├── AWS-PublicIPAddedtoInstance.kql
├── Active Directory
│   ├── AADPasswordProtection-AllEvents.kql
│   ├── SecurityEvent-AccountPreAuthChanges.kql
│   ├── SecurityEvent-AccountSensitivityChanged.kql
│   ├── SecurityEvent-AccountSetPasswordNotRequired.kql
│   ├── SecurityEvent-AnomalousIPCRecon.kql
│   ├── SecurityEvent-DailySummaryofGroupAdditions.kql
│   ├── SecurityEvent-DetectPrivilegedAADAdminPasswordChange.kql
│   ├── SecurityEvent-GPOInheritanceChanged.kql
│   ├── SecurityEvent-LogonToDeviceListChanged.kql
│   ├── SecurityEvent-SummarizePrivilegesAssignedonLogon.kql
│   ├── SecurityEvent-SummarizeRDPActivity.kql
│   ├── SecurityEvent-UACFlagParser.kql
│   ├── SecurityEvent-UnconstrainedDelegationEnabled.kql
│   ├── SecurityEvent-UnconstrainedDelegationtoUser.kql
│   └── SecurityEvent-VisualizeAccountsCreatedDisabledDeleted.kql
├── Anamoly-HigherThanExpectedSysLog.kql
├── Azure AD Abuse Detection
│   └── README.md
├── Azure Active Directory
│   ├── Audit-AccessPackageCreated.kql
│   ├── Audit-AdminActionsfromRiskyUsers.kql
│   ├── Audit-AllowedBlockedDomainListChanges.kql
│   ├── Audit-AppProxySettoPassThrough.kql
│   ├── Audit-BitLockerKeyRetrieved.kql
│   ├── Audit-CustomSecurityAttributeSet.kql
│   ├── Audit-DailySummaryofAdminActivity.kql
│   ├── Audit-DetectAADInternalsUse.kql
│   ├── Audit-DetectActivePIMAssignment.kql
│   ├── Audit-DetectAdvancedAuditingDisabled.kql
│   ├── Audit-DetectConditionalAccessChangesAfterHours.kql
│   ├── Audit-DetectCredentialAddedtoApp.kql
│   ├── Audit-DetectFirstTimeCAPolicyChange.kql
│   ├── Audit-DetectFirstTimeServicePrincipalCreation.kql
│   ├── Audit-DetectNewCrossTenantSetting.kql
│   ├── Audit-DetectNewPrivilegedGroupAdded.kql
│   ├── Audit-DetectPIMActivationsOutsideWorkingHours.kql
│   ├── Audit-DetectSPAddedAfterHours.kql
│   ├── Audit-DetectSSPRAfterHours.kql
│   ├── Audit-DetectSSPRFromUnknownIP.kql
│   ├── Audit-EventsbyRiskyPrivilegedUser.kql
│   ├── Audit-FindUsersFailingNewPasswordSSPR.kql
│   ├── Audit-FindUsersFailingSSPR.kql
│   ├── Audit-FirstTimePIMActivationOutsideWorkingHours.kql
│   ├── Audit-GroupAddedtoPIM.kql
│   ├── Audit-GroupMFARegistrationbyPhoneNumber.kql
│   ├── Audit-GuestAddedtoPIM.kql
│   ├── Audit-ListBulkActivities.kql
│   ├── Audit-MFAChangesforPrivlegedUsers.kql
│   ├── Audit-MultipleUsersSameMFANumber.kql
│   ├── Audit-NamedLocationsChanged.kql
│   ├── Audit-NewDomainAdded.kql
│   ├── Audit-NewOperations.kql
│   ├── Audit-NewPIMRoleActivated.kql
│   ├── Audit-NewPrivilegedActions.kql
│   ├── Audit-NewTenantCreated.kql
│   ├── Audit-PivotTableofPrivilegedUserActions.kql
│   ├── Audit-RedirectURIChanged.kql
│   ├── Audit-SummarizePIMRolesActivated.kql
│   ├── Audit-SummarizeWeeklyPIM.kql
│   ├── Audit-UserAddedandRemovedfromRole.kql
│   ├── Audit-UserAddedtoRoleOutsidePIM.kql
│   ├── Audit-UsersAddedtoDynamicGroups.kql
│   ├── Audit-UsersWhoHaventElevatedPIM.kql
│   ├── Audit-UserswithPrivRolesbutnoActivity.kql
│   ├── Audit-VisualizeSSPRSuccessvsFailure.kql
│   ├── Identity-AADRiskEventCorrelation.kql
│   ├── Identity-AdminUpdatingSecurityInfo.kql
│   ├── Identity-AlertGuestDeniedAccesstoMultipleApps.kql
│   ├── Identity-AlertsFromPrivilegedUsers.kql
│   ├── Identity-AnomalousConditionalAccessFailures.kql
│   ├── Identity-AppAccessMembersvsGuests.kql
│   ├── Identity-ApplicationAccessReview.kql
│   ├── Identity-AppsWithMoreGuests.kql
│   ├── Identity-AppswithmostSFAPrivUsers.kql
│   ├── Identity-AuthStrengthMFASFAPercentage.kql
│   ├── Identity-AuthenticationStrengthsParser
│   ├── Identity-CAPoliciesNotinUse.kql
│   ├── Identity-CAPolicyStats.kql
│   ├── Identity-CalculateRiskyApps.kql
│   ├── Identity-CalculateRiskyUsers.kql
│   ├── Identity-ConditionalAccessMostFailures.kql
│   ├── Identity-ConditionalAccessPivotTable.kql
│   ├── Identity-ConditionalAccessPoliciesNotinUse.kql
│   ├── Identity-DailySummaryofUsersAddedtoAADGroups.kql
│   ├── Identity-DetectMultipleDistinctRiskEvents.kql
│   ├── Identity-DetectingFirstTimeAccesstoAzureManagement.kql
│   ├── Identity-DeviceCodePhishing.kql
│   ├── Identity-FindAppswithNoSignins.kql
│   ├── Identity-FindCAFailurePercentage.kql
│   ├── Identity-FindGuestsAccessingMostApps.kql
│   ├── Identity-FindInactiveManagedIdentities.kql
│   ├── Identity-FindInactiveServicePrincipals.kql
│   ├── Identity-FindMultipleCASuccesses.kql
│   ├── Identity-FindNewEnterpriseApps.kql
│   ├── Identity-FindUsersMultipleCountriesSameDay.kql
│   ├── Identity-FindUsersOnlyusingTextforMFA.kql
│   ├── Identity-FirstPartyApps.kql
│   ├── Identity-FirstTimeLegacyAuth.kql
│   ├── Identity-FirstTimeRoleAddition.kql
│   ├── Identity-FirstTimeSPBlockedbyCA.kql
│   ├── Identity-GuestAddedtoAADRole.kql
│   ├── Identity-GuestInvitesSentvsRedeemed.kql
│   ├── Identity-GuestTypeParser.kql
│   ├── Identity-GuestsAccessingNewApplications.kql
│   ├── Identity-GuestsInvitedbutnotRedeemed.kql
│   ├── Identity-HighMediumRealtimeRiskforAADRoles.kql
│   ├── Identity-InactiveGuestAccounts.kql
│   ├── Identity-InactivePrivilegedUsers.kql
│   ├── Identity-LegacyAuthPivotTable.kql
│   ├── Identity-MFAChangesfromunknownIP.kql
│   ├── Identity-MFACountPerUser.kql
│   ├── Identity-MFAMethodsPivotTable.kql
│   ├── Identity-MFANewLocationandMethod.kql
│   ├── Identity-MFAPercentageperapp.kql
│   ├── Identity-MFARegistrationfollowedbySSPR.kql
│   ├── Identity-ManagedIdentityAccessingNewResources.kql
│   ├── Identity-ManagedIdentitySummaryofResources.kql
│   ├── Identity-MuiltipleConditionalAccessFailures.kql
│   ├── Identity-MultipleCAFailures.kql
│   ├── Identity-MultipleMFAFailuresPrivUsers.kql
│   ├── Identity-ParseIPInfofromSecurityAlert.kql
│   ├── Identity-ParseUserAgent.kql
│   ├── Identity-PotentialAiTM.kql
│   ├── Identity-PotentialAppRecon.kql
│   ├── Identity-PotentialMFANumberMatchingAbuse.kql
│   ├── Identity-PotentialMFASpam.kql
│   ├── Identity-RiskEventfollowedbyMFAchanges.kql
│   ├── Identity-RiskyMFARequirementfollowedbyMFAregistration.kql
│   ├── Identity-RiskySigninFollowedbyAdminMFAChange.kql
│   ├── Identity-RoleAddedtoServicePrincipal.kql
│   ├── Identity-SSPRfollowedbyRiskySignin.kql
│   ├── Identity-SecurityAlertWithNewAgent.kql
│   ├── Identity-ServicePrincipalCreatedbyManagedIdentity.kql
│   ├── Identity-ServicePrincipalExpiredSecret.kql
│   ├── Identity-ServicePrincipalSigninErrors.kql
│   ├── Identity-ServicePrincipalSigninfromnewIP.kql
│   ├── Identity-ServicePrincipalSigninsbyIP.kql
│   ├── Identity-ServicePrincipalSummaryofResources.kql
│   ├── Identity-ServicePrincipalsMultipleLocations.kql
│   ├── Identity-ServicePrincipalsOnlyExpiredSecret.kql
│   ├── Identity-ServicePrincipalswithSingleIP.kql
│   ├── Identity-SingleFactorConnectionstoAzure.kql
│   ├── Identity-SingleFactorSigninsFromPrivUsers.kql
│   ├── Identity-SummarizeAccountInactivity.kql
│   ├── Identity-SummarizeAppUsageMonthonMonth.kql
│   ├── Identity-SummarizeConditionalAccessPoliciesfailures.kql
│   ├── Identity-SummarizeGuestConditionalAccess.kql
│   ├── Identity-SummarizeGuestDomainbyType.kql
│   ├── Identity-SummarizeGuestInactivity.kql
│   ├── Identity-SummarizeGuestTenantActivity.kql
│   ├── Identity-SummarizeInternetExplorerSignins.kql
│   ├── Identity-SummarizeLegacyAuth.kql
│   ├── Identity-SummarizeLocationSignins.kql
│   ├── Identity-SummarizeLoginInfofromMaliciousIP.kql
│   ├── Identity-SummarizeMFAFailures.kql
│   ├── Identity-SummarizeMFATop20Apps.kql
│   ├── Identity-SummarizeOutboundGuestActivity.kql
│   ├── Identity-SummarizeSigninInfoafterMFAconfig.kql
│   ├── Identity-SummarizeSuspiciousIPAddresses.kql
│   ├── Identity-SummarizeUnknownLocationnoMFA.kql
│   ├── Identity-ThirdPartyMFAFailures.kql
│   ├── Identity-Top20AppswithnoCA.kql
│   ├── Identity-Top20RandomStats.kql
│   ├── Identity-Top20RiskyLocations.kql
│   ├── Identity-UserReportedSuspiciousMFA.kql
│   ├── Identity-UserTryingtoAccessMultipleApps.kql
│   ├── Identity-VisualStdDevofMFAFailures.kql
│   ├── Identity-VisualizeConditionalAccessFailures.kql
│   ├── Identity-VisualizeControlsvsNoControls.kql
│   ├── Identity-VisualizeDistinctInboundGuests.kql
│   ├── Identity-VisualizeExternalAADGuestsvsExternalGuests.kql
│   ├── Identity-VisualizeGuestAppAccess.kql
│   ├── Identity-VisualizeGuestDomains.kql
│   ├── Identity-VisualizeGuestRedemptionswithTrend.kql
│   ├── Identity-VisualizeInboundvsOutboundGuests.kql
│   ├── Identity-VisualizeKnownvsUnknownLocation.kql
│   ├── Identity-VisualizeLegacyAuth.kql
│   ├── Identity-VisualizeLegacyAuthMethods.kql
│   ├── Identity-VisualizeMFAChallengevsPreviouslySatisfied.kql
│   ├── Identity-VisualizeMFAMethods.kql
│   ├── Identity-VisualizeMFAMethodsovertime.kql
│   ├── Identity-VisualizePasswordvsPasswordless.kql
│   ├── Identity-VisualizeRiskEventsoverTime.kql
│   ├── Identity-VisualizeSSPR.kql
│   ├── Identity-VisualizeSigninsbyDeviceTrust.kql
│   ├── Identity-VisualizeTotalvsDistinctsignins.kql
│   ├── Identity-VisualizeWorldMap.kql
│   ├── Identity-YourUsersSigningIntoOtherTenantsAsGuests.kql
│   ├── MSGraph-GuestLogonQuery
│   ├── OAuth-ApplicationPermissionsGrant.kql
│   ├── OAuth-ApporDelegatedAccessGranted.kql
│   ├── OAuth-DelegatedPermissionsGrant.kql
│   ├── OAuth-DetectingFirstTimeCredentialAddition.kql
│   ├── OAuth-FirstTimeAppConsent.kql
│   ├── OAuth-InactiveServicePrincipalswithPrivilege.kql
│   ├── OAuth-PermissionsAddedRemoved.kql
│   ├── OAuth-SummarizeCurrentAppPermissions.kql
│   ├── OAuth-SummarizePermissionGrantedtoApps.kql
│   ├── OAuth-SummarizeServicePrincipalInactivity.kql
│   ├── OAuth-TrackEventsonServicePrincipals.kql
│   ├── PIM-UserAssignedRolebutHasntActivated.kql
│   └── SSPR-PasswordResetInitiatedviaMSGraph.kql
├── Azure Activity
│   ├── Azure-ResourceLockAddedorRemoved.kql
│   ├── Azure-ServicePrincipalAddedtoAzure.kql
│   ├── AzureLogAnalytics-DetectwhenWorkspaceKeysareRead.kql
│   ├── AzureStorage-FirstTimeStorageKeyEnumeration.kql
│   ├── AzureVM-DiskImageURLGenerated.kql
│   └── Sentinel-DetectAccessAddedtoWorkspace.kql
├── Azure Bastion
│   ├── Bastion-AuditUsage.kql
│   └── Bastion-SummarizeAccountAccess.kql
├── Azure Diagnostics
│   ├── AppGateway-MostAttackedHostName.kql
│   ├── AppGateway-VisualizeWAFTraffic.kql
│   ├── CVE-2021-44228-2.kql
│   ├── CVE-2021-44228.kql
│   └── aad_pim_integration
│       └── code_sample.md
├── Azure Key Vault
│   ├── KeyVault-AccessManipulation.yaml
│   ├── KeyVault-AnomalousKeyVaultAccessbyApp.kql
│   ├── KeyVault-AnomalousKeyVaultAccessbyUser.kql
│   ├── KeyVault-DefaultFirewallRuleSettoAllow.kql
│   ├── KeyVault-IPAddedtoFirewall.kql
│   ├── KeyVault-ObjectIDAddedtoAccessPolicy.kql
│   └── KeyVault-PotentiallySensitiveOperations.kql
├── Azure Resource Graph
│   └── ARG-LogStatusOfWindowsDevices.kql
├── Azure Sentinel Incidents
│   ├── SecurityIncident-DaysSinceLastIncident.kql
│   ├── SecurityIncident-PlaybookActivities.kql
│   ├── SecurityIncident-VisualizeIncidentSeverity.kql
│   ├── SecurityIncident-VisualizeIncidentswithTrend.kql
│   └── SecurityIncident-VisualizeMitreAtt&ck.kql
├── CISA Insights
│   ├── README.md
│   └── dashboard-CISA KEV Insights.json
├── DNS
│   ├── DNS-FindDevicesThatHaveQueriedSuspiciousDomains.kql
│   └── DnsEvents-FindStaleDomains.kql
├── Data Management
│   ├── 365-Visualize365DaysofKql.kql
│   ├── Data-CalculatePercentageperTable.kql
│   ├── Data-CalculateTableSizeChanges.kql
│   ├── Data-DetectAnomalousDataIngestion.kql
│   ├── Data-NewTablesFound.kql
│   └── Data-TableSizePerMDEDevice.kql
├── Defender for Cloud Apps
│   ├── DCA-DetectAADInternalsUse.kql
│   ├── DCA-DetectAdminGrantingOwnAccesstoMailbox.kql
│   ├── DCA-DetectMailboxForward.kql
│   ├── DCA-ExchangeOnlineEventsduringRiskySignin.kql
│   ├── DCA-ExtractPhoneNumber.kql
│   ├── DCA-FindAzureADAdminActions.kql
│   ├── DCA-FindNewEvents.kql
│   ├── DCA-FindUserSubmittedPhishingSpam.kql
│   ├── DCA-FormPhishingStatusChanged.kql
│   ├── DCA-PaidTrialStarted.kql
│   ├── DCA-PivotTableAdminActions.kql
│   ├── DCA-PivotTableAdminOperations.kql
│   ├── DCA-PotentialConsentPhishing.kql
│   ├── DCA-RiskEventFollowedbyEmailForward.kql
│   ├── DCA-RiskEventFollowedbyMailboxRuleChanges.kql
│   ├── DCA-SuspiciousMailboxRuleCreated.kql
│   ├── DCA-TeamsAppInstalled.kql
│   └── DCA-VisualizeEmojiReactions.kql
├── Defender for Endpoint
│   ├── Anamoly-USBFileCopiesfromUserswithAnamolousDownloads.kql
│   ├── Device-ASRAudit.kql
│   ├── Device-ASRLsassAudit.kql
│   ├── Device-ASROfficeChildProcessAudit.kql
│   ├── Device-ASRSummary.kql
│   ├── Device-AccountswithMostLocalAdmin.kql
│   ├── Device-CreateSetofLocalAdminsperDevice.kql
│   ├── Device-DetectAnomalousRDPConnections.kql
│   ├── Device-DetectCertUtilConnectingExternally.kql
│   ├── Device-DetectCredentialBackup.kql
│   ├── Device-DetectEncodedPowershellandDecode.kql
│   ├── Device-DetectFirstTimeTeamviewerUsage.kql
│   ├── Device-DetectInboundPublicRDP.kql
│   ├── Device-DetectInternaltoExternalTeamviewer.kql
│   ├── Device-DetectInvalidCertificates.kql
│   ├── Device-DetectLocalAdminsWhoHaventElevated.kql
│   ├── Device-DetectLocalUserCreated.kql
│   ├── Device-DetectLocaltoPublicRDP.kql
│   ├── Device-DetectLogonsPriortoMDEAlert.kql
│   ├── Device-DetectMacroConnectingtoInternet.kql
│   ├── Device-DetectMacroUsage.kql
│   ├── Device-DetectMultipleFailedRemoteLogons.kql
│   ├── Device-DetectPotentialNetworkRecon.kql
│   ├── Device-DetectPuttyConnectingPublic.kql
│   ├── Device-DetectRDPRecon.kql
