├── AKS
│   ├── DefenseEvasion-AKSEventsDeleted.kql
│   ├── DefenseEvasion-Pods Created in KubeNamespaces.kql
│   ├── DeletePods.kql
│   ├── Execution-ExecIntoContainer.kql
│   ├── InitialAccess-AnonymousRequestAllowed.kql
│   ├── InitialAccess-KubeconfigfileAccess.kql
│   ├── Persistence-CronjobCreated.kql
│   ├── PrivilegeEscalation-ClusterAdminRoleBinding.kql
│   ├── PrivilegeEscalation-PrivilegedContainerCreated.kql
│   ├── PrivilegeEscalation-PrivilegedContainerViaRunAsUser.kql
│   └── Readme.md
├── AgentHeartBeatIgnoreDeadMachines.kql
├── Auditing
│   ├── AuditingLicense.md
│   └── Locks.md
├── Az
│   ├── Export Analytic Rules
│   ├── List All Query Packs
│   ├── Microsoft Sentinel Creation.md
│   ├── Workbooks.md
│   └── workbookexport.sh
├── Azure SQL
│   ├── AlteredUserRoleInSQL.kql
│   ├── DatabaseAuthenticationFailures.kql
│   ├── DatabaseDeletedSuccessfully.kql
│   ├── FailedSQLLogins.kql
│   ├── MultipleFailedLoginsFromSingleIP.kql
│   ├── MultipleFailedLoginsInShortSpan.kql
│   ├── NewLoginCreatedSuccessfully.kql
│   ├── TableDeletedSuccessfully.kql
│   ├── UserAddedInSecurityAdminRole.kql
│   ├── UserAddedInSysadminRole.kql
│   ├── UserAddedTo-loginmanager|dbmanager-roles.kql
│   ├── UserRemovedFromDatabase.kql
│   ├── UserRemovedFromSecurityAdminRole.kql
│   └── UserRemovedFromServerRole.kql
├── AzureThreatMatrix
│   ├── Defense Evasion.md
│   └── Images
│       ├── DetectUnifiedAuditLogDisabled.png
│       └── UnifiedAuditLogDisabled.png
├── CountOfEvents.kql
├── CustomConnectors
│   └── Edgio
│       ├── DCECreationTemplate.json
│       ├── DCRCreationTemplate.json
│       └── Edgioupdate.py
├── DailyCapReached.kql
├── DataIngestionFirewallSources.kql
├── DefenderEndpointLinuxDeviceHealth
├── Detect-Follina-Exploitation.kql
├── DetectLogIngestionStoppage.kql
├── EntraID Signins
│   └── TorTraffic.md
├── EntraID
│   ├── AppPasswords.md
│   ├── Directory Synchronization Accounts.md
│   ├── Images
│   │   └── AppPasswords.png
│   ├── PasswordReset.md
│   └── Update PIM Settings.md
├── LICENSE
├── MigrationQueries
│   ├── AnalyticalRulesCreated.kql
│   ├── QuerypacksCreated.kql
│   ├── WatchlistCreated.kql
│   └── WorkbookCreated.kql
├── Parsers
│   ├── Arista
│   │   └── WirelessManagerParser.md
│   ├── Cisco ISE
│   │   └── Parser.md
│   ├── Fortinet
│   │   ├── FortinetGrokParser-Fortinet
│   │   ├── FortinetUTMIPSLogs
│   │   └── FortinetUTMVirusLogs
│   ├── Huawei
│   │   └── SwitchParser.md
│   ├── Nutanix
│   │   ├── API_Audit.md
│   │   └── AuditLogs.md
│   └── PaloAlto
│       └── PaloAltoParser-Grok
├── README.md
├── Storage Accounts
│   ├── Disable cloud workload protection.md
│   ├── Disable or Delete Audit Logs.md
│   ├── Images
│   │   ├── CWP.png
│   │   ├── CWP1.png
│   │   ├── CWP2.png
│   │   ├── LogBehaviour.png
│   │   ├── LogBehaviour1.png
│   │   ├── Sample_Logs.png
│   │   └── more.png
│   ├── PersistenceSftpAccount.md
│   ├── README.md
│   └── SftpAccess.md
├── SuddenSpikeInDataIngestion.kql
├── Telnetcheck.ps1
├── ThreatHunting
│   └── TiktokVideos-Infostealer-Delivery.md
├── Threats
│   ├── Cryptominer
│   │   ├── CryptominerTargetingBatchAccounts.md
│   │   └── Images
│   │       ├── Binary.png
│   │       ├── Binary1.png
│   │       ├── CodeRepo.png
│   │       ├── Image.png
│   │       ├── Initiate.png
│   │       └── soome.txt
│   ├── Saas-Ransomware-0mega-hunting.kql
│   └── WinRar-CVE-2023-38831
│       ├── 2023-10-12_13-34.png
│       ├── 2023-10-12_13-36_1.png
│       └── WinRar-CVE-2023-38831.kql
├── Windows
│   ├── Command and Control
│   │   └── T1105-Ingress Tool Transfer.md
│   ├── Defense Evasion
│   │   ├── Impair Defenses
│   │   │   └── Disable or Modify Tools.md
│   │   ├── Masquerading
│   │   │   └── Double File Extension.md
│   │   ├── Subvert Trust Control
│   │   │   └── T1553-Install Root Certificate.md
│   │   └── T1140-Debofuscaste_Decode Files or Information.md
│   ├── DetectAtexec.kql
│   ├── ImpacketPsexecDetect.kql
│   ├── Indicator Removal
│   │   └── SysmonEventsCleared.kql
│   ├── MultiplePasswordReset.kql
│   ├── NTLMV1UsedInEnvironment
│   ├── OS Credential Dumping
│   │   ├── HuntForSqldumper.kql
│   │   ├── HuntingForShtinkeringLsass.kql
│   │   └── T1003.001-WDigestAuthDowngrade.kql
│   ├── Persistence
│   │   ├── Bitsadmin.kql
│   │   └── CompatTelRunnerHunting.kql
│   └── T1572-ProtocolTunneling
│       ├── LogCollectionGuide-For-ngrok.png
│       ├── RDPTunnelViaNgrok.kql
│       └── Readme.md
└── Zerodays
    └── MiningTeamsToken.kql

