpRanges.yml │ ├── ExternalData-MicrosoftFSFilter.yml │ └── ExternalData-iCloudPrivateRelayIPRanges.yml ├── AnalyticsRules ├── AWSGuardDutyAlert.yaml ├── AzureHoundActivityDetected.yaml ├── AzureHoundReconnaissanceDetected.yaml ├── AzureVmRunCommandOrCustomScriptExecutionDetected.yaml ├── DangerousAPIPermissionConsented.yaml ├── EnrollmentAttemptWithADCSESC1HoneypotTemplate.yaml ├── GraphRunnerReconnaissanceDetected.yaml ├── HighPrivilegedRoleAssigned.yaml ├── NewLighthouseServiceProviderWasAdded.yaml ├── OwnerAddedToHighPrivilegedApplication.yaml ├── PasswordResetOnHighPrivilegedUser.yaml ├── PotentialMaliciousSign-inFromAzureADConnectAccount.yaml ├── PotentialMaliciousSign-inFromAzureADConnectAccountUEBA.yaml ├── PotentialMalicousDomainRegistration.yaml ├── PurpleKnightReconnaissanceDetected.yaml ├── SecretAddedToHighPrivilegedApplication.yaml ├── SingleFactorAuthenticationSignInUsingPasswordDetected.yaml ├── TokenReplayOfWorkloadIdentityFromOutsideOfAzureNetworkRange.yaml ├── UnusualSensitiveActionPerformedByAzureADConnectAccount.yaml └── UnusualSensitiveActionPerformedByAzureADConnectAccountUEBA.yaml ├── DataCollection ├── JSON │ ├── customTable.bicep │ ├── dataCollectionResources.bicep │ ├── main.bicep │ └── sample.params.jsonc ├── README.md └── Text │ ├── customTable.bicep │ ├── dataCollectionResources.bicep │ ├── main.bicep │ └── sample.params.jsonc ├── Defender XDR ├── DefenderForIdentityInventory.md ├── DetectAzureHoundActivity.md ├── DetectGraphRunnerActivity.md ├── DetectPurpleKnightActivity.md ├── DetectUnsualPRTTokenAcquisitionPattern.md ├── SignInWithDeviceCodeFlowFollowedByDeviceRegistration.md ├── SuspiciousTeamsMessagesBasedOnUnicodeInDisplayName.md └── WhatsAppZIPDownloadFollowedByPowerShellExecution.md ├── ExternalData ├── FSFilter.csv ├── GoogleOneVPNIPRanges.csv ├── Microsoft365IPAddressRanges.csv ├── README.md └── iCloudPrivateRelayIPRanges.csv ├── HuntingQueries ├── AzureVMRunCommandorCustomScriptExecution.yaml ├── ChangesToAzureLighthouseDelegation.yaml ├── GrantHighPrivilegeAzureADRoleToIdentity.yaml └── GrantHighPrivilegeMicrosoftGraphPermissions.yaml ├── LogicApps ├── AutoCloseAppleiCloudPrivateRelayIncidents.arm.json ├── README.md ├── SyncDfCAlertsWithSentinelIncidents-SMI.arm.json ├── SyncDfCAlertsWithSentinelIncidents-UMI.arm.json └── Template.arm.json ├── README.md └── images └── AzureDominancePathsColor.png /.github/scripts/M365IpRanges.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/.github/scripts/M365IpRanges.ps1 -------------------------------------------------------------------------------- /.github/scripts/ParseFilterDriver.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/.github/scripts/ParseFilterDriver.ps1 -------------------------------------------------------------------------------- /.github/workflows/ExternalData-GoogleOneVPNIPRanges.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/.github/workflows/ExternalData-GoogleOneVPNIPRanges.yml -------------------------------------------------------------------------------- /.github/workflows/ExternalData-M365IpRanges.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/.github/workflows/ExternalData-M365IpRanges.yml -------------------------------------------------------------------------------- /.github/workflows/ExternalData-MicrosoftFSFilter.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/.github/workflows/ExternalData-MicrosoftFSFilter.yml -------------------------------------------------------------------------------- /.github/workflows/ExternalData-iCloudPrivateRelayIPRanges.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/.github/workflows/ExternalData-iCloudPrivateRelayIPRanges.yml -------------------------------------------------------------------------------- /AnalyticsRules/AWSGuardDutyAlert.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/AWSGuardDutyAlert.yaml -------------------------------------------------------------------------------- /AnalyticsRules/AzureHoundActivityDetected.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/AzureHoundActivityDetected.yaml -------------------------------------------------------------------------------- /AnalyticsRules/AzureHoundReconnaissanceDetected.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/AzureHoundReconnaissanceDetected.yaml -------------------------------------------------------------------------------- /AnalyticsRules/AzureVmRunCommandOrCustomScriptExecutionDetected.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/AzureVmRunCommandOrCustomScriptExecutionDetected.yaml -------------------------------------------------------------------------------- /AnalyticsRules/DangerousAPIPermissionConsented.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/DangerousAPIPermissionConsented.yaml -------------------------------------------------------------------------------- /AnalyticsRules/EnrollmentAttemptWithADCSESC1HoneypotTemplate.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/EnrollmentAttemptWithADCSESC1HoneypotTemplate.yaml -------------------------------------------------------------------------------- /AnalyticsRules/GraphRunnerReconnaissanceDetected.