├── AMAAgent.kql ├── AR-BreakGlassAccount.kql ├── AR-BruteForce.kql ├── AR-CloudShellExecution.kql ├── AR-NSGChanges.kql ├── ARPPoisoning.txt ├── ASCIncidentClosure.txt ├── AZCopy.yaml ├── Account-Created-Addedto-LocalAdministrator.txt ├── ActiveIncidents.txt ├── ActiveUsers.txt ├── ActivityFromInfrequentCountry.txt ├── Activity_Increase_by_date.kql ├── AddClientDataSource.txt ├── AddedorAssignedGlobalAdministratorroleperms.txt ├── AdminConsent.txt ├── AgentInfowithLocation.txt ├── AgentProblems.txt ├── AgentedDevicesnotADJoined.txt ├── AlertContextParser.txt ├── AlertIngestionTime.txt ├── AlertProviderCounts.txt ├── All_IPs_SecurityAlerts.yaml ├── Allexes.txt ├── AnalyticsRuleCreatedorModified.txt ├── AnalyticsRuleCreatedorModifiedwithDisplayName.txt ├── AnalyticsRuleDeleted.txt ├── AnalyticsRuleLastRun.txt ├── AnalyticsRulesRunbyTimes.txt ├── AnomalousAADAccountCreation.txt ├── AnomalousToken.txt ├── AutomationRuleCreation.yaml ├── AutomationRuleDelete.txt ├── AutomationRuleHasRun.txt ├── Azure Runbooks query with correlation.txt ├── AzurePortalLoginErrors.txt ├── AzureServiceIPs.kql ├── BillableDatabyDataType.txt ├── Billabledatavolumebydatatype.txt ├── Billabledatavolumebysolution.txt ├── BitLockerMaliciousEncrypt.txt ├── BookMarkUpdatedBy.txt ├── BookmarkUpdate.txt ├── BookmarksCreatedBy.txt ├── BrowserActivitybyGEO.txt ├── BuiltInFusionCreation.txt ├── CEFDevices.txt ├── CVE-2023-23397-Detection.kql ├── CalculateSumofColumn.txt ├── CaseComments.txt ├── Check4LockedoutUser.txt ├── CheckPointLogs.txt ├── CloudShell.txt ├── CloudShellPart2.txt ├── Cloudshell2.txt ├── CommentDeleted.txt ├── CommonSecurityLogCostsbyVendor.txt ├── CommonSecurityLogThroughput.txt ├── CompareTotalRecordswithValuebyPercentage.txt ├── Conditional access changes new value and old value.txt ├── ConnectorFailures.kql ├── CostPerSubscription.txt ├── CostperEventID.txt ├── CountriesWhereAgentedComputersReportFrom.txt ├── CountryInfoExternal.kql ├── CreateAndQuery.kql ├── Cross resource 
query.txt ├── DNSActivity_Attempts_Per_Device.txt ├── DarkSideRansomware.txt ├── DataByProvider.txt ├── DataConnectorOpened.txt ├── DataConnectorReqsFailed.txt ├── DataConnectorReqsFailedbyCallerIPOperation.txt ├── DataIngestEstimation.txt ├── DataIngestionNotHappening.txt ├── DataPerComputer.kql ├── DataPerSyslogServer.txt ├── DataRetentionChanges.txt ├── DataTypeUsagePieChart.txt ├── DayofWeek.txt ├── Debugging authentication sign-ins.txt ├── DefenderAVNotSuccessful.txt ├── DefenderExclusions.txt ├── DefenderLiveResponse.txt ├── Defender_Tampering.kql ├── DeviceStopsReporting.txt ├── DirectAgent.kql ├── DirectReport.txt ├── Does a table exist.txt ├── DomainAdminsEnterpriseAdmins.txt ├── DormantAccounts.txt ├── Duration of session.txt ├── EPSforM365AdvancedTables.txt ├── EPSperTable.kql ├── EmailCountbyCountry.kql ├── EmailForwarding.txt ├── Enabled-data-connectors.kql ├── EventIDStorageinBytes.txt ├── EventIDsinLastDay.txt ├── EventLogSources.txt ├── EventVolumePerTable.txt ├── ExecutedProcesses.txt ├── ExistingConditionalAccessPolicies.txt ├── ExpiredPassword.txt ├── ExternalAccess.txt ├── ExternalGEOforSecurityEvents.txt ├── FailedLoginsPerAccount.txt ├── FileExecutionOver5Times.txt ├── GEOIPLocation.txt ├── GetTags.txt ├── GreaterThanOneCity.txt ├── GuestAccountAdds.txt ├── GuestsAddedtoRoles.txt ├── Heartbeatnotreceivedinlast30min.txt ├── HighRiskUserSigninResourceGroupCreation.txt ├── HourMinute.txt ├── HowManyAlertsGeneratedByService.txt ├── HowManyHostLogons.txt ├── HowManyQueriesEachPersonRan.txt ├── HuntingBookmarkHealth.txt ├── HuntingQueriesAzureActivitySuccessandFailures.txt ├── Ignite ├── Pre-day.pptx └── Readme.md ├── ImageFiles.kql ├── Images ├── 20220724_144123.jpg ├── 20220724_144304.jpg ├── 20220724_144326.jpg ├── chatgpt30.png ├── failed.jpg ├── readme.md ├── scope.png └── workspacesettings.png ├── ImpossibleTravelKQL.txt ├── ImpossibleTravelMCAS.txt ├── IncidentID2RuleName.txt ├── IncidentOwnerChange.txt ├── IncidentURL.kql ├── Incidents.txt 
├── IncidentsBetweenTimeRange.yaml ├── IngestionDelay.txt ├── IngestionDelaySnippet.txt ├── Interactive_web_login.kql ├── Intune-AutoPilotFailedEnrollment1Day.txt ├── Intune-DeviceThreatLevelnotSecured.txt ├── Intune-Enrollmentsabandonedbytheuser.txt ├── IntuneActivityTypes.txt ├── IntuneAuditEvents.txt ├── IntuneAuditEventsTrend.txt ├── IntuneComplianceFailuresbyOperatingSystem.txt ├── IntuneComplianceFailuresbyReason.txt ├── IntuneCountofSuccessfulEnrollmentsbyOS.txt ├── IntuneDevicesNotSupported.txt ├── IntuneDevicesNotinCompliance.txt ├── IntuneEnrollmentEventsTrend.txt ├── IntuneEnrollmentFailurereasons.txt ├── IntuneEnrollmentFailuresbyEnrollmentType.txt ├── IntuneEnrollmentFailuresbyPlatform.txt ├── IntuneEnrollmentStatistics.txt ├── IntuneEnrollmentSuccessbyEnrollmentType.txt ├── IntuneNotCompliant.txt ├── IntuneNotCompliant2.txt ├── IntuneRecentEventsbyAccounts.txt ├── IntuneRemoteactionsbyactiontype.txt ├── IntuneRemoteactionstopusers.txt ├── IntuneSuccessfulSynchedDevice.txt ├── IntuneSummarizebyOperation.txt ├── IntuneTopuserswithauditedactions.txt ├── Intunecomputershutdowns.txt ├── IntuneisCompliantByOSandOSVersion.txt ├── KDCforKRBTGTPassword.txt ├── KaseyaREvil.txt ├── LAG analysis example.txt ├── LabKQL └── LabKQL.md ├── Language demo just for fun and demo pattern replace.txt ├── LastLogin.txt ├── LastTimeDataReceived.txt ├── LastTimeMessageReceived.txt ├── Latency for a Log Analytics example with rolling percentiles.txt ├── LegacyAuthSignin.txt ├── LineNumbers-serialize.txt ├── LinksinTeamsMessages.txt ├── ListofDomains.txt ├── LockedUsers.kql ├── LogSources.txt ├── LoginFailureButPasswordChangeRequired.txt ├── LoginFailureUnknownUserNameorBadPassword.txt ├── LoginLocationNotInUS.txt ├── LoginsByAccountPerLocation.txt ├── LookbackQuery.txt ├── LookingforInstalledKBIDs.txt ├── MDTISourceTI.kql ├── MITRETacticIncident.txt ├── MITRE_ATLAS_csv_parser.kql ├── MITRE_ATLAS_parser.kql ├── MITRE_JSON_Parser.kql ├── MS_Copilots.kql ├── MV-EpandExample.txt 
├── Make series to fill in gaps with default for bin by bucket.txt ├── Make-series for gaps.txt ├── MalwareEngShutdown.txt ├── MenuBlade └── Menu.md ├── MerakiConf2.txt ├── MerakiDenialofService.txt ├── MerakiDeviceChanges.txt ├── MerakiDeviceInformation.txt ├── MerakiPKIActivity.txt ├── MerakiParser.txt ├── MerakiSIGRED.txt ├── MidnightBlizzard.kql ├── MimiKatzDetection.txt ├── MostGeneratedIncidents.txt ├── MultipleTablesNoIngest.kql ├── NRTFailed.kql ├── NSGChangesByUser.txt ├── NSGChangesbyUserandResource.txt ├── NetLogonPatchCompliance.txt ├── NewAdmins.txt ├── NewBruteForceAttacks.txt ├── NewYearChampagneGlass.txt ├── NoIncidentsClosedin90.txt ├── NoLogintoAADin90Days.txt ├── NoNewOpenIncidents24hrs.txt ├── NoTotalOpenIncidentsin90.txt ├── NoUnassignedIncidents.txt ├── NotEqual.txt ├── NotLoggedIn.txt ├── NumberofEventsOveraSelectedTime.txt ├── OfficeIngestDelay.kql ├── OfficeUsertoAdminGroup.txt ├── OnlineOffline.txt ├── Overview_Page ├── Automation │ ├── Actions performed.kql │ ├── Automation.png │ ├── Closed incidents.kql │ ├── Readme.md │ └── Time saved.kql ├── Data │ ├── Anomalies.kql │ ├── Data.png │ ├── Readme.md │ ├── TI by type.kql │ ├── Total volume.kql │ └── Unhealthy connectors.kql ├── Incidents │ ├── Incidents by closed classification - last 24 hours.kql │ ├── Incidents by severity - last 24 hours.kql │ ├── Incidents by status - last 24 hours.kql │ ├── Incidents status by creation time - last 24 hours.kql │ ├── Incidents.png │ ├── Mean time to acknowledge - last 48 hours.kql │ ├── Mean time to close.kql │ └── Readme.md ├── Readme.md └── overview.png ├── Overview_Queries.txt ├── PKEXEC.txt ├── PackAllExample.txt ├── PaloAltoStops.kql ├── ParseAnomaliConfidenceScore.txt ├── ParseBetween.txt ├── PlaybookActivity.kql ├── PolicyCreation.txt ├── PolicyExemptions.txt ├── PoorPerfQuery.txt ├── Potentialmaliciouseventsmap.txt ├── PowerShellExecution.txt ├── PowerShellExecutionwithDownload.txt ├── PrintNightmare.txt ├── ProxyShell.txt ├── 