│   ├── Device-DetectRegistryTampering.kql
│   ├── Device-DetectSecurityLogCleared.kql
│   ├── Device-DetectURLopenedfromISOfile.kql
│   ├── Device-FileDownloadedfromO365thenCopiedtoUSB.kql
│   ├── Device-FilesCopiedtoUSBCertainGroups.kql
│   ├── Device-FindDeviceWithoutCurrentAVScan.kql
│   ├── Device-FindDevicesMostASR.kql
│   ├── Device-FindDevicesNoLongerSendingEvents.kql
│   ├── Device-FindDevicesToOnboard.kql
│   ├── Device-FindDeviceswithmostSmartScreenEvents.kql
│   ├── Device-FindDeviceswithnoASR.kql
│   ├── Device-FindNetworkRecon.kql
│   ├── Device-FindNewDevices.kql
│   ├── Device-FindNewEvents.kql
│   ├── Device-FindUsersWhoClickedonPhishing.kql
│   ├── Device-FirstTimeWhoAmI.kql
│   ├── Device-InterestingPortsOpened.kql
│   ├── Device-KnownRansomwareVuln.kql
│   ├── Device-LocalUserswithAdmin.kql
│   ├── Device-NewASREvents.kql
│   ├── Device-NewHashAccessingLSASS.kql
│   ├── Device-ParseURL.kql
│   ├── Device-PotentialDNSTunnelling.kql
│   ├── Device-PowerShellExecutionModeChanged.kql
│   ├── Device-PowershellConnectingtoInternet.kql
│   ├── Device-ProcessModifiedPrimaryToken.kql
│   ├── Device-PublicPort22Allowed.kql
│   ├── Device-SSHTrafficOnNonStandardPort.kql
│   ├── Device-SummarizeLDAPandLDAPStraffic.kql
│   ├── Device-SummarizeLocalGroupAdditions.kql
│   ├── Device-SummarizeLocalLogonActivity.kql
│   ├── Device-SummarizeMacroUsage.kql
│   ├── Device-SummarizeRDPConnections.kql
│   ├── Device-SummarizeSSHPortOpenedInbound.kql
│   ├── Device-SummarizeSmartScreenPhishingDomains.kql
│   ├── Device-SummarizeSmartScreenUntrustedFiles.kql
│   ├── Device-SummaryofDeviceLogons.kql
│   ├── Device-Top20DepartmentsCopyingDatatoUSBbyCount.kql
│   ├── Device-Top20DepartmentsCopyingDatatoUSBbySize.kql
│   ├── Device-Top20RandomActions.kql
│   ├── Device-UserAddedasLocalAdmin.kql
│   ├── Device-VisualizeASREventswithtrend.kql
│   ├── Device-VisualizeMaliciousSmartScreenURLs.kql
│   ├── Device-VisualizeMostCommonISOFiles.kql
│   ├── Device-VisualizeOSBuildspermonth.kql
│   ├── Device-VisualizePort22Proccesses.kql
│   ├── Device-VisualizeRDPClients.kql
│   ├── Device-VisualizeRemotePowerShellURLs.kql
│   ├── Device-VisualizeVolumeofDataCopiedtoUSB.kql
│   ├── Device-Windows11DevicesandUsers.kql
│   ├── Device-WindowsVersionPivotTable.kql
│   ├── Device-msdtPotentialExploit.kql
│   ├── Firewall Queries
│   │   ├── Devices-NoHTTP.kql
│   │   ├── Devices-NoRDP.kql
│   │   ├── Devices-NoSMB.kql
│   │   ├── Devices-NoSSH.kql
│   │   └── Devices-SummarizeInboundTraffic.kql
│   ├── Vuln-CVE-2021-40444.kql
│   ├── Vuln-HighestExposedDevices.kql
│   ├── Vuln-InternetExposedDevices.kql
│   ├── Vuln-KnownExploitableVuln.kql
│   └── Vuln-PublicFacingDeviceswithKnownExploitedVuln.kql
├── Defender for Identity
│   ├── IdentityDirectoryEvents-AccountDelegationChanged.kql
│   ├── IdentityDirectoryEvents-EncryptionChange.kql
│   ├── IdentityDirectoryEvents-PasswordSettoNeverExpire.kql
│   ├── IdentityLogonEvents-SummarizeClearTextLDAP.kql
│   └── IdentityLogonEvents-SummarizeNTLM.kql
├── Diagrams
│   ├── ConditionalAccess-LogicApp.png
│   ├── SentinelTableMapping.png
│   ├── deploytoazure.png
│   ├── kql-pipe.png
│   ├── parse.png
│   ├── parse1.png
│   ├── parse2.png
│   ├── parse3.png
│   ├── parse4.png
│   ├── parse5.png
│   ├── querypack1.png
│   ├── querypack2.png
│   ├── querypack3.png
│   ├── querypack4.png
│   ├── querypack5.png
│   ├── render-areachart.png
│   ├── render-barchart.png
│   ├── render-columnchart.png
│   ├── render-piechart.png
│   ├── render-timebarchart.png
│   ├── render-timechart.png
│   ├── render-timecolumn-outlookonedrivesharepoint.png
│   ├── render-timecolumnchart.png
│   ├── render-timecolumnchartnames.png
│   ├── render-timecolumnchartstacked.png
│   ├── render-timecolumnchartunstacked.png
│   ├── split1.png
│   ├── split2.png
│   └── split3.png
├── Duo-LogParserwithIdentityInfo.kql
├── Functions
│   ├── Function-ADGroupChanges.kql
│   ├── Function-AzureKeyVaultAccess.kql
│   ├── Function-CiscoASAParser.kql
│   ├── Function-DeviceLookup.kql
│   ├── Function-FailedActiveDirectoryLogons.kql
│   ├── Function-GroupChanges.kql
│   ├── Function-GuestDomainInfo.kql
│   ├── Function-IdentityInfowithSigninRisk.kql
│   ├── Function-NewDetections.kql
│   ├── Function-PrivilegeChanges.kql
│   ├── Function-RetrieveAllDCs.kql
│   ├── Function-TeamsAccess.kql
│   ├── Function-UserInvestigation.kql
│   ├── Function-UserLogins.kql
│   ├── Function-UserLookup.kql
│   ├── README.md
│   └── ReadmeImages
│       ├── function1.png
│       ├── function2.png
│       ├── function3.png
│       ├── function4.png
│       └── function5.png
├── Heartbeat
│   ├── Heartbeat-NoHeartbeatinTimeframe.kql
│   └── Heartbeat-VisualizeDistinctComputersperMonth.kql
├── Information Protection
│   ├── IP-LabelDowngradeThenCopytoUSB.kql
│   └── IP-LabelDowngradeThenEmail.kql
├── Intune
│   ├── IntuneDevices-FindDetailsofNonCompliantDevices.kql
│   ├── IntuneDevices-RetrieveDeviceInfoAfterWipe.kql
│   ├── IntuneDevices-VisualizeDeviceComplianceovertime.kql
│   ├── IntuneDevices-VisualizeDeviceJoinTypebyWeek.kql
│   ├── IntuneDevices-VisualizeLastContact.kql
│   └── IntuneDevices-VisualizeMatchingDeviceIds.kql
├── LICENSE
├── Log Analytics
│   ├── LAQuery-FindQueryStats.kql
│   ├── LAQuery-NewUsersQueryingData.kql
│   ├── LAQuery-UsersvsAutomationQueryStats.kql
│   └── LAQuery-VisualizeQueriesRun.kql
├── Office 365
│   ├── Audit-DailySummaryofO365AdminActivity.kql
│   ├── EmailEvents-FindEmailswithPotentialPhishingURL.kql
│   ├── EmailEvents-FindUsersWhoReadMaliciousEmail.kql
│   ├── EmailEvents-MacroReceivedbyEmail.kql
│   ├── EmailEvents-MostBlockedDomains.kql
│   ├── EmailEvents-PotentialNewSpammer.kql
│   ├── EmailEvents-VisualizeBlockedEmailDeviation.kql
│   ├── EmailEvents-VisualizeBlockedEmailPercentage.kql
│   ├── EmailEvents-VisualizeDeliveryActions.kql
│   ├── EmailEvents-VisualizePostDeliveryActions.kql
│   ├── Office-DownloadsfromGuestafterAddedtoTeams.kql
│   ├── OfficeActivity-AnomalousDownloadsfromGuests.kql
│   ├── OfficeActivity-AnomalousGuestFileShares.kql
│   ├── OfficeActivity-CalculatePercentageofDownloadsUntrustedDevices.kql
│   ├── OfficeActivity-CalculatePercentageofDownloadsforTopGuests.kql
│   ├── OfficeActivity-CalculatePercentageofDownloadsperDomain.kql
│   ├── OfficeActivity-CalculateTimetoDetectMalware.kql
│   ├── OfficeActivity-DetectEmailsReadbyAdmins.kql
│   ├── OfficeActivity-DetectFullMailboxAccess.kql
│   ├── OfficeActivity-DetectNewExchangeAdminRole.kql
│   ├── OfficeActivity-DetectUsermadeOwneronmultipleTeams.kql
│   ├── OfficeActivity-ExchangeScopingPolicyApplied.kql
│   ├── OfficeActivity-FilesSharedtoGuestsfromOnedrive.kql
│   ├── OfficeActivity-FindNewOperations.kql
│   ├── OfficeActivity-FindUserswhoDownloadedMalware.kql
│   ├── OfficeActivity-GuestAddedtoMultipleTeams.kql
│   ├── OfficeActivity-GuestDomainsHighestDownloads.kql
│   ├── OfficeActivity-InboxRuleParse.kql
│   ├── OfficeActivity-MalwareDetected.kql
│   ├── OfficeActivity-MultipleFilesSharedtoGuests.kql
│   ├── OfficeActivity-NewTeamsAppInstalled.kql
│   ├── OfficeActivity-SharedTeamsChannelCreated.kql
│   ├── OfficeActivity-SummarizeDownloadActivitybyGuests.kql
│   ├── OfficeActivity-SummarizeGuestsAddedtoTeams.kql
│   ├── OfficeActivity-SummarizeTeamsAppInstalls.kql
│   ├── OfficeActivity-SummarizeTeamsCreatedDeleted.kql
│   ├── OfficeActivity-SummaryofExternalActivity.kql
│   ├── OfficeActivity-TeamsRoleChanges.kql
│   ├── OfficeActivity-Top20RandomStats.kql
│   ├── OfficeActivity-VisualisingAnomalousDownloads.kql
│   ├── OfficeActivity-VisualizeDownloadsbyTrustType.kql
│   ├── OfficeActivity-VisualizeDownloadsvsUploads.kql
│   ├── OfficeActivity-VisualizeFileShareTopGuestDomains.kql
│   ├── OfficeActivity-VisualizeFilesSharedtoGuests.kql
│   ├── OfficeActivity-VisualizeGuestDownloadsfromO365withTrend.kql
│   ├── OfficeActivity-VisualizeGuestsAddedRemovedfromTeams.kql
│   ├── OfficeActivity-VisualizeGuestsRedeemedvsAddedtoTeams.kql
│   └── OfficeActivity-VisualizeTopGuestDownloads.kql
├── Query Pack
│   ├── README.md
│   └── azuredeploy.json
├── README.md
├── Security Alert
│   ├── SecurityAlert-DataUsage.kql
│   ├── SecurityAlert-DefenderforIDRecon.kql
│   ├── SecurityAlert-DefenderforIdParser.kql
│   ├── SecurityAlert-DetectNewAlerts.kql
│   ├── SecurityAlert-DeviceAlertwithLateralMovement.kql
│   ├── SecurityAlert-EncodedPowershell.kql
│   ├── SecurityAlert-FindBlastRadiusInfrequentCountry.kql
│   ├── SecurityAlert-FindBlastRadiusofPasswordSpray.kql
│   ├── SecurityAlert-FindMostPhishedUsers.kql
│   ├── SecurityAlert-FindNetworkConnectionsSinkholedDomain.kql
│   ├── SecurityAlert-FindRecipientsofPotentialPhishing.kql
│   ├── SecurityAlert-FindSigninsforAnomalousToken.kql
│   ├── SecurityAlert-FindUsersWhoSigninfromMaliciousIPs.kql
│   ├── SecurityAlert-ForecastIdentityProtection.kql
│   ├── SecurityAlert-MalwareDetectedinISO.kql
│   ├── SecurityAlert-MultipleAlertsTriggered.kql
│   ├── SecurityAlert-MultipleLowSeverityAlertsTriggered.kql
│   ├── SecurityAlert-ParseMaliciousFileInfoandFindDeviceEvents.kql
│   ├── SecurityAlert-PercentageofAlertsHighorCritical.kql
│   ├── SecurityAlert-PossibleDNSDataTransfer.kql
│   ├── SecurityAlert-PotentialPhishingDomainCommunication.kql
│   ├── SecurityAlert-RetrieveEmailforSuspiciousEmailPatterns.kql
│   ├── SecurityAlert-SummarizeSigninsafterMailboxRule.kql
│   ├── SecurityAlert-SuspectedGoldenTicket.kql
│   ├── SecurityAlert-Top20RandomStats.kql
│   ├── SecurityAlert-VisualizeAlertsbyMITRE.kql
│   ├── SecurityAlert-VisualizeAlertsbyProduct.kql
│   ├── SecurityAlert-VisualizeMDEAlertSeverity.kql
│   ├── SecurityAlert-VisualizeTopPhishingDomains.kql
│   ├── SecurityAlert-VisualizeTotalAlertsvsUniqueAlerts.kql
│   └── SecurityAlert-WhichTablesAreInUse.kql
├── Sentinel vs Advanced Hunting
│   └── README.md
├── SysLog-DetectAnomaliesInEvents.kql
├── UEBA
│   ├── IdentityInfo-FindAccountsPasswordNotRequired.kql
│   ├── IdentityInfo-FindAccountswithsameEmployeeId.kql
│   ├── IdentityInfo-FindAtRiskandHighBlastRadiusUsers.kql
│   ├── IdentityInfo-FindGuestswithHighBlastRadius.kql
│   ├── IdentityInfo-FindPrivAccountsHighBlastRadius.kql
│   ├── IdentityInfo-FindUserswithmanyGroups.kql
│   └── IdentityInfo-VisualizeBlastRadius.kql
├── Windows Security Events
│   ├── SecEvents-FindDevicesNoLongerSendingLogs.kql
│   ├── SecEvents-FindLateralMovementUsers.kql
│   ├── SecEvents-PotentialRDPRecon.kql
│   └── SecEvents-SummarizeLogonEvents.kql
└── Workbooks
    ├── 365DaysofKQL-Day100.kql
    ├── README.md
    └── ReadmeImages
        ├── workbook1.png
        ├── workbook2.png
        ├── workbook3.png
        └── workbook4.png

/AWS-PublicIPAddedtoInstance.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/AWS-PublicIPAddedtoInstance.kql
--------------------------------------------------------------------------------

/Active Directory/AADPasswordProtection-AllEvents.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/AADPasswordProtection-AllEvents.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-AccountPreAuthChanges.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-AccountPreAuthChanges.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-AccountSensitivityChanged.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-AccountSensitivityChanged.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-AccountSetPasswordNotRequired.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-AccountSetPasswordNotRequired.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-AnomalousIPCRecon.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-AnomalousIPCRecon.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-DailySummaryofGroupAdditions.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-DailySummaryofGroupAdditions.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-DetectPrivilegedAADAdminPasswordChange.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-DetectPrivilegedAADAdminPasswordChange.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-GPOInheritanceChanged.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-GPOInheritanceChanged.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-LogonToDeviceListChanged.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-LogonToDeviceListChanged.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-SummarizePrivilegesAssignedonLogon.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-SummarizePrivilegesAssignedonLogon.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-SummarizeRDPActivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-SummarizeRDPActivity.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-UACFlagParser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-UACFlagParser.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-UnconstrainedDelegationEnabled.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-UnconstrainedDelegationEnabled.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-UnconstrainedDelegationtoUser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-UnconstrainedDelegationtoUser.kql
--------------------------------------------------------------------------------

/Active Directory/SecurityEvent-VisualizeAccountsCreatedDisabledDeleted.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Active Directory/SecurityEvent-VisualizeAccountsCreatedDisabledDeleted.kql