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/GraphRunnerReconnaissanceDetected.yaml -------------------------------------------------------------------------------- /AnalyticsRules/HighPrivilegedRoleAssigned.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/HighPrivilegedRoleAssigned.yaml -------------------------------------------------------------------------------- /AnalyticsRules/NewLighthouseServiceProviderWasAdded.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/NewLighthouseServiceProviderWasAdded.yaml -------------------------------------------------------------------------------- /AnalyticsRules/OwnerAddedToHighPrivilegedApplication.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/OwnerAddedToHighPrivilegedApplication.yaml -------------------------------------------------------------------------------- /AnalyticsRules/PasswordResetOnHighPrivilegedUser.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/PasswordResetOnHighPrivilegedUser.yaml -------------------------------------------------------------------------------- /AnalyticsRules/PotentialMaliciousSign-inFromAzureADConnectAccount.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/PotentialMaliciousSign-inFromAzureADConnectAccount.yaml -------------------------------------------------------------------------------- /AnalyticsRules/PotentialMaliciousSign-inFromAzureADConnectAccountUEBA.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/PotentialMaliciousSign-inFromAzureADConnectAccountUEBA.yaml -------------------------------------------------------------------------------- /AnalyticsRules/PotentialMalicousDomainRegistration.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/PotentialMalicousDomainRegistration.yaml -------------------------------------------------------------------------------- /AnalyticsRules/PurpleKnightReconnaissanceDetected.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/PurpleKnightReconnaissanceDetected.yaml -------------------------------------------------------------------------------- /AnalyticsRules/SecretAddedToHighPrivilegedApplication.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/SecretAddedToHighPrivilegedApplication.yaml -------------------------------------------------------------------------------- /AnalyticsRules/SingleFactorAuthenticationSignInUsingPasswordDetected.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/SingleFactorAuthenticationSignInUsingPasswordDetected.yaml -------------------------------------------------------------------------------- /AnalyticsRules/TokenReplayOfWorkloadIdentityFromOutsideOfAzureNetworkRange.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/TokenReplayOfWorkloadIdentityFromOutsideOfAzureNetworkRange.yaml -------------------------------------------------------------------------------- /AnalyticsRules/UnusualSensitiveActionPerformedByAzureADConnectAccount.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/UnusualSensitiveActionPerformedByAzureADConnectAccount.yaml -------------------------------------------------------------------------------- /AnalyticsRules/UnusualSensitiveActionPerformedByAzureADConnectAccountUEBA.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/AnalyticsRules/UnusualSensitiveActionPerformedByAzureADConnectAccountUEBA.yaml -------------------------------------------------------------------------------- /DataCollection/JSON/customTable.bicep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/JSON/customTable.bicep -------------------------------------------------------------------------------- /DataCollection/JSON/dataCollectionResources.bicep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/JSON/dataCollectionResources.bicep -------------------------------------------------------------------------------- /DataCollection/JSON/main.bicep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/JSON/main.bicep -------------------------------------------------------------------------------- /DataCollection/JSON/sample.params.jsonc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/JSON/sample.params.jsonc -------------------------------------------------------------------------------- /DataCollection/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/README.md -------------------------------------------------------------------------------- /DataCollection/Text/customTable.bicep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/Text/customTable.bicep -------------------------------------------------------------------------------- /DataCollection/Text/dataCollectionResources.bicep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/Text/dataCollectionResources.bicep -------------------------------------------------------------------------------- /DataCollection/Text/main.bicep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/Text/main.bicep -------------------------------------------------------------------------------- /DataCollection/Text/sample.params.jsonc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/DataCollection/Text/sample.params.jsonc -------------------------------------------------------------------------------- /Defender XDR/DefenderForIdentityInventory.