ProxyShellExchange.txt ├── QueriesEachPersonRan.txt ├── RDP_by_IP.kql ├── README.md ├── RegistryCredentialTheft.txt ├── RemoteLogon.txt ├── RemoteWorkspaceQuery.txt ├── Remote_Actions_By_Compromised_Account.kql ├── ReportNoData.txt ├── RestartShutdownsLast7Days.txt ├── RetentionPerTable.txt ├── RulesRuninLast30d.txt ├── Running total aka cumulative sum.txt ├── SMA and EMA examples.txt ├── SQLServerAuditLogs.txt ├── SecurityChangePasswordResets.txt ├── SecurityIndicentsCreatedinLastDay.txt ├── SecurityLogFileCleared.txt ├── SentinelDataRetention.txt ├── SentinelIncidentURLs- ALL.txt ├── SharePointDownloads.txt ├── SignInbyLocation.txt ├── SignatureVersionPie.txt ├── SigninLogsByBrowserandLocation.txt ├── SigninLogsByDay - parsing UTC.txt ├── SigninLogsNow.txt ├── SocGhoulish.kql ├── Solarwinds_ServerU_Vuln.txt ├── SolutionDataUsage.txt ├── SophosDisabled.txt ├── Sparkles.txt ├── StopPLCIoTDevice.txt ├── StoppedServices.kql ├── Strcat.kql ├── SubsCreatedPerHour.kql ├── SuccessfulRoleAssignments.txt ├── SuspicousARMActivites.txt ├── SysLogDaemon.txt ├── SysmonAMA.txt ├── SysmonEventsStorageSize.txt ├── SysmonParser.txt ├── SystemRestoreDisabled.txt ├── SystemsReportingtoSentinel.txt ├── SystemthatHaveUpdatedintheLast4Hours.txt ├── TableData.kql ├── TableExistence.txt ├── TableUsageandCost.txt ├── TablesNotIngestingDatain3Days.txt ├── TeamsAADSigninLogsRelatedtoTeamOwners.txt ├── TeamsAADSigninsSuccessUnsuccess.txt ├── TeamsBotsorAppsAdded.txt ├── TeamsChannelDeleted.txt ├── TeamsExternalRareUserAccess.txt ├── TeamsExternalSuspiciousAccountsRevokedAccess.txt ├── TeamsKQL.zip ├── TeamsListFederatedUsers.txt ├── TeamsSingleUsersDeleteMultipleTeams.txt ├── TeamsSuspiciousElevationofPrivileges.txt ├── TeamsUserAddedtoTeamsChannel.txt ├── TeamsWasUserRoleChanged.txt ├── ThreatIntelBag.kql ├── ThreatIntelligenceTableCosts.txt ├── ThreatStatus.txt ├── TieFighter.txt ├── TimeBetweenDates.txt ├── TimeRangeExample.txt ├── TooManyRecipients.kql ├── Top N by Group example via 
top-nested - option 2.txt ├── Top N by group example via LAG - option 1.txt ├── TotalIncidentsInLast6Months.txt ├── Tracking Privileged Account Rare Activity without AWS.txt ├── TrendofRequests.txt ├── TrialExpiration.txt ├── UEBACosts.txt ├── UEBAEstimate.kql ├── UEBA_IsDormant.txt ├── URLDetonation ├── Azure_Sentinel_analytic_rule - URL Detonation.json ├── URLDetonate.png └── URLsWatchlist.csv ├── USB_Copy_7_days.kql ├── UnsuccessfulRulesinLast24.txt ├── UpdateComplianceBarChart.txt ├── UpdateDataConnectors.txt ├── UseCases_by_MITRE.kql ├── UserAccountLockedAAD.txt ├── Usergrantedaccesstoanapp.txt ├── UsersConnectFromMultipleCity.txt ├── UsersIPsPorts.txt ├── WatchListAudit.txt ├── WatchListDelete.txt ├── WatchlistNOTin.txt ├── Watchlist_Basics ├── Watchlist_Item_Delete.kql ├── WatchlistsCosts.txt ├── WebshellPosts.txt ├── WhenUEBAwasEnabledByWho.txt ├── WhiteList-FindWhoAccessedAzureSentinelthatShouldNot.txt ├── WhoChangedConditionalAccessPolicy.txt ├── WhoChangedTheirAADPassword.txt ├── WhoDeletedAlertRule.txt ├── WhoModifiedAnalyticsRule.txt ├── Windows10LoggedInLast7Days.txt ├── WiresharkRSSTraffic.txt ├── WorkWeek.txt ├── WorkbookCreation.txt ├── WorkbookDeletion.txt ├── WorkspaceIDs.kql ├── Workspaces90DaysRetention.kql ├── WorkspacesAndTables.txt ├── ZeroLogon_Ports.txt ├── acrossworkspaceforFunction.txt ├── adminskql.txt ├── allreportingcomputers.txt ├── computersendingmostsecurityalerts.txt ├── computersunhealthystate.txt ├── dataingestionthresholdlimits.txt ├── dataparser.txt ├── dataproviders.txt ├── devices.txt ├── excessivefailedlogins.txt ├── heartbeatforscomagent.txt ├── isempty.txt ├── maxoutputcolumns.kql ├── meraki_GROK.txt ├── multipleLAworkspaces.txt ├── qualys.txt ├── savingperworkbook.kql ├── scalarexpression.txt ├── serversenrolledinWDATP.txt └── thresholds.csv /AMAAgent.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AMAAgent.kql 
-------------------------------------------------------------------------------- /AR-BreakGlassAccount.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AR-BreakGlassAccount.kql -------------------------------------------------------------------------------- /AR-BruteForce.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AR-BruteForce.kql -------------------------------------------------------------------------------- /AR-CloudShellExecution.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AR-CloudShellExecution.kql -------------------------------------------------------------------------------- /AR-NSGChanges.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AR-NSGChanges.kql -------------------------------------------------------------------------------- /ARPPoisoning.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ARPPoisoning.txt -------------------------------------------------------------------------------- /ASCIncidentClosure.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ASCIncidentClosure.txt -------------------------------------------------------------------------------- /AZCopy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AZCopy.yaml -------------------------------------------------------------------------------- /Account-Created-Addedto-LocalAdministrator.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Account-Created-Addedto-LocalAdministrator.txt -------------------------------------------------------------------------------- /ActiveIncidents.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ActiveIncidents.txt -------------------------------------------------------------------------------- /ActiveUsers.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ActiveUsers.txt -------------------------------------------------------------------------------- /ActivityFromInfrequentCountry.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ActivityFromInfrequentCountry.txt -------------------------------------------------------------------------------- /Activity_Increase_by_date.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Activity_Increase_by_date.kql -------------------------------------------------------------------------------- /AddClientDataSource.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AddClientDataSource.txt -------------------------------------------------------------------------------- /AddedorAssignedGlobalAdministratorroleperms.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AddedorAssignedGlobalAdministratorroleperms.txt -------------------------------------------------------------------------------- /AdminConsent.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AdminConsent.txt -------------------------------------------------------------------------------- /AgentInfowithLocation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AgentInfowithLocation.txt -------------------------------------------------------------------------------- /AgentProblems.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AgentProblems.txt -------------------------------------------------------------------------------- /AgentedDevicesnotADJoined.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AgentedDevicesnotADJoined.txt -------------------------------------------------------------------------------- /AlertContextParser.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AlertContextParser.txt -------------------------------------------------------------------------------- /AlertIngestionTime.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AlertIngestionTime.txt -------------------------------------------------------------------------------- /AlertProviderCounts.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AlertProviderCounts.txt -------------------------------------------------------------------------------- /All_IPs_SecurityAlerts.yaml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/All_IPs_SecurityAlerts.yaml -------------------------------------------------------------------------------- /Allexes.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Allexes.txt -------------------------------------------------------------------------------- /AnalyticsRuleCreatedorModified.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnalyticsRuleCreatedorModified.txt -------------------------------------------------------------------------------- /AnalyticsRuleCreatedorModifiedwithDisplayName.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnalyticsRuleCreatedorModifiedwithDisplayName.txt -------------------------------------------------------------------------------- /AnalyticsRuleDeleted.