/AKS/DefenseEvasion-AKSEventsDeleted.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/DefenseEvasion-AKSEventsDeleted.kql

/AKS/DefenseEvasion-Pods Created in KubeNamespaces.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/DefenseEvasion-Pods Created in KubeNamespaces.kql

/AKS/DeletePods.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/DeletePods.kql

/AKS/Execution-ExecIntoContainer.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/Execution-ExecIntoContainer.kql

/AKS/InitialAccess-AnonymousRequestAllowed.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/InitialAccess-AnonymousRequestAllowed.kql

/AKS/InitialAccess-KubeconfigfileAccess.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/InitialAccess-KubeconfigfileAccess.kql

/AKS/Persistence-CronjobCreated.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/Persistence-CronjobCreated.kql

/AKS/PrivilegeEscalation-ClusterAdminRoleBinding.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/PrivilegeEscalation-ClusterAdminRoleBinding.kql

/AKS/PrivilegeEscalation-PrivilegedContainerCreated.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/PrivilegeEscalation-PrivilegedContainerCreated.kql

/AKS/PrivilegeEscalation-PrivilegedContainerViaRunAsUser.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/PrivilegeEscalation-PrivilegedContainerViaRunAsUser.kql

/AKS/Readme.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AKS/Readme.md

/AgentHeartBeatIgnoreDeadMachines.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AgentHeartBeatIgnoreDeadMachines.kql

/Auditing/AuditingLicense.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Auditing/AuditingLicense.md

/Auditing/Locks.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Auditing/Locks.md

/Az/Export Analytic Rules:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Az/Export Analytic Rules

/Az/List All Query Packs:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Az/List All Query Packs

/Az/Microsoft Sentinel Creation.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Az/Microsoft Sentinel Creation.md

/Az/Workbooks.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Az/Workbooks.md

/Az/workbookexport.sh:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Az/workbookexport.sh

/Azure SQL/AlteredUserRoleInSQL.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/AlteredUserRoleInSQL.kql

/Azure SQL/DatabaseAuthenticationFailures.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/DatabaseAuthenticationFailures.kql

/Azure SQL/DatabaseDeletedSuccessfully.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/DatabaseDeletedSuccessfully.kql

/Azure SQL/FailedSQLLogins.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/FailedSQLLogins.kql

/Azure SQL/MultipleFailedLoginsFromSingleIP.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/MultipleFailedLoginsFromSingleIP.kql

/Azure SQL/MultipleFailedLoginsInShortSpan.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/MultipleFailedLoginsInShortSpan.kql

/Azure SQL/NewLoginCreatedSuccessfully.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/NewLoginCreatedSuccessfully.kql

/Azure SQL/TableDeletedSuccessfully.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/TableDeletedSuccessfully.kql