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/DefenderForIdentityInventory.md -------------------------------------------------------------------------------- /Defender XDR/DetectAzureHoundActivity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/DetectAzureHoundActivity.md -------------------------------------------------------------------------------- /Defender XDR/DetectGraphRunnerActivity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/DetectGraphRunnerActivity.md -------------------------------------------------------------------------------- /Defender XDR/DetectPurpleKnightActivity.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/DetectPurpleKnightActivity.md -------------------------------------------------------------------------------- /Defender XDR/DetectUnsualPRTTokenAcquisitionPattern.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/DetectUnsualPRTTokenAcquisitionPattern.md -------------------------------------------------------------------------------- /Defender XDR/SignInWithDeviceCodeFlowFollowedByDeviceRegistration.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/SignInWithDeviceCodeFlowFollowedByDeviceRegistration.md -------------------------------------------------------------------------------- /Defender XDR/SuspiciousTeamsMessagesBasedOnUnicodeInDisplayName.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/SuspiciousTeamsMessagesBasedOnUnicodeInDisplayName.md -------------------------------------------------------------------------------- /Defender XDR/WhatsAppZIPDownloadFollowedByPowerShellExecution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/Defender XDR/WhatsAppZIPDownloadFollowedByPowerShellExecution.md -------------------------------------------------------------------------------- /ExternalData/FSFilter.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/ExternalData/FSFilter.csv -------------------------------------------------------------------------------- /ExternalData/GoogleOneVPNIPRanges.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/ExternalData/GoogleOneVPNIPRanges.csv -------------------------------------------------------------------------------- /ExternalData/Microsoft365IPAddressRanges.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/ExternalData/Microsoft365IPAddressRanges.csv -------------------------------------------------------------------------------- /ExternalData/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/ExternalData/README.md -------------------------------------------------------------------------------- /ExternalData/iCloudPrivateRelayIPRanges.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/ExternalData/iCloudPrivateRelayIPRanges.csv -------------------------------------------------------------------------------- /HuntingQueries/AzureVMRunCommandorCustomScriptExecution.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/HuntingQueries/AzureVMRunCommandorCustomScriptExecution.yaml -------------------------------------------------------------------------------- /HuntingQueries/ChangesToAzureLighthouseDelegation.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/HuntingQueries/ChangesToAzureLighthouseDelegation.yaml -------------------------------------------------------------------------------- /HuntingQueries/GrantHighPrivilegeAzureADRoleToIdentity.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/HuntingQueries/GrantHighPrivilegeAzureADRoleToIdentity.yaml -------------------------------------------------------------------------------- /HuntingQueries/GrantHighPrivilegeMicrosoftGraphPermissions.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/HuntingQueries/GrantHighPrivilegeMicrosoftGraphPermissions.yaml -------------------------------------------------------------------------------- /LogicApps/AutoCloseAppleiCloudPrivateRelayIncidents.arm.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/LogicApps/AutoCloseAppleiCloudPrivateRelayIncidents.arm.json -------------------------------------------------------------------------------- /LogicApps/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/LogicApps/README.md -------------------------------------------------------------------------------- /LogicApps/SyncDfCAlertsWithSentinelIncidents-SMI.arm.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/LogicApps/SyncDfCAlertsWithSentinelIncidents-SMI.arm.json -------------------------------------------------------------------------------- /LogicApps/SyncDfCAlertsWithSentinelIncidents-UMI.arm.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/LogicApps/SyncDfCAlertsWithSentinelIncidents-UMI.arm.json -------------------------------------------------------------------------------- /LogicApps/Template.arm.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/LogicApps/Template.arm.json -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/README.md -------------------------------------------------------------------------------- /images/AzureDominancePathsColor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f-bader/AzSentinelQueries/HEAD/images/AzureDominancePathsColor.png --------------------------------------------------------------------------------