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnalyticsRuleDeleted.txt -------------------------------------------------------------------------------- /AnalyticsRuleLastRun.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnalyticsRuleLastRun.txt -------------------------------------------------------------------------------- /AnalyticsRulesRunbyTimes.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnalyticsRulesRunbyTimes.txt -------------------------------------------------------------------------------- /AnomalousAADAccountCreation.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnomalousAADAccountCreation.txt -------------------------------------------------------------------------------- /AnomalousToken.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AnomalousToken.txt -------------------------------------------------------------------------------- /AutomationRuleCreation.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AutomationRuleCreation.yaml -------------------------------------------------------------------------------- /AutomationRuleDelete.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AutomationRuleDelete.txt -------------------------------------------------------------------------------- /AutomationRuleHasRun.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AutomationRuleHasRun.txt -------------------------------------------------------------------------------- /Azure Runbooks query with correlation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Azure Runbooks query with correlation.txt -------------------------------------------------------------------------------- /AzurePortalLoginErrors.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AzurePortalLoginErrors.txt -------------------------------------------------------------------------------- /AzureServiceIPs.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/AzureServiceIPs.kql -------------------------------------------------------------------------------- /BillableDatabyDataType.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BillableDatabyDataType.txt -------------------------------------------------------------------------------- /Billabledatavolumebydatatype.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Billabledatavolumebydatatype.txt -------------------------------------------------------------------------------- /Billabledatavolumebysolution.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Billabledatavolumebysolution.txt -------------------------------------------------------------------------------- /BitLockerMaliciousEncrypt.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BitLockerMaliciousEncrypt.txt -------------------------------------------------------------------------------- /BookMarkUpdatedBy.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BookMarkUpdatedBy.txt -------------------------------------------------------------------------------- /BookmarkUpdate.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BookmarkUpdate.txt -------------------------------------------------------------------------------- /BookmarksCreatedBy.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BookmarksCreatedBy.txt -------------------------------------------------------------------------------- /BrowserActivitybyGEO.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BrowserActivitybyGEO.txt -------------------------------------------------------------------------------- /BuiltInFusionCreation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/BuiltInFusionCreation.txt -------------------------------------------------------------------------------- /CEFDevices.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CEFDevices.txt -------------------------------------------------------------------------------- /CVE-2023-23397-Detection.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CVE-2023-23397-Detection.kql -------------------------------------------------------------------------------- /CalculateSumofColumn.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CalculateSumofColumn.txt -------------------------------------------------------------------------------- /CaseComments.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CaseComments.txt -------------------------------------------------------------------------------- /Check4LockedoutUser.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Check4LockedoutUser.txt 
-------------------------------------------------------------------------------- /CheckPointLogs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CheckPointLogs.txt -------------------------------------------------------------------------------- /CloudShell.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CloudShell.txt -------------------------------------------------------------------------------- /CloudShellPart2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CloudShellPart2.txt -------------------------------------------------------------------------------- /Cloudshell2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Cloudshell2.txt -------------------------------------------------------------------------------- /CommentDeleted.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CommentDeleted.txt -------------------------------------------------------------------------------- /CommonSecurityLogCostsbyVendor.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CommonSecurityLogCostsbyVendor.txt -------------------------------------------------------------------------------- /CommonSecurityLogThroughput.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CommonSecurityLogThroughput.txt -------------------------------------------------------------------------------- 
/CompareTotalRecordswithValuebyPercentage.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CompareTotalRecordswithValuebyPercentage.txt -------------------------------------------------------------------------------- /Conditional access changes new value and old value.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Conditional access changes new value and old value.txt -------------------------------------------------------------------------------- /ConnectorFailures.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ConnectorFailures.kql -------------------------------------------------------------------------------- /CostPerSubscription.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CostPerSubscription.txt -------------------------------------------------------------------------------- /CostperEventID.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CostperEventID.txt -------------------------------------------------------------------------------- /CountriesWhereAgentedComputersReportFrom.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CountriesWhereAgentedComputersReportFrom.txt -------------------------------------------------------------------------------- /CountryInfoExternal.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CountryInfoExternal.kql 
-------------------------------------------------------------------------------- /CreateAndQuery.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/CreateAndQuery.kql -------------------------------------------------------------------------------- /Cross resource query.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Cross resource query.txt -------------------------------------------------------------------------------- /DNSActivity_Attempts_Per_Device.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DNSActivity_Attempts_Per_Device.txt -------------------------------------------------------------------------------- /DarkSideRansomware.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DarkSideRansomware.txt -------------------------------------------------------------------------------- /DataByProvider.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataByProvider.txt -------------------------------------------------------------------------------- /DataConnectorOpened.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataConnectorOpened.txt -------------------------------------------------------------------------------- /DataConnectorReqsFailed.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataConnectorReqsFailed.txt 