--------------------------------------------------------------------------------

/Anamoly-HigherThanExpectedSysLog.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Anamoly-HigherThanExpectedSysLog.kql
--------------------------------------------------------------------------------

/Azure AD Abuse Detection/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure AD Abuse Detection/README.md
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-AccessPackageCreated.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-AccessPackageCreated.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-AdminActionsfromRiskyUsers.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-AdminActionsfromRiskyUsers.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-AllowedBlockedDomainListChanges.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-AllowedBlockedDomainListChanges.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-AppProxySettoPassThrough.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-AppProxySettoPassThrough.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-BitLockerKeyRetrieved.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-BitLockerKeyRetrieved.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-CustomSecurityAttributeSet.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-CustomSecurityAttributeSet.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DailySummaryofAdminActivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DailySummaryofAdminActivity.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectAADInternalsUse.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectAADInternalsUse.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectActivePIMAssignment.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectActivePIMAssignment.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectAdvancedAuditingDisabled.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectAdvancedAuditingDisabled.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectConditionalAccessChangesAfterHours.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectConditionalAccessChangesAfterHours.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectCredentialAddedtoApp.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectCredentialAddedtoApp.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectFirstTimeCAPolicyChange.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectFirstTimeCAPolicyChange.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectFirstTimeServicePrincipalCreation.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectFirstTimeServicePrincipalCreation.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectNewCrossTenantSetting.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectNewCrossTenantSetting.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectNewPrivilegedGroupAdded.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectNewPrivilegedGroupAdded.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectPIMActivationsOutsideWorkingHours.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectPIMActivationsOutsideWorkingHours.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectSPAddedAfterHours.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectSPAddedAfterHours.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectSSPRAfterHours.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectSSPRAfterHours.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-DetectSSPRFromUnknownIP.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-DetectSSPRFromUnknownIP.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-EventsbyRiskyPrivilegedUser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-EventsbyRiskyPrivilegedUser.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-FindUsersFailingNewPasswordSSPR.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-FindUsersFailingNewPasswordSSPR.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-FindUsersFailingSSPR.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-FindUsersFailingSSPR.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-FirstTimePIMActivationOutsideWorkingHours.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-FirstTimePIMActivationOutsideWorkingHours.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-GroupAddedtoPIM.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-GroupAddedtoPIM.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-GroupMFARegistrationbyPhoneNumber.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-GroupMFARegistrationbyPhoneNumber.kql
--------------------------------------------------------------------------------

/Azure Active Directory/Audit-GuestAddedtoPIM.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-GuestAddedtoPIM.kql
-------------------------------------------------------------------------------- /Azure Active Directory/Audit-ListBulkActivities.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-ListBulkActivities.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-MFAChangesforPrivlegedUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-MFAChangesforPrivlegedUsers.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-MultipleUsersSameMFANumber.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-MultipleUsersSameMFANumber.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-NamedLocationsChanged.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-NamedLocationsChanged.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-NewDomainAdded.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-NewDomainAdded.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-NewOperations.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active 
Directory/Audit-NewOperations.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-NewPIMRoleActivated.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-NewPIMRoleActivated.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-NewPrivilegedActions.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-NewPrivilegedActions.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-NewTenantCreated.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-NewTenantCreated.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-PivotTableofPrivilegedUserActions.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-PivotTableofPrivilegedUserActions.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-RedirectURIChanged.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-RedirectURIChanged.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-SummarizePIMRolesActivated.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-SummarizePIMRolesActivated.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-SummarizeWeeklyPIM.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-SummarizeWeeklyPIM.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-UserAddedandRemovedfromRole.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-UserAddedandRemovedfromRole.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-UserAddedtoRoleOutsidePIM.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-UserAddedtoRoleOutsidePIM.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-UsersAddedtoDynamicGroups.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-UsersAddedtoDynamicGroups.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-UsersWhoHaventElevatedPIM.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-UsersWhoHaventElevatedPIM.kql -------------------------------------------------------------------------------- /Azure Active 
Directory/Audit-UserswithPrivRolesbutnoActivity.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-UserswithPrivRolesbutnoActivity.kql -------------------------------------------------------------------------------- /Azure Active Directory/Audit-VisualizeSSPRSuccessvsFailure.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Audit-VisualizeSSPRSuccessvsFailure.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AADRiskEventCorrelation.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AADRiskEventCorrelation.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AdminUpdatingSecurityInfo.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AdminUpdatingSecurityInfo.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AlertGuestDeniedAccesstoMultipleApps.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AlertGuestDeniedAccesstoMultipleApps.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AlertsFromPrivilegedUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure 
Active Directory/Identity-AlertsFromPrivilegedUsers.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AnomalousConditionalAccessFailures.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AnomalousConditionalAccessFailures.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AppAccessMembersvsGuests.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AppAccessMembersvsGuests.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-ApplicationAccessReview.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ApplicationAccessReview.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AppsWithMoreGuests.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AppsWithMoreGuests.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AppswithmostSFAPrivUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AppswithmostSFAPrivUsers.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AuthStrengthMFASFAPercentage.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AuthStrengthMFASFAPercentage.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-AuthenticationStrengthsParser: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-AuthenticationStrengthsParser -------------------------------------------------------------------------------- /Azure Active Directory/Identity-CAPoliciesNotinUse.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-CAPoliciesNotinUse.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-CAPolicyStats.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-CAPolicyStats.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-CalculateRiskyApps.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-CalculateRiskyApps.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-CalculateRiskyUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-CalculateRiskyUsers.kql -------------------------------------------------------------------------------- 
/Azure Active Directory/Identity-ConditionalAccessMostFailures.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ConditionalAccessMostFailures.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-ConditionalAccessPivotTable.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ConditionalAccessPivotTable.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-ConditionalAccessPoliciesNotinUse.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ConditionalAccessPoliciesNotinUse.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-DailySummaryofUsersAddedtoAADGroups.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-DailySummaryofUsersAddedtoAADGroups.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-DetectMultipleDistinctRiskEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-DetectMultipleDistinctRiskEvents.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-DetectingFirstTimeAccesstoAzureManagement.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-DetectingFirstTimeAccesstoAzureManagement.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-DeviceCodePhishing.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-DeviceCodePhishing.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindAppswithNoSignins.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindAppswithNoSignins.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindCAFailurePercentage.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindCAFailurePercentage.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindGuestsAccessingMostApps.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindGuestsAccessingMostApps.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindInactiveManagedIdentities.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindInactiveManagedIdentities.kql -------------------------------------------------------------------------------- /Azure Active 
Directory/Identity-FindInactiveServicePrincipals.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindInactiveServicePrincipals.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindMultipleCASuccesses.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindMultipleCASuccesses.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindNewEnterpriseApps.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindNewEnterpriseApps.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindUsersMultipleCountriesSameDay.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindUsersMultipleCountriesSameDay.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FindUsersOnlyusingTextforMFA.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FindUsersOnlyusingTextforMFA.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FirstPartyApps.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active 