/Azure SQL/UserAddedInSecurityAdminRole.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/UserAddedInSecurityAdminRole.kql

/Azure SQL/UserAddedInSysadminRole.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/UserAddedInSysadminRole.kql

/Azure SQL/UserAddedTo-loginmanager|dbmanager-roles.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/UserAddedTo-loginmanager|dbmanager-roles.kql

/Azure SQL/UserRemovedFromDatabase.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/UserRemovedFromDatabase.kql

/Azure SQL/UserRemovedFromSecurityAdminRole.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/UserRemovedFromSecurityAdminRole.kql

/Azure SQL/UserRemovedFromServerRole.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Azure SQL/UserRemovedFromServerRole.kql

/AzureThreatMatrix/Defense Evasion.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AzureThreatMatrix/Defense Evasion.md

/AzureThreatMatrix/Images/DetectUnifiedAuditLogDisabled.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AzureThreatMatrix/Images/DetectUnifiedAuditLogDisabled.png

/AzureThreatMatrix/Images/UnifiedAuditLogDisabled.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/AzureThreatMatrix/Images/UnifiedAuditLogDisabled.png

/CountOfEvents.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/CountOfEvents.kql

/CustomConnectors/Edgio/DCECreationTemplate.json:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/CustomConnectors/Edgio/DCECreationTemplate.json

/CustomConnectors/Edgio/DCRCreationTemplate.json:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/CustomConnectors/Edgio/DCRCreationTemplate.json

/CustomConnectors/Edgio/Edgioupdate.py:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/CustomConnectors/Edgio/Edgioupdate.py

/DailyCapReached.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/DailyCapReached.kql

/DataIngestionFirewallSources.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/DataIngestionFirewallSources.kql

/DefenderEndpointLinuxDeviceHealth:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/DefenderEndpointLinuxDeviceHealth

/Detect-Follina-Exploitation.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Detect-Follina-Exploitation.kql

/DetectLogIngestionStoppage.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/DetectLogIngestionStoppage.kql

/EntraID Signins/TorTraffic.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/EntraID Signins/TorTraffic.md

/EntraID/AppPasswords.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/EntraID/AppPasswords.md

/EntraID/Directory Synchronization Accounts.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/EntraID/Directory Synchronization Accounts.md

/EntraID/Images/AppPasswords.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/EntraID/Images/AppPasswords.png

/EntraID/PasswordReset.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/EntraID/PasswordReset.md

/EntraID/Update PIM Settings.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/EntraID/Update PIM Settings.md

/LICENSE:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/LICENSE

/MigrationQueries/AnalyticalRulesCreated.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/MigrationQueries/AnalyticalRulesCreated.kql

/MigrationQueries/QuerypacksCreated.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/MigrationQueries/QuerypacksCreated.kql

/MigrationQueries/WatchlistCreated.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/MigrationQueries/WatchlistCreated.kql

/MigrationQueries/WorkbookCreated.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/MigrationQueries/WorkbookCreated.kql

/Parsers/Arista/WirelessManagerParser.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Arista/WirelessManagerParser.md

/Parsers/Cisco ISE/Parser.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Cisco ISE/Parser.md

/Parsers/Fortinet/FortinetGrokParser-Fortinet:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Fortinet/FortinetGrokParser-Fortinet

/Parsers/Fortinet/FortinetUTMIPSLogs:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Fortinet/FortinetUTMIPSLogs

/Parsers/Fortinet/FortinetUTMVirusLogs:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Fortinet/FortinetUTMVirusLogs

/Parsers/Huawei/SwitchParser.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Huawei/SwitchParser.md

/Parsers/Nutanix/API_Audit.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Nutanix/API_Audit.md

/Parsers/Nutanix/AuditLogs.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/Nutanix/AuditLogs.md

/Parsers/PaloAlto/PaloAltoParser-Grok:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Parsers/PaloAlto/PaloAltoParser-Grok

/README.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/README.md

/Storage Accounts/Disable cloud workload protection.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Disable cloud workload protection.md

/Storage Accounts/Disable or Delete Audit Logs.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Disable or Delete Audit Logs.md

/Storage Accounts/Images/CWP.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/CWP.png

/Storage Accounts/Images/CWP1.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/CWP1.png

/Storage Accounts/Images/CWP2.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/CWP2.png

/Storage Accounts/Images/LogBehaviour.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/LogBehaviour.png

/Storage Accounts/Images/LogBehaviour1.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/LogBehaviour1.png

/Storage Accounts/Images/Sample_Logs.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/Sample_Logs.png

/Storage Accounts/Images/more.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/Images/more.png