-------------------------------------------------------------------------------- /DataConnectorReqsFailedbyCallerIPOperation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataConnectorReqsFailedbyCallerIPOperation.txt -------------------------------------------------------------------------------- /DataIngestEstimation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataIngestEstimation.txt -------------------------------------------------------------------------------- /DataIngestionNotHappening.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataIngestionNotHappening.txt -------------------------------------------------------------------------------- /DataPerComputer.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataPerComputer.kql -------------------------------------------------------------------------------- /DataPerSyslogServer.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataPerSyslogServer.txt -------------------------------------------------------------------------------- /DataRetentionChanges.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataRetentionChanges.txt -------------------------------------------------------------------------------- /DataTypeUsagePieChart.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DataTypeUsagePieChart.txt 
--------------------------------------------------------------------------------
/DayofWeek.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DayofWeek.txt
--------------------------------------------------------------------------------
/Debugging authentication sign-ins.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Debugging authentication sign-ins.txt
--------------------------------------------------------------------------------
/DefenderAVNotSuccessful.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DefenderAVNotSuccessful.txt
--------------------------------------------------------------------------------
/DefenderExclusions.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DefenderExclusions.txt
--------------------------------------------------------------------------------
/DefenderLiveResponse.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DefenderLiveResponse.txt
--------------------------------------------------------------------------------
/Defender_Tampering.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Defender_Tampering.kql
--------------------------------------------------------------------------------
/DeviceStopsReporting.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DeviceStopsReporting.txt
--------------------------------------------------------------------------------
/DirectAgent.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DirectAgent.kql
--------------------------------------------------------------------------------
/DirectReport.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DirectReport.txt
--------------------------------------------------------------------------------
/Does a table exist.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Does a table exist.txt
--------------------------------------------------------------------------------
/DomainAdminsEnterpriseAdmins.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DomainAdminsEnterpriseAdmins.txt
--------------------------------------------------------------------------------
/DormantAccounts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/DormantAccounts.txt
--------------------------------------------------------------------------------
/Duration of session.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Duration of session.txt
--------------------------------------------------------------------------------
/EPSforM365AdvancedTables.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EPSforM365AdvancedTables.txt
--------------------------------------------------------------------------------
/EPSperTable.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EPSperTable.kql
--------------------------------------------------------------------------------
/EmailCountbyCountry.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EmailCountbyCountry.kql
--------------------------------------------------------------------------------
/EmailForwarding.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EmailForwarding.txt
--------------------------------------------------------------------------------
/Enabled-data-connectors.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Enabled-data-connectors.kql
--------------------------------------------------------------------------------
/EventIDStorageinBytes.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EventIDStorageinBytes.txt
--------------------------------------------------------------------------------
/EventIDsinLastDay.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EventIDsinLastDay.txt
--------------------------------------------------------------------------------
/EventLogSources.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EventLogSources.txt
--------------------------------------------------------------------------------
/EventVolumePerTable.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/EventVolumePerTable.txt
--------------------------------------------------------------------------------
/ExecutedProcesses.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ExecutedProcesses.txt
--------------------------------------------------------------------------------
/ExistingConditionalAccessPolicies.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ExistingConditionalAccessPolicies.txt
--------------------------------------------------------------------------------
/ExpiredPassword.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ExpiredPassword.txt
--------------------------------------------------------------------------------
/ExternalAccess.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ExternalAccess.txt
--------------------------------------------------------------------------------
/ExternalGEOforSecurityEvents.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ExternalGEOforSecurityEvents.txt
--------------------------------------------------------------------------------
/FailedLoginsPerAccount.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/FailedLoginsPerAccount.txt
--------------------------------------------------------------------------------
/FileExecutionOver5Times.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/FileExecutionOver5Times.txt
--------------------------------------------------------------------------------
/GEOIPLocation.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/GEOIPLocation.txt
--------------------------------------------------------------------------------
/GetTags.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/GetTags.txt
--------------------------------------------------------------------------------
/GreaterThanOneCity.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/GreaterThanOneCity.txt
--------------------------------------------------------------------------------
/GuestAccountAdds.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/GuestAccountAdds.txt
--------------------------------------------------------------------------------
/GuestsAddedtoRoles.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/GuestsAddedtoRoles.txt
--------------------------------------------------------------------------------
/Heartbeatnotreceivedinlast30min.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Heartbeatnotreceivedinlast30min.txt
--------------------------------------------------------------------------------
/HighRiskUserSigninResourceGroupCreation.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HighRiskUserSigninResourceGroupCreation.txt
--------------------------------------------------------------------------------
/HourMinute.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HourMinute.txt
--------------------------------------------------------------------------------