Directory/Identity-FirstPartyApps.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FirstTimeLegacyAuth.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FirstTimeLegacyAuth.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FirstTimeRoleAddition.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FirstTimeRoleAddition.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-FirstTimeSPBlockedbyCA.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-FirstTimeSPBlockedbyCA.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-GuestAddedtoAADRole.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-GuestAddedtoAADRole.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-GuestInvitesSentvsRedeemed.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-GuestInvitesSentvsRedeemed.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-GuestTypeParser.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-GuestTypeParser.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-GuestsAccessingNewApplications.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-GuestsAccessingNewApplications.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-GuestsInvitedbutnotRedeemed.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-GuestsInvitedbutnotRedeemed.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-HighMediumRealtimeRiskforAADRoles.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-HighMediumRealtimeRiskforAADRoles.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-InactiveGuestAccounts.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-InactiveGuestAccounts.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-InactivePrivilegedUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-InactivePrivilegedUsers.kql -------------------------------------------------------------------------------- /Azure 
Active Directory/Identity-LegacyAuthPivotTable.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-LegacyAuthPivotTable.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MFAChangesfromunknownIP.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MFAChangesfromunknownIP.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MFACountPerUser.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MFACountPerUser.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MFAMethodsPivotTable.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MFAMethodsPivotTable.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MFANewLocationandMethod.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MFANewLocationandMethod.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MFAPercentageperapp.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MFAPercentageperapp.kql 
-------------------------------------------------------------------------------- /Azure Active Directory/Identity-MFARegistrationfollowedbySSPR.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MFARegistrationfollowedbySSPR.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-ManagedIdentityAccessingNewResources.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ManagedIdentityAccessingNewResources.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-ManagedIdentitySummaryofResources.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ManagedIdentitySummaryofResources.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MuiltipleConditionalAccessFailures.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MuiltipleConditionalAccessFailures.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MultipleCAFailures.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MultipleCAFailures.kql -------------------------------------------------------------------------------- /Azure Active Directory/Identity-MultipleMFAFailuresPrivUsers.kql: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-MultipleMFAFailuresPrivUsers.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ParseIPInfofromSecurityAlert.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ParseIPInfofromSecurityAlert.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ParseUserAgent.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ParseUserAgent.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-PotentialAiTM.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-PotentialAiTM.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-PotentialAppRecon.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-PotentialAppRecon.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-PotentialMFANumberMatchingAbuse.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-PotentialMFANumberMatchingAbuse.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-PotentialMFASpam.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-PotentialMFASpam.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-RiskEventfollowedbyMFAchanges.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-RiskEventfollowedbyMFAchanges.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-RiskyMFARequirementfollowedbyMFAregistration.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-RiskyMFARequirementfollowedbyMFAregistration.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-RiskySigninFollowedbyAdminMFAChange.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-RiskySigninFollowedbyAdminMFAChange.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-RoleAddedtoServicePrincipal.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-RoleAddedtoServicePrincipal.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SSPRfollowedbyRiskySignin.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SSPRfollowedbyRiskySignin.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SecurityAlertWithNewAgent.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SecurityAlertWithNewAgent.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalCreatedbyManagedIdentity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalCreatedbyManagedIdentity.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalExpiredSecret.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalExpiredSecret.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalSigninErrors.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalSigninErrors.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalSigninfromnewIP.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalSigninfromnewIP.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalSigninsbyIP.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalSigninsbyIP.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalSummaryofResources.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalSummaryofResources.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalsMultipleLocations.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalsMultipleLocations.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalsOnlyExpiredSecret.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalsOnlyExpiredSecret.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ServicePrincipalswithSingleIP.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ServicePrincipalswithSingleIP.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SingleFactorConnectionstoAzure.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SingleFactorConnectionstoAzure.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SingleFactorSigninsFromPrivUsers.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SingleFactorSigninsFromPrivUsers.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeAccountInactivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeAccountInactivity.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeAppUsageMonthonMonth.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeAppUsageMonthonMonth.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeConditionalAccessPoliciesfailures.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeConditionalAccessPoliciesfailures.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeGuestConditionalAccess.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeGuestConditionalAccess.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeGuestDomainbyType.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeGuestDomainbyType.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeGuestInactivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeGuestInactivity.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeGuestTenantActivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeGuestTenantActivity.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeInternetExplorerSignins.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeInternetExplorerSignins.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeLegacyAuth.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeLegacyAuth.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeLocationSignins.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeLocationSignins.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeLoginInfofromMaliciousIP.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeLoginInfofromMaliciousIP.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeMFAFailures.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeMFAFailures.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeMFATop20Apps.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeMFATop20Apps.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeOutboundGuestActivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeOutboundGuestActivity.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeSigninInfoafterMFAconfig.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeSigninInfoafterMFAconfig.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeSuspiciousIPAddresses.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeSuspiciousIPAddresses.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-SummarizeUnknownLocationnoMFA.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-SummarizeUnknownLocationnoMFA.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-ThirdPartyMFAFailures.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-ThirdPartyMFAFailures.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-Top20AppswithnoCA.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-Top20AppswithnoCA.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-Top20RandomStats.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-Top20RandomStats.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-Top20RiskyLocations.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-Top20RiskyLocations.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-UserReportedSuspiciousMFA.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-UserReportedSuspiciousMFA.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-UserTryingtoAccessMultipleApps.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-UserTryingtoAccessMultipleApps.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualStdDevofMFAFailures.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualStdDevofMFAFailures.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeConditionalAccessFailures.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeConditionalAccessFailures.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeControlsvsNoControls.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeControlsvsNoControls.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeDistinctInboundGuests.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeDistinctInboundGuests.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeExternalAADGuestsvsExternalGuests.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeExternalAADGuestsvsExternalGuests.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeGuestAppAccess.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeGuestAppAccess.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeGuestDomains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeGuestDomains.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeGuestRedemptionswithTrend.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeGuestRedemptionswithTrend.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeInboundvsOutboundGuests.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeInboundvsOutboundGuests.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeKnownvsUnknownLocation.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeKnownvsUnknownLocation.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeLegacyAuth.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeLegacyAuth.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeLegacyAuthMethods.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeLegacyAuthMethods.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeMFAChallengevsPreviouslySatisfied.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeMFAChallengevsPreviouslySatisfied.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeMFAMethods.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeMFAMethods.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeMFAMethodsovertime.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeMFAMethodsovertime.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizePasswordvsPasswordless.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizePasswordvsPasswordless.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeRiskEventsoverTime.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeRiskEventsoverTime.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeSSPR.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeSSPR.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeSigninsbyDeviceTrust.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeSigninsbyDeviceTrust.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeTotalvsDistinctsignins.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeTotalvsDistinctsignins.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-VisualizeWorldMap.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-VisualizeWorldMap.kql