/Storage Accounts/PersistenceSftpAccount.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/PersistenceSftpAccount.md

/Storage Accounts/README.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/README.md

/Storage Accounts/SftpAccess.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Storage Accounts/SftpAccess.md

/SuddenSpikeInDataIngestion.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/SuddenSpikeInDataIngestion.kql

/Telnetcheck.ps1:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Telnetcheck.ps1

/ThreatHunting/TiktokVideos-Infostealer-Delivery.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/ThreatHunting/TiktokVideos-Infostealer-Delivery.md

/Threats/Cryptominer/CryptominerTargetingBatchAccounts.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Cryptominer/CryptominerTargetingBatchAccounts.md

/Threats/Cryptominer/Images/Binary.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Cryptominer/Images/Binary.png

/Threats/Cryptominer/Images/Binary1.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Cryptominer/Images/Binary1.png

/Threats/Cryptominer/Images/CodeRepo.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Cryptominer/Images/CodeRepo.png

/Threats/Cryptominer/Images/Image.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Cryptominer/Images/Image.png

/Threats/Cryptominer/Images/Initiate.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Cryptominer/Images/Initiate.png

/Threats/Cryptominer/Images/soome.txt:
(empty file)

/Threats/Saas-Ransomware-0mega-hunting.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/Saas-Ransomware-0mega-hunting.kql

/Threats/WinRar-CVE-2023-38831/2023-10-12_13-34.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/WinRar-CVE-2023-38831/2023-10-12_13-34.png

/Threats/WinRar-CVE-2023-38831/2023-10-12_13-36_1.png:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/WinRar-CVE-2023-38831/2023-10-12_13-36_1.png

/Threats/WinRar-CVE-2023-38831/WinRar-CVE-2023-38831.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Threats/WinRar-CVE-2023-38831/WinRar-CVE-2023-38831.kql

/Windows/Command and Control/T1105-Ingress Tool Transfer.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Command and Control/T1105-Ingress Tool Transfer.md

/Windows/Defense Evasion/Impair Defenses/Disable or Modify Tools.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Defense Evasion/Impair Defenses/Disable or Modify Tools.md

/Windows/Defense Evasion/Masquerading/Double File Extension.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Defense Evasion/Masquerading/Double File Extension.md

/Windows/Defense Evasion/Subvert Trust Control/T1553-Install Root Certificate.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Defense Evasion/Subvert Trust Control/T1553-Install Root Certificate.md

/Windows/Defense Evasion/T1140-Debofuscaste_Decode Files or Information.md:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Defense Evasion/T1140-Debofuscaste_Decode Files or Information.md

/Windows/DetectAtexec.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/DetectAtexec.kql

/Windows/ImpacketPsexecDetect.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/ImpacketPsexecDetect.kql

/Windows/Indicator Removal/SysmonEventsCleared.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Indicator Removal/SysmonEventsCleared.kql

/Windows/MultiplePasswordReset.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/MultiplePasswordReset.kql

/Windows/NTLMV1UsedInEnvironment:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/NTLMV1UsedInEnvironment

/Windows/OS Credential Dumping/HuntForSqldumper.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/OS Credential Dumping/HuntForSqldumper.kql

/Windows/OS Credential Dumping/HuntingForShtinkeringLsass.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/OS Credential Dumping/HuntingForShtinkeringLsass.kql

/Windows/OS Credential Dumping/T1003.001-WDigestAuthDowngrade.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/OS Credential Dumping/T1003.001-WDigestAuthDowngrade.kql

/Windows/Persistence/Bitsadmin.kql:
https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Persistence/Bitsadmin.kql
-------------------------------------------------------------------------------- /Windows/Persistence/CompatTelRunnerHunting.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/Persistence/CompatTelRunnerHunting.kql -------------------------------------------------------------------------------- /Windows/T1572-ProtocolTunneling/LogCollectionGuide-For-ngrok.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/T1572-ProtocolTunneling/LogCollectionGuide-For-ngrok.png -------------------------------------------------------------------------------- /Windows/T1572-ProtocolTunneling/RDPTunnelViaNgrok.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/T1572-ProtocolTunneling/RDPTunnelViaNgrok.kql -------------------------------------------------------------------------------- /Windows/T1572-ProtocolTunneling/Readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Windows/T1572-ProtocolTunneling/Readme.md -------------------------------------------------------------------------------- /Zerodays/MiningTeamsToken.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/le0li9ht/Microsoft-Sentinel-Queries/HEAD/Zerodays/MiningTeamsToken.kql --------------------------------------------------------------------------------