/HowManyAlertsGeneratedByService.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HowManyAlertsGeneratedByService.txt
--------------------------------------------------------------------------------
/HowManyHostLogons.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HowManyHostLogons.txt
--------------------------------------------------------------------------------
/HowManyQueriesEachPersonRan.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HowManyQueriesEachPersonRan.txt
--------------------------------------------------------------------------------
/HuntingBookmarkHealth.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HuntingBookmarkHealth.txt
--------------------------------------------------------------------------------
/HuntingQueriesAzureActivitySuccessandFailures.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/HuntingQueriesAzureActivitySuccessandFailures.txt
--------------------------------------------------------------------------------
/Ignite/Pre-day.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Ignite/Pre-day.pptx
--------------------------------------------------------------------------------
/Ignite/Readme.md:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/ImageFiles.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ImageFiles.kql
--------------------------------------------------------------------------------
/Images/20220724_144123.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/20220724_144123.jpg
--------------------------------------------------------------------------------
/Images/20220724_144304.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/20220724_144304.jpg
--------------------------------------------------------------------------------
/Images/20220724_144326.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/20220724_144326.jpg
--------------------------------------------------------------------------------
/Images/chatgpt30.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/chatgpt30.png
--------------------------------------------------------------------------------
/Images/failed.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/failed.jpg
--------------------------------------------------------------------------------
/Images/readme.md:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Images/scope.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/scope.png
--------------------------------------------------------------------------------
/Images/workspacesettings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Images/workspacesettings.png
--------------------------------------------------------------------------------
/ImpossibleTravelKQL.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ImpossibleTravelKQL.txt
--------------------------------------------------------------------------------
/ImpossibleTravelMCAS.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ImpossibleTravelMCAS.txt
--------------------------------------------------------------------------------
/IncidentID2RuleName.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IncidentID2RuleName.txt
--------------------------------------------------------------------------------
/IncidentOwnerChange.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IncidentOwnerChange.txt
--------------------------------------------------------------------------------
/IncidentURL.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IncidentURL.kql
--------------------------------------------------------------------------------
/Incidents.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Incidents.txt
--------------------------------------------------------------------------------
/IncidentsBetweenTimeRange.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IncidentsBetweenTimeRange.yaml
--------------------------------------------------------------------------------
/IngestionDelay.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IngestionDelay.txt
--------------------------------------------------------------------------------
/IngestionDelaySnippet.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IngestionDelaySnippet.txt
--------------------------------------------------------------------------------
/Interactive_web_login.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Interactive_web_login.kql
--------------------------------------------------------------------------------
/Intune-AutoPilotFailedEnrollment1Day.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Intune-AutoPilotFailedEnrollment1Day.txt
--------------------------------------------------------------------------------
/Intune-DeviceThreatLevelnotSecured.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Intune-DeviceThreatLevelnotSecured.txt
--------------------------------------------------------------------------------
/Intune-Enrollmentsabandonedbytheuser.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Intune-Enrollmentsabandonedbytheuser.txt
--------------------------------------------------------------------------------
/IntuneActivityTypes.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneActivityTypes.txt
--------------------------------------------------------------------------------
/IntuneAuditEvents.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneAuditEvents.txt
--------------------------------------------------------------------------------
/IntuneAuditEventsTrend.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneAuditEventsTrend.txt
--------------------------------------------------------------------------------
/IntuneComplianceFailuresbyOperatingSystem.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneComplianceFailuresbyOperatingSystem.txt
--------------------------------------------------------------------------------
/IntuneComplianceFailuresbyReason.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneComplianceFailuresbyReason.txt
--------------------------------------------------------------------------------
/IntuneCountofSuccessfulEnrollmentsbyOS.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneCountofSuccessfulEnrollmentsbyOS.txt
--------------------------------------------------------------------------------
/IntuneDevicesNotSupported.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneDevicesNotSupported.txt
--------------------------------------------------------------------------------
/IntuneDevicesNotinCompliance.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneDevicesNotinCompliance.txt
--------------------------------------------------------------------------------
/IntuneEnrollmentEventsTrend.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneEnrollmentEventsTrend.txt
--------------------------------------------------------------------------------
/IntuneEnrollmentFailurereasons.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneEnrollmentFailurereasons.txt
--------------------------------------------------------------------------------
/IntuneEnrollmentFailuresbyEnrollmentType.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneEnrollmentFailuresbyEnrollmentType.txt
--------------------------------------------------------------------------------
/IntuneEnrollmentFailuresbyPlatform.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneEnrollmentFailuresbyPlatform.txt
--------------------------------------------------------------------------------
/IntuneEnrollmentStatistics.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneEnrollmentStatistics.txt
--------------------------------------------------------------------------------
/IntuneEnrollmentSuccessbyEnrollmentType.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneEnrollmentSuccessbyEnrollmentType.txt
--------------------------------------------------------------------------------
/IntuneNotCompliant.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneNotCompliant.txt
--------------------------------------------------------------------------------
/IntuneNotCompliant2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneNotCompliant2.txt
--------------------------------------------------------------------------------
/IntuneRecentEventsbyAccounts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneRecentEventsbyAccounts.txt
--------------------------------------------------------------------------------
/IntuneRemoteactionsbyactiontype.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneRemoteactionsbyactiontype.txt
--------------------------------------------------------------------------------
/IntuneRemoteactionstopusers.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneRemoteactionstopusers.txt
--------------------------------------------------------------------------------
/IntuneSuccessfulSynchedDevice.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneSuccessfulSynchedDevice.txt
--------------------------------------------------------------------------------
/IntuneSummarizebyOperation.txt:
--------------------------------------------------------------------------------
IntuneAuditLogs
| summarize count() by OperationName
--------------------------------------------------------------------------------
/IntuneTopuserswithauditedactions.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneTopuserswithauditedactions.txt
--------------------------------------------------------------------------------
/Intunecomputershutdowns.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Intunecomputershutdowns.txt
--------------------------------------------------------------------------------
/IntuneisCompliantByOSandOSVersion.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/IntuneisCompliantByOSandOSVersion.txt
--------------------------------------------------------------------------------
/KDCforKRBTGTPassword.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/KDCforKRBTGTPassword.txt
--------------------------------------------------------------------------------
/KaseyaREvil.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/KaseyaREvil.txt
--------------------------------------------------------------------------------
/LAG analysis example.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LAG analysis example.txt
--------------------------------------------------------------------------------
/LabKQL/LabKQL.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LabKQL/LabKQL.md
--------------------------------------------------------------------------------
/Language demo just for fun and demo pattern replace.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Language demo just for fun and demo pattern replace.txt
--------------------------------------------------------------------------------
/LastLogin.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LastLogin.txt
--------------------------------------------------------------------------------
/LastTimeDataReceived.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LastTimeDataReceived.txt
--------------------------------------------------------------------------------
/LastTimeMessageReceived.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LastTimeMessageReceived.txt
--------------------------------------------------------------------------------
/Latency for a Log Analytics example with rolling percentiles.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Latency for a Log Analytics example with rolling percentiles.txt
--------------------------------------------------------------------------------
/LegacyAuthSignin.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LegacyAuthSignin.txt
--------------------------------------------------------------------------------
/LineNumbers-serialize.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LineNumbers-serialize.txt
--------------------------------------------------------------------------------
/LinksinTeamsMessages.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LinksinTeamsMessages.txt
--------------------------------------------------------------------------------
/ListofDomains.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ListofDomains.txt
--------------------------------------------------------------------------------
/LockedUsers.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LockedUsers.kql
--------------------------------------------------------------------------------
/LogSources.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LogSources.txt
--------------------------------------------------------------------------------
/LoginFailureButPasswordChangeRequired.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LoginFailureButPasswordChangeRequired.txt
--------------------------------------------------------------------------------
/LoginFailureUnknownUserNameorBadPassword.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LoginFailureUnknownUserNameorBadPassword.txt
--------------------------------------------------------------------------------
/LoginLocationNotInUS.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LoginLocationNotInUS.txt
--------------------------------------------------------------------------------
/LoginsByAccountPerLocation.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LoginsByAccountPerLocation.txt
--------------------------------------------------------------------------------
/LookbackQuery.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LookbackQuery.txt
--------------------------------------------------------------------------------
/LookingforInstalledKBIDs.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/LookingforInstalledKBIDs.txt
--------------------------------------------------------------------------------
/MDTISourceTI.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MDTISourceTI.kql
--------------------------------------------------------------------------------
/MITRETacticIncident.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MITRETacticIncident.txt
--------------------------------------------------------------------------------
/MITRE_ATLAS_csv_parser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MITRE_ATLAS_csv_parser.kql
--------------------------------------------------------------------------------
/MITRE_ATLAS_parser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MITRE_ATLAS_parser.kql
--------------------------------------------------------------------------------
/MITRE_JSON_Parser.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MITRE_JSON_Parser.kql
--------------------------------------------------------------------------------
/MS_Copilots.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MS_Copilots.kql
--------------------------------------------------------------------------------
/MV-EpandExample.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MV-EpandExample.txt
--------------------------------------------------------------------------------
/Make series to fill in gaps with default for bin by bucket.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Make series to fill in gaps with default for bin by bucket.txt
--------------------------------------------------------------------------------
/Make-series for gaps.txt:
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Make-series for gaps.txt -------------------------------------------------------------------------------- /MalwareEngShutdown.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MalwareEngShutdown.txt -------------------------------------------------------------------------------- /MenuBlade/Menu.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /MerakiConf2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiConf2.txt -------------------------------------------------------------------------------- /MerakiDenialofService.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiDenialofService.txt -------------------------------------------------------------------------------- /MerakiDeviceChanges.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiDeviceChanges.txt -------------------------------------------------------------------------------- /MerakiDeviceInformation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiDeviceInformation.txt -------------------------------------------------------------------------------- /MerakiPKIActivity.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiPKIActivity.txt 