--------------------------------------------------------------------------------
/Azure Active Directory/Identity-YourUsersSigningIntoOtherTenantsAsGuests.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/Identity-YourUsersSigningIntoOtherTenantsAsGuests.kql
--------------------------------------------------------------------------------
/Azure Active Directory/MSGraph-GuestLogonQuery:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/MSGraph-GuestLogonQuery
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-ApplicationPermissionsGrant.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-ApplicationPermissionsGrant.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-ApporDelegatedAccessGranted.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-ApporDelegatedAccessGranted.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-DelegatedPermissionsGrant.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-DelegatedPermissionsGrant.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-DetectingFirstTimeCredentialAddition.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-DetectingFirstTimeCredentialAddition.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-FirstTimeAppConsent.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-FirstTimeAppConsent.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-InactiveServicePrincipalswithPrivilege.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-InactiveServicePrincipalswithPrivilege.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-PermissionsAddedRemoved.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-PermissionsAddedRemoved.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-SummarizeCurrentAppPermissions.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-SummarizeCurrentAppPermissions.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-SummarizePermissionGrantedtoApps.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-SummarizePermissionGrantedtoApps.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-SummarizeServicePrincipalInactivity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-SummarizeServicePrincipalInactivity.kql
--------------------------------------------------------------------------------
/Azure Active Directory/OAuth-TrackEventsonServicePrincipals.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/OAuth-TrackEventsonServicePrincipals.kql
--------------------------------------------------------------------------------
/Azure Active Directory/PIM-UserAssignedRolebutHasntActivated.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/PIM-UserAssignedRolebutHasntActivated.kql
--------------------------------------------------------------------------------
/Azure Active Directory/SSPR-PasswordResetInitiatedviaMSGraph.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Active Directory/SSPR-PasswordResetInitiatedviaMSGraph.kql
--------------------------------------------------------------------------------
/Azure Activity/Azure-ResourceLockAddedorRemoved.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Activity/Azure-ResourceLockAddedorRemoved.kql
--------------------------------------------------------------------------------
/Azure Activity/Azure-ServicePrincipalAddedtoAzure.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Activity/Azure-ServicePrincipalAddedtoAzure.kql
--------------------------------------------------------------------------------
/Azure Activity/AzureLogAnalytics-DetectwhenWorkspaceKeysareRead.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Activity/AzureLogAnalytics-DetectwhenWorkspaceKeysareRead.kql
--------------------------------------------------------------------------------
/Azure Activity/AzureStorage-FirstTimeStorageKeyEnumeration.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Activity/AzureStorage-FirstTimeStorageKeyEnumeration.kql
--------------------------------------------------------------------------------
/Azure Activity/AzureVM-DiskImageURLGenerated.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Activity/AzureVM-DiskImageURLGenerated.kql
--------------------------------------------------------------------------------
/Azure Activity/Sentinel-DetectAccessAddedtoWorkspace.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Activity/Sentinel-DetectAccessAddedtoWorkspace.kql
--------------------------------------------------------------------------------
/Azure Bastion/Bastion-AuditUsage.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Bastion/Bastion-AuditUsage.kql
--------------------------------------------------------------------------------
/Azure Bastion/Bastion-SummarizeAccountAccess.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Bastion/Bastion-SummarizeAccountAccess.kql
--------------------------------------------------------------------------------
/Azure Diagnostics/AppGateway-MostAttackedHostName.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Diagnostics/AppGateway-MostAttackedHostName.kql
--------------------------------------------------------------------------------
/Azure Diagnostics/AppGateway-VisualizeWAFTraffic.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Diagnostics/AppGateway-VisualizeWAFTraffic.kql
--------------------------------------------------------------------------------
/Azure Diagnostics/CVE-2021-44228-2.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Diagnostics/CVE-2021-44228-2.kql
--------------------------------------------------------------------------------
/Azure Diagnostics/CVE-2021-44228.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Diagnostics/CVE-2021-44228.kql
--------------------------------------------------------------------------------
/Azure Diagnostics/aad_pim_integration:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Diagnostics/aad_pim_integration
--------------------------------------------------------------------------------
/Azure Diagnostics/code_sample.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Diagnostics/code_sample.md
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-AccessManipulation.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-AccessManipulation.yaml
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-AnomalousKeyVaultAccessbyApp.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-AnomalousKeyVaultAccessbyApp.kql
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-AnomalousKeyVaultAccessbyUser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-AnomalousKeyVaultAccessbyUser.kql
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-DefaultFirewallRuleSettoAllow.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-DefaultFirewallRuleSettoAllow.kql
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-IPAddedtoFirewall.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-IPAddedtoFirewall.kql
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-ObjectIDAddedtoAccessPolicy.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-ObjectIDAddedtoAccessPolicy.kql
--------------------------------------------------------------------------------
/Azure Key Vault/KeyVault-PotentiallySensitiveOperations.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Key Vault/KeyVault-PotentiallySensitiveOperations.kql
--------------------------------------------------------------------------------
/Azure Resource Graph/ARG-LogStatusOfWindowsDevices.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Resource Graph/ARG-LogStatusOfWindowsDevices.kql
--------------------------------------------------------------------------------
/Azure Sentinel Incidents/SecurityIncident-DaysSinceLastIncident.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Sentinel Incidents/SecurityIncident-DaysSinceLastIncident.kql
--------------------------------------------------------------------------------
/Azure Sentinel Incidents/SecurityIncident-PlaybookActivities.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Sentinel Incidents/SecurityIncident-PlaybookActivities.kql
--------------------------------------------------------------------------------
/Azure Sentinel Incidents/SecurityIncident-VisualizeIncidentSeverity.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Sentinel Incidents/SecurityIncident-VisualizeIncidentSeverity.kql
--------------------------------------------------------------------------------
/Azure Sentinel Incidents/SecurityIncident-VisualizeIncidentswithTrend.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Sentinel Incidents/SecurityIncident-VisualizeIncidentswithTrend.kql
--------------------------------------------------------------------------------
/Azure Sentinel Incidents/SecurityIncident-VisualizeMitreAtt&ck.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Azure Sentinel Incidents/SecurityIncident-VisualizeMitreAtt&ck.kql
--------------------------------------------------------------------------------
/CISA Insights/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/CISA Insights/README.md
--------------------------------------------------------------------------------
/CISA Insights/dashboard-CISA KEV Insights.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/CISA Insights/dashboard-CISA KEV Insights.json
--------------------------------------------------------------------------------
/DNS/DNS-FindDevicesThatHaveQueriedSuspiciousDomains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/DNS/DNS-FindDevicesThatHaveQueriedSuspiciousDomains.kql
--------------------------------------------------------------------------------
/DNS/DnsEvents-FindStaleDomains.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/DNS/DnsEvents-FindStaleDomains.kql
--------------------------------------------------------------------------------
/Data Management/365-Visualize365DaysofKql.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Data Management/365-Visualize365DaysofKql.kql
--------------------------------------------------------------------------------
/Data Management/Data-CalculatePercentageperTable.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Data Management/Data-CalculatePercentageperTable.kql
--------------------------------------------------------------------------------
/Data Management/Data-CalculateTableSizeChanges.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Data Management/Data-CalculateTableSizeChanges.kql
--------------------------------------------------------------------------------
/Data Management/Data-DetectAnomalousDataIngestion.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Data Management/Data-DetectAnomalousDataIngestion.kql
-------------------------------------------------------------------------------- /Data Management/Data-NewTablesFound.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Data Management/Data-NewTablesFound.kql -------------------------------------------------------------------------------- /Data Management/Data-TableSizePerMDEDevice.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Data Management/Data-TableSizePerMDEDevice.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-DetectAADInternalsUse.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-DetectAADInternalsUse.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-DetectAdminGrantingOwnAccesstoMailbox.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-DetectAdminGrantingOwnAccesstoMailbox.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-DetectMailboxForward.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-DetectMailboxForward.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-ExchangeOnlineEventsduringRiskySignin.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud 
Apps/DCA-ExchangeOnlineEventsduringRiskySignin.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-ExtractPhoneNumber.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-ExtractPhoneNumber.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-FindAzureADAdminActions.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-FindAzureADAdminActions.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-FindNewEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-FindNewEvents.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-FindUserSubmittedPhishingSpam.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-FindUserSubmittedPhishingSpam.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-FormPhishingStatusChanged.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-FormPhishingStatusChanged.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-PaidTrialStarted.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-PaidTrialStarted.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-PivotTableAdminActions.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-PivotTableAdminActions.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-PivotTableAdminOperations.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-PivotTableAdminOperations.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-PotentialConsentPhishing.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-PotentialConsentPhishing.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-RiskEventFollowedbyEmailForward.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-RiskEventFollowedbyEmailForward.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-RiskEventFollowedbyMailboxRuleChanges.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-RiskEventFollowedbyMailboxRuleChanges.kql -------------------------------------------------------------------------------- /Defender for Cloud 