-------------------------------------------------------------------------------- /MerakiParser.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiParser.txt -------------------------------------------------------------------------------- /MerakiSIGRED.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MerakiSIGRED.txt -------------------------------------------------------------------------------- /MidnightBlizzard.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MidnightBlizzard.kql -------------------------------------------------------------------------------- /MimiKatzDetection.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MimiKatzDetection.txt -------------------------------------------------------------------------------- /MostGeneratedIncidents.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MostGeneratedIncidents.txt -------------------------------------------------------------------------------- /MultipleTablesNoIngest.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/MultipleTablesNoIngest.kql -------------------------------------------------------------------------------- /NRTFailed.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NRTFailed.kql -------------------------------------------------------------------------------- /NSGChangesByUser.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NSGChangesByUser.txt -------------------------------------------------------------------------------- /NSGChangesbyUserandResource.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NSGChangesbyUserandResource.txt -------------------------------------------------------------------------------- /NetLogonPatchCompliance.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NetLogonPatchCompliance.txt -------------------------------------------------------------------------------- /NewAdmins.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NewAdmins.txt -------------------------------------------------------------------------------- /NewBruteForceAttacks.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NewBruteForceAttacks.txt -------------------------------------------------------------------------------- /NewYearChampagneGlass.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NewYearChampagneGlass.txt -------------------------------------------------------------------------------- /NoIncidentsClosedin90.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NoIncidentsClosedin90.txt -------------------------------------------------------------------------------- /NoLogintoAADin90Days.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NoLogintoAADin90Days.txt -------------------------------------------------------------------------------- /NoNewOpenIncidents24hrs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NoNewOpenIncidents24hrs.txt -------------------------------------------------------------------------------- /NoTotalOpenIncidentsin90.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NoTotalOpenIncidentsin90.txt -------------------------------------------------------------------------------- /NoUnassignedIncidents.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NoUnassignedIncidents.txt -------------------------------------------------------------------------------- /NotEqual.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NotEqual.txt -------------------------------------------------------------------------------- /NotLoggedIn.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NotLoggedIn.txt -------------------------------------------------------------------------------- /NumberofEventsOveraSelectedTime.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/NumberofEventsOveraSelectedTime.txt -------------------------------------------------------------------------------- /OfficeIngestDelay.kql: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/OfficeIngestDelay.kql -------------------------------------------------------------------------------- /OfficeUsertoAdminGroup.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/OfficeUsertoAdminGroup.txt -------------------------------------------------------------------------------- /OnlineOffline.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/OnlineOffline.txt -------------------------------------------------------------------------------- /Overview_Page/Automation/Actions performed.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Automation/Actions performed.kql -------------------------------------------------------------------------------- /Overview_Page/Automation/Automation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Automation/Automation.png -------------------------------------------------------------------------------- /Overview_Page/Automation/Closed incidents.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Automation/Closed incidents.kql -------------------------------------------------------------------------------- /Overview_Page/Automation/Readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Automation/Readme.md -------------------------------------------------------------------------------- /Overview_Page/Automation/Time saved.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Automation/Time saved.kql -------------------------------------------------------------------------------- /Overview_Page/Data/Anomalies.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Data/Anomalies.kql -------------------------------------------------------------------------------- /Overview_Page/Data/Data.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Data/Data.png -------------------------------------------------------------------------------- /Overview_Page/Data/Readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Data/Readme.md -------------------------------------------------------------------------------- /Overview_Page/Data/TI by type.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Data/TI by type.kql -------------------------------------------------------------------------------- /Overview_Page/Data/Total volume.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Data/Total volume.kql -------------------------------------------------------------------------------- /Overview_Page/Data/Unhealthy connectors.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Data/Unhealthy connectors.kql 
-------------------------------------------------------------------------------- /Overview_Page/Incidents/Incidents by closed classification - last 24 hours.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Incidents by closed classification - last 24 hours.kql -------------------------------------------------------------------------------- /Overview_Page/Incidents/Incidents by severity - last 24 hours.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Incidents by severity - last 24 hours.kql -------------------------------------------------------------------------------- /Overview_Page/Incidents/Incidents by status - last 24 hours.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Incidents by status - last 24 hours.kql -------------------------------------------------------------------------------- /Overview_Page/Incidents/Incidents status by creation time - last 24 hours.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Incidents status by creation time - last 24 hours.kql -------------------------------------------------------------------------------- /Overview_Page/Incidents/Incidents.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Incidents.png -------------------------------------------------------------------------------- /Overview_Page/Incidents/Mean time to acknowledge - last 48 hours.kql: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Mean time to acknowledge - last 48 hours.kql -------------------------------------------------------------------------------- /Overview_Page/Incidents/Mean time to close.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Mean time to close.kql -------------------------------------------------------------------------------- /Overview_Page/Incidents/Readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Incidents/Readme.md -------------------------------------------------------------------------------- /Overview_Page/Readme.