Apps/DCA-SuspiciousMailboxRuleCreated.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-SuspiciousMailboxRuleCreated.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-TeamsAppInstalled.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-TeamsAppInstalled.kql -------------------------------------------------------------------------------- /Defender for Cloud Apps/DCA-VisualizeEmojiReactions.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Cloud Apps/DCA-VisualizeEmojiReactions.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Anamoly-USBFileCopiesfromUserswithAnamolousDownloads.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Anamoly-USBFileCopiesfromUserswithAnamolousDownloads.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-ASRAudit.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-ASRAudit.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-ASRLsassAudit.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-ASRLsassAudit.kql 
-------------------------------------------------------------------------------- /Defender for Endpoint/Device-ASROfficeChildProcessAudit.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-ASROfficeChildProcessAudit.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-ASRSummary.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-ASRSummary.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-AccountswithMostLocalAdmin.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-AccountswithMostLocalAdmin.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-CreateSetofLocalAdminsperDevice.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-CreateSetofLocalAdminsperDevice.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectAnomalousRDPConnections.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectAnomalousRDPConnections.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectCertUtilConnectingExternally.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectCertUtilConnectingExternally.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectCredentialBackup.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectCredentialBackup.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectEncodedPowershellandDecode.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectEncodedPowershellandDecode.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectFirstTimeTeamviewerUsage.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectFirstTimeTeamviewerUsage.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectInboundPublicRDP.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectInboundPublicRDP.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectInternaltoExternalTeamviewer.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectInternaltoExternalTeamviewer.kql -------------------------------------------------------------------------------- /Defender for 
Endpoint/Device-DetectInvalidCertificates.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectInvalidCertificates.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectLocalAdminsWhoHaventElevated.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectLocalAdminsWhoHaventElevated.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectLocalUserCreated.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectLocalUserCreated.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectLocaltoPublicRDP.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectLocaltoPublicRDP.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectLogonsPriortoMDEAlert.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectLogonsPriortoMDEAlert.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectMacroConnectingtoInternet.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for 
Endpoint/Device-DetectMacroConnectingtoInternet.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectMacroUsage.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectMacroUsage.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectMultipleFailedRemoteLogons.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectMultipleFailedRemoteLogons.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectPotentialNetworkRecon.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectPotentialNetworkRecon.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectPuttyConnectingPublic.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectPuttyConnectingPublic.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectRDPRecon.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectRDPRecon.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectRegistryTampering.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectRegistryTampering.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectSecurityLogCleared.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectSecurityLogCleared.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-DetectURLopenedfromISOfile.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-DetectURLopenedfromISOfile.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FileDownloadedfromO365thenCopiedtoUSB.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FileDownloadedfromO365thenCopiedtoUSB.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FilesCopiedtoUSBCertainGroups.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FilesCopiedtoUSBCertainGroups.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindDeviceWithoutCurrentAVScan.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindDeviceWithoutCurrentAVScan.kql -------------------------------------------------------------------------------- /Defender for 
Endpoint/Device-FindDevicesMostASR.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindDevicesMostASR.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindDevicesNoLongerSendingEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindDevicesNoLongerSendingEvents.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindDevicesToOnboard.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindDevicesToOnboard.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindDeviceswithmostSmartScreenEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindDeviceswithmostSmartScreenEvents.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindDeviceswithnoASR.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindDeviceswithnoASR.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindNetworkRecon.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindNetworkRecon.kql 
-------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindNewDevices.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindNewDevices.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindNewEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindNewEvents.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FindUsersWhoClickedonPhishing.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FindUsersWhoClickedonPhishing.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-FirstTimeWhoAmI.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-FirstTimeWhoAmI.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-InterestingPortsOpened.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-InterestingPortsOpened.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-KnownRansomwareVuln.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for 
Endpoint/Device-KnownRansomwareVuln.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-LocalUserswithAdmin.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-LocalUserswithAdmin.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-NewASREvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-NewASREvents.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-NewHashAccessingLSASS.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-NewHashAccessingLSASS.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-ParseURL.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-ParseURL.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-PotentialDNSTunnelling.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-PotentialDNSTunnelling.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-PowerShellExecutionModeChanged.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender 
for Endpoint/Device-PowerShellExecutionModeChanged.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-PowershellConnectingtoInternet.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-PowershellConnectingtoInternet.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-ProcessModifiedPrimaryToken.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-ProcessModifiedPrimaryToken.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-PublicPort22Allowed.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-PublicPort22Allowed.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-SSHTrafficOnNonStandardPort.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SSHTrafficOnNonStandardPort.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-SummarizeLDAPandLDAPStraffic.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeLDAPandLDAPStraffic.kql -------------------------------------------------------------------------------- /Defender for Endpoint/Device-SummarizeLocalGroupAdditions.kql: 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeLocalGroupAdditions.kql
/Defender for Endpoint/Device-SummarizeLocalLogonActivity.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeLocalLogonActivity.kql
/Defender for Endpoint/Device-SummarizeMacroUsage.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeMacroUsage.kql
/Defender for Endpoint/Device-SummarizeRDPConnections.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeRDPConnections.kql
/Defender for Endpoint/Device-SummarizeSSHPortOpenedInbound.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeSSHPortOpenedInbound.kql
/Defender for Endpoint/Device-SummarizeSmartScreenPhishingDomains.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeSmartScreenPhishingDomains.kql
/Defender for Endpoint/Device-SummarizeSmartScreenUntrustedFiles.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummarizeSmartScreenUntrustedFiles.kql
/Defender for Endpoint/Device-SummaryofDeviceLogons.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-SummaryofDeviceLogons.kql
/Defender for Endpoint/Device-Top20DepartmentsCopyingDatatoUSBbyCount.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-Top20DepartmentsCopyingDatatoUSBbyCount.kql
/Defender for Endpoint/Device-Top20DepartmentsCopyingDatatoUSBbySize.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-Top20DepartmentsCopyingDatatoUSBbySize.kql
/Defender for Endpoint/Device-Top20RandomActions.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-Top20RandomActions.kql
/Defender for Endpoint/Device-UserAddedasLocalAdmin.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-UserAddedasLocalAdmin.kql
/Defender for Endpoint/Device-VisualizeASREventswithtrend.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeASREventswithtrend.kql
/Defender for Endpoint/Device-VisualizeMaliciousSmartScreenURLs.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeMaliciousSmartScreenURLs.kql
/Defender for Endpoint/Device-VisualizeMostCommonISOFiles.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeMostCommonISOFiles.kql
/Defender for Endpoint/Device-VisualizeOSBuildspermonth.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeOSBuildspermonth.kql
/Defender for Endpoint/Device-VisualizePort22Proccesses.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizePort22Proccesses.kql
/Defender for Endpoint/Device-VisualizeRDPClients.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeRDPClients.kql
/Defender for Endpoint/Device-VisualizeRemotePowerShellURLs.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeRemotePowerShellURLs.kql
/Defender for Endpoint/Device-VisualizeVolumeofDataCopiedtoUSB.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-VisualizeVolumeofDataCopiedtoUSB.kql
/Defender for Endpoint/Device-Windows11DevicesandUsers.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-Windows11DevicesandUsers.kql
/Defender for Endpoint/Device-WindowsVersionPivotTable.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-WindowsVersionPivotTable.kql
/Defender for Endpoint/Device-msdtPotentialExploit.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Device-msdtPotentialExploit.kql
/Defender for Endpoint/Firewall Queries/Devices-NoHTTP.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Firewall Queries/Devices-NoHTTP.kql
/Defender for Endpoint/Firewall Queries/Devices-NoRDP.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Firewall Queries/Devices-NoRDP.kql
/Defender for Endpoint/Firewall Queries/Devices-NoSMB.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Firewall Queries/Devices-NoSMB.kql
/Defender for Endpoint/Firewall Queries/Devices-NoSSH.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Firewall Queries/Devices-NoSSH.kql
/Defender for Endpoint/Firewall Queries/Devices-SummarizeInboundTraffic.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Firewall Queries/Devices-SummarizeInboundTraffic.kql
/Defender for Endpoint/Vuln-CVE-2021-40444.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Vuln-CVE-2021-40444.kql
/Defender for Endpoint/Vuln-HighestExposedDevices.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Vuln-HighestExposedDevices.kql
/Defender for Endpoint/Vuln-InternetExposedDevices.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Vuln-InternetExposedDevices.kql
/Defender for Endpoint/Vuln-KnownExploitableVuln.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Vuln-KnownExploitableVuln.kql
/Defender for Endpoint/Vuln-PublicFacingDeviceswithKnownExploitedVuln.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Endpoint/Vuln-PublicFacingDeviceswithKnownExploitedVuln.kql
/Defender for Identity/IdentityDirectoryEvents-AccountDelegationChanged.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Identity/IdentityDirectoryEvents-AccountDelegationChanged.kql
/Defender for Identity/IdentityDirectoryEvents-EncryptionChange.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Identity/IdentityDirectoryEvents-EncryptionChange.kql
/Defender for Identity/IdentityDirectoryEvents-PasswordSettoNeverExpire.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Identity/IdentityDirectoryEvents-PasswordSettoNeverExpire.kql
/Defender for Identity/IdentityLogonEvents-SummarizeClearTextLDAP.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Identity/IdentityLogonEvents-SummarizeClearTextLDAP.kql
/Defender for Identity/IdentityLogonEvents-SummarizeNTLM.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Defender for Identity/IdentityLogonEvents-SummarizeNTLM.kql
/Diagrams/ConditionalAccess-LogicApp.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/ConditionalAccess-LogicApp.png
/Diagrams/SentinelTableMapping.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/SentinelTableMapping.png
/Diagrams/deploytoazure.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/deploytoazure.png
/Diagrams/kql-pipe.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/kql-pipe.png
/Diagrams/parse.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/parse.png
/Diagrams/parse1.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/parse1.png
/Diagrams/parse2.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/parse2.png
/Diagrams/parse3.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/parse3.png
/Diagrams/parse4.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/parse4.png
/Diagrams/parse5.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/parse5.png
/Diagrams/querypack1.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/querypack1.png
/Diagrams/querypack2.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/querypack2.png
/Diagrams/querypack3.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/querypack3.png
/Diagrams/querypack4.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/querypack4.png
/Diagrams/querypack5.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/querypack5.png
/Diagrams/render-areachart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-areachart.png
/Diagrams/render-barchart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-barchart.png
/Diagrams/render-columnchart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-columnchart.png
/Diagrams/render-piechart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-piechart.png
/Diagrams/render-timebarchart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timebarchart.png
/Diagrams/render-timechart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timechart.png
/Diagrams/render-timecolumn-outlookonedrivesharepoint.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timecolumn-outlookonedrivesharepoint.png
/Diagrams/render-timecolumnchart.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timecolumnchart.png
/Diagrams/render-timecolumnchartnames.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timecolumnchartnames.png
/Diagrams/render-timecolumnchartstacked.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timecolumnchartstacked.png
/Diagrams/render-timecolumnchartunstacked.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/render-timecolumnchartunstacked.png
/Diagrams/split1.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/split1.png
/Diagrams/split2.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/split2.png
/Diagrams/split3.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Diagrams/split3.png
/Duo-LogParserwithIdentityInfo.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Duo-LogParserwithIdentityInfo.kql
/Functions/Function-ADGroupChanges.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-ADGroupChanges.kql
/Functions/Function-AzureKeyVaultAccess.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-AzureKeyVaultAccess.kql
/Functions/Function-CiscoASAParser.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-CiscoASAParser.kql
/Functions/Function-DeviceLookup.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-DeviceLookup.kql
/Functions/Function-FailedActiveDirectoryLogons.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-FailedActiveDirectoryLogons.kql
/Functions/Function-GroupChanges.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-GroupChanges.kql
/Functions/Function-GuestDomainInfo.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-GuestDomainInfo.kql
/Functions/Function-IdentityInfowithSigninRisk.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-IdentityInfowithSigninRisk.kql
/Functions/Function-NewDetections.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-NewDetections.kql
/Functions/Function-PrivilegeChanges.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-PrivilegeChanges.kql
/Functions/Function-RetrieveAllDCs.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-RetrieveAllDCs.kql
/Functions/Function-TeamsAccess.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-TeamsAccess.kql
/Functions/Function-UserInvestigation.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-UserInvestigation.kql
/Functions/Function-UserLogins.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-UserLogins.kql
/Functions/Function-UserLookup.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/Function-UserLookup.kql
/Functions/README.md: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/README.md
/Functions/ReadmeImages/function1.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/ReadmeImages/function1.png
/Functions/ReadmeImages/function2.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/ReadmeImages/function2.png
/Functions/ReadmeImages/function3.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/ReadmeImages/function3.png
/Functions/ReadmeImages/function4.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/ReadmeImages/function4.png
/Functions/ReadmeImages/function5.png: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Functions/ReadmeImages/function5.png
/Heartbeat/Heartbeat-NoHeartbeatinTimeframe.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Heartbeat/Heartbeat-NoHeartbeatinTimeframe.kql
/Heartbeat/Heartbeat-VisualizeDistinctComputersperMonth.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Heartbeat/Heartbeat-VisualizeDistinctComputersperMonth.kql
/Information Protection/IP-LabelDowngradeThenCopytoUSB.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Information Protection/IP-LabelDowngradeThenCopytoUSB.kql
/Information Protection/IP-LabelDowngradeThenEmail.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Information Protection/IP-LabelDowngradeThenEmail.kql
/Intune/IntuneDevices-FindDetailsofNonCompliantDevices.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Intune/IntuneDevices-FindDetailsofNonCompliantDevices.kql
/Intune/IntuneDevices-RetrieveDeviceInfoAfterWipe.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Intune/IntuneDevices-RetrieveDeviceInfoAfterWipe.kql
/Intune/IntuneDevices-VisualizeDeviceComplianceovertime.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Intune/IntuneDevices-VisualizeDeviceComplianceovertime.kql
/Intune/IntuneDevices-VisualizeDeviceJoinTypebyWeek.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Intune/IntuneDevices-VisualizeDeviceJoinTypebyWeek.kql
/Intune/IntuneDevices-VisualizeLastContact.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Intune/IntuneDevices-VisualizeLastContact.kql
/Intune/IntuneDevices-VisualizeMatchingDeviceIds.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Intune/IntuneDevices-VisualizeMatchingDeviceIds.kql
/LICENSE: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/LICENSE
/Log Analytics/LAQuery-FindQueryStats.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Log Analytics/LAQuery-FindQueryStats.kql
/Log Analytics/LAQuery-NewUsersQueryingData.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Log Analytics/LAQuery-NewUsersQueryingData.kql
/Log Analytics/LAQuery-UsersvsAutomationQueryStats.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Log Analytics/LAQuery-UsersvsAutomationQueryStats.kql
/Log Analytics/LAQuery-VisualizeQueriesRun.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Log Analytics/LAQuery-VisualizeQueriesRun.kql
/Office 365/Audit-DailySummaryofO365AdminActivity.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/Audit-DailySummaryofO365AdminActivity.kql
/Office 365/EmailEvents-FindEmailswithPotentialPhishingURL.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-FindEmailswithPotentialPhishingURL.kql
/Office 365/EmailEvents-FindUsersWhoReadMaliciousEmail.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-FindUsersWhoReadMaliciousEmail.kql
/Office 365/EmailEvents-MacroReceivedbyEmail.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-MacroReceivedbyEmail.kql
/Office 365/EmailEvents-MostBlockedDomains.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-MostBlockedDomains.kql
/Office 365/EmailEvents-PotentialNewSpammer.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-PotentialNewSpammer.kql
/Office 365/EmailEvents-VisualizeBlockedEmailDeviation.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-VisualizeBlockedEmailDeviation.kql
/Office 365/EmailEvents-VisualizeBlockedEmailPercentage.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-VisualizeBlockedEmailPercentage.kql
/Office 365/EmailEvents-VisualizeDeliveryActions.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-VisualizeDeliveryActions.kql
/Office 365/EmailEvents-VisualizePostDeliveryActions.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/EmailEvents-VisualizePostDeliveryActions.kql
/Office 365/Office-DownloadsfromGuestafterAddedtoTeams.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/Office-DownloadsfromGuestafterAddedtoTeams.kql
/Office 365/OfficeActivity-AnomalousDownloadsfromGuests.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-AnomalousDownloadsfromGuests.kql
/Office 365/OfficeActivity-AnomalousGuestFileShares.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-AnomalousGuestFileShares.kql
/Office 365/OfficeActivity-CalculatePercentageofDownloadsUntrustedDevices.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-CalculatePercentageofDownloadsUntrustedDevices.kql
/Office 365/OfficeActivity-CalculatePercentageofDownloadsforTopGuests.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-CalculatePercentageofDownloadsforTopGuests.kql
/Office 365/OfficeActivity-CalculatePercentageofDownloadsperDomain.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-CalculatePercentageofDownloadsperDomain.kql
/Office 365/OfficeActivity-CalculateTimetoDetectMalware.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-CalculateTimetoDetectMalware.kql
/Office 365/OfficeActivity-DetectEmailsReadbyAdmins.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-DetectEmailsReadbyAdmins.kql
/Office 365/OfficeActivity-DetectFullMailboxAccess.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-DetectFullMailboxAccess.kql
/Office 365/OfficeActivity-DetectNewExchangeAdminRole.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-DetectNewExchangeAdminRole.kql
/Office 365/OfficeActivity-DetectUsermadeOwneronmultipleTeams.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-DetectUsermadeOwneronmultipleTeams.kql
/Office 365/OfficeActivity-ExchangeScopingPolicyApplied.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-ExchangeScopingPolicyApplied.kql
/Office 365/OfficeActivity-FilesSharedtoGuestsfromOnedrive.kql: https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-FilesSharedtoGuestsfromOnedrive.kql
-------------------------------------------------------------------------------- /Office 365/OfficeActivity-FindNewOperations.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-FindNewOperations.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-FindUserswhoDownloadedMalware.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-FindUserswhoDownloadedMalware.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-GuestAddedtoMultipleTeams.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-GuestAddedtoMultipleTeams.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-GuestDomainsHighestDownloads.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-GuestDomainsHighestDownloads.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-InboxRuleParse.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-InboxRuleParse.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-MalwareDetected.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 
365/OfficeActivity-MalwareDetected.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-MultipleFilesSharedtoGuests.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-MultipleFilesSharedtoGuests.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-NewTeamsAppInstalled.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-NewTeamsAppInstalled.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-SharedTeamsChannelCreated.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-SharedTeamsChannelCreated.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-SummarizeDownloadActivitybyGuests.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-SummarizeDownloadActivitybyGuests.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-SummarizeGuestsAddedtoTeams.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-SummarizeGuestsAddedtoTeams.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-SummarizeTeamsAppInstalls.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-SummarizeTeamsAppInstalls.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-SummarizeTeamsCreatedDeleted.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-SummarizeTeamsCreatedDeleted.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-SummaryofExternalActivity.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-SummaryofExternalActivity.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-TeamsRoleChanges.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-TeamsRoleChanges.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-Top20RandomStats.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-Top20RandomStats.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualisingAnomalousDownloads.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualisingAnomalousDownloads.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeDownloadsbyTrustType.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeDownloadsbyTrustType.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeDownloadsvsUploads.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeDownloadsvsUploads.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeFileShareTopGuestDomains.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeFileShareTopGuestDomains.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeFilesSharedtoGuests.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeFilesSharedtoGuests.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeGuestDownloadsfromO365withTrend.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeGuestDownloadsfromO365withTrend.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeGuestsAddedRemovedfromTeams.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeGuestsAddedRemovedfromTeams.kql 
-------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeGuestsRedeemedvsAddedtoTeams.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeGuestsRedeemedvsAddedtoTeams.kql -------------------------------------------------------------------------------- /Office 365/OfficeActivity-VisualizeTopGuestDownloads.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Office 365/OfficeActivity-VisualizeTopGuestDownloads.kql -------------------------------------------------------------------------------- /Query Pack/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Query Pack/README.md -------------------------------------------------------------------------------- /Query Pack/azuredeploy.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Query Pack/azuredeploy.json -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/README.md -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-DataUsage.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-DataUsage.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-DefenderforIDRecon.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-DefenderforIDRecon.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-DefenderforIdParser.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-DefenderforIdParser.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-DetectNewAlerts.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-DetectNewAlerts.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-DeviceAlertwithLateralMovement.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-DeviceAlertwithLateralMovement.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-EncodedPowershell.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-EncodedPowershell.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-FindBlastRadiusInfrequentCountry.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindBlastRadiusInfrequentCountry.kql -------------------------------------------------------------------------------- 
/Security Alert/SecurityAlert-FindBlastRadiusofPasswordSpray.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindBlastRadiusofPasswordSpray.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-FindMostPhishedUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindMostPhishedUsers.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-FindNetworkConnectionsSinkholedDomain.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindNetworkConnectionsSinkholedDomain.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-FindRecipientsofPotentialPhishing.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindRecipientsofPotentialPhishing.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-FindSigninsforAnomalousToken.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindSigninsforAnomalousToken.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-FindUsersWhoSigninfromMaliciousIPs.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-FindUsersWhoSigninfromMaliciousIPs.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-ForecastIdentityProtection.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-ForecastIdentityProtection.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-MalwareDetectedinISO.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-MalwareDetectedinISO.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-MultipleAlertsTriggered.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-MultipleAlertsTriggered.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-MultipleLowSeverityAlertsTriggered.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-MultipleLowSeverityAlertsTriggered.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-ParseMaliciousFileInfoandFindDeviceEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-ParseMaliciousFileInfoandFindDeviceEvents.kql -------------------------------------------------------------------------------- 
/Security Alert/SecurityAlert-PercentageofAlertsHighorCritical.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-PercentageofAlertsHighorCritical.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-PossibleDNSDataTransfer.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-PossibleDNSDataTransfer.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-PotentialPhishingDomainCommunication.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-PotentialPhishingDomainCommunication.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-RetrieveEmailforSuspiciousEmailPatterns.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-RetrieveEmailforSuspiciousEmailPatterns.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-SummarizeSigninsafterMailboxRule.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-SummarizeSigninsafterMailboxRule.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-SuspectedGoldenTicket.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-SuspectedGoldenTicket.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-Top20RandomStats.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-Top20RandomStats.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-VisualizeAlertsbyMITRE.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-VisualizeAlertsbyMITRE.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-VisualizeAlertsbyProduct.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-VisualizeAlertsbyProduct.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-VisualizeMDEAlertSeverity.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-VisualizeMDEAlertSeverity.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-VisualizeTopPhishingDomains.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-VisualizeTopPhishingDomains.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-VisualizeTotalAlertsvsUniqueAlerts.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-VisualizeTotalAlertsvsUniqueAlerts.kql -------------------------------------------------------------------------------- /Security Alert/SecurityAlert-WhichTablesAreInUse.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Security Alert/SecurityAlert-WhichTablesAreInUse.kql -------------------------------------------------------------------------------- /Sentinel vs Advanced Hunting/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Sentinel vs Advanced Hunting/README.md -------------------------------------------------------------------------------- /SysLog-DetectAnomaliesInEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/SysLog-DetectAnomaliesInEvents.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-FindAccountsPasswordNotRequired.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-FindAccountsPasswordNotRequired.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-FindAccountswithsameEmployeeId.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-FindAccountswithsameEmployeeId.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-FindAtRiskandHighBlastRadiusUsers.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-FindAtRiskandHighBlastRadiusUsers.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-FindGuestswithHighBlastRadius.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-FindGuestswithHighBlastRadius.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-FindPrivAccountsHighBlastRadius.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-FindPrivAccountsHighBlastRadius.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-FindUserswithmanyGroups.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-FindUserswithmanyGroups.kql -------------------------------------------------------------------------------- /UEBA/IdentityInfo-VisualizeBlastRadius.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/UEBA/IdentityInfo-VisualizeBlastRadius.kql -------------------------------------------------------------------------------- /Windows Security Events/SecEvents-FindDevicesNoLongerSendingLogs.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Windows Security Events/SecEvents-FindDevicesNoLongerSendingLogs.kql -------------------------------------------------------------------------------- /Windows Security 
Events/SecEvents-FindLateralMovementUsers.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Windows Security Events/SecEvents-FindLateralMovementUsers.kql -------------------------------------------------------------------------------- /Windows Security Events/SecEvents-PotentialRDPRecon.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Windows Security Events/SecEvents-PotentialRDPRecon.kql -------------------------------------------------------------------------------- /Windows Security Events/SecEvents-SummarizeLogonEvents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Windows Security Events/SecEvents-SummarizeLogonEvents.kql -------------------------------------------------------------------------------- /Workbooks/365DaysofKQL-Day100.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Workbooks/365DaysofKQL-Day100.kql -------------------------------------------------------------------------------- /Workbooks/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Workbooks/README.md -------------------------------------------------------------------------------- /Workbooks/ReadmeImages/workbook1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Workbooks/ReadmeImages/workbook1.png -------------------------------------------------------------------------------- /Workbooks/ReadmeImages/workbook2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Workbooks/ReadmeImages/workbook2.png -------------------------------------------------------------------------------- /Workbooks/ReadmeImages/workbook3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Workbooks/ReadmeImages/workbook3.png -------------------------------------------------------------------------------- /Workbooks/ReadmeImages/workbook4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/reprise99/Sentinel-Queries/HEAD/Workbooks/ReadmeImages/workbook4.png --------------------------------------------------------------------------------