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/Readme.md -------------------------------------------------------------------------------- /Overview_Page/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Page/overview.png -------------------------------------------------------------------------------- /Overview_Queries.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Overview_Queries.txt -------------------------------------------------------------------------------- /PKEXEC.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PKEXEC.txt -------------------------------------------------------------------------------- /PackAllExample.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PackAllExample.txt -------------------------------------------------------------------------------- /PaloAltoStops.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PaloAltoStops.kql -------------------------------------------------------------------------------- /ParseAnomaliConfidenceScore.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ParseAnomaliConfidenceScore.txt -------------------------------------------------------------------------------- /ParseBetween.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ParseBetween.txt -------------------------------------------------------------------------------- /PlaybookActivity.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PlaybookActivity.kql -------------------------------------------------------------------------------- /PolicyCreation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PolicyCreation.txt -------------------------------------------------------------------------------- /PolicyExemptions.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PolicyExemptions.txt -------------------------------------------------------------------------------- /PoorPerfQuery.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PoorPerfQuery.txt -------------------------------------------------------------------------------- /Potentialmaliciouseventsmap.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Potentialmaliciouseventsmap.txt -------------------------------------------------------------------------------- /PowerShellExecution.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PowerShellExecution.txt -------------------------------------------------------------------------------- /PowerShellExecutionwithDownload.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PowerShellExecutionwithDownload.txt -------------------------------------------------------------------------------- /PrintNightmare.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/PrintNightmare.txt -------------------------------------------------------------------------------- /ProxyShell.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ProxyShell.txt -------------------------------------------------------------------------------- /ProxyShellExchange.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ProxyShellExchange.txt -------------------------------------------------------------------------------- /QueriesEachPersonRan.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/QueriesEachPersonRan.txt -------------------------------------------------------------------------------- /RDP_by_IP.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RDP_by_IP.kql -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/README.md -------------------------------------------------------------------------------- /RegistryCredentialTheft.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RegistryCredentialTheft.txt -------------------------------------------------------------------------------- /RemoteLogon.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RemoteLogon.txt -------------------------------------------------------------------------------- /RemoteWorkspaceQuery.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RemoteWorkspaceQuery.txt -------------------------------------------------------------------------------- /Remote_Actions_By_Compromised_Account.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Remote_Actions_By_Compromised_Account.kql -------------------------------------------------------------------------------- /ReportNoData.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ReportNoData.txt 
-------------------------------------------------------------------------------- /RestartShutdownsLast7Days.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RestartShutdownsLast7Days.txt -------------------------------------------------------------------------------- /RetentionPerTable.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RetentionPerTable.txt -------------------------------------------------------------------------------- /RulesRuninLast30d.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/RulesRuninLast30d.txt -------------------------------------------------------------------------------- /Running total aka cumulative sum.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Running total aka cumulative sum.txt -------------------------------------------------------------------------------- /SMA and EMA examples.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SMA and EMA examples.txt -------------------------------------------------------------------------------- /SQLServerAuditLogs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SQLServerAuditLogs.txt -------------------------------------------------------------------------------- /SecurityChangePasswordResets.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SecurityChangePasswordResets.txt 
-------------------------------------------------------------------------------- /SecurityIndicentsCreatedinLastDay.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SecurityIndicentsCreatedinLastDay.txt -------------------------------------------------------------------------------- /SecurityLogFileCleared.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SecurityLogFileCleared.txt -------------------------------------------------------------------------------- /SentinelDataRetention.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SentinelDataRetention.txt -------------------------------------------------------------------------------- /SentinelIncidentURLs- ALL.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SentinelIncidentURLs- ALL.txt -------------------------------------------------------------------------------- /SharePointDownloads.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SharePointDownloads.txt -------------------------------------------------------------------------------- /SignInbyLocation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SignInbyLocation.txt -------------------------------------------------------------------------------- /SignatureVersionPie.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SignatureVersionPie.txt 
-------------------------------------------------------------------------------- /SigninLogsByBrowserandLocation.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SigninLogsByBrowserandLocation.txt -------------------------------------------------------------------------------- /SigninLogsByDay - parsing UTC.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SigninLogsByDay - parsing UTC.txt -------------------------------------------------------------------------------- /SigninLogsNow.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SigninLogsNow.txt -------------------------------------------------------------------------------- /SocGhoulish.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SocGhoulish.kql -------------------------------------------------------------------------------- /Solarwinds_ServerU_Vuln.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Solarwinds_ServerU_Vuln.txt -------------------------------------------------------------------------------- /SolutionDataUsage.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SolutionDataUsage.txt -------------------------------------------------------------------------------- /SophosDisabled.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SophosDisabled.txt -------------------------------------------------------------------------------- 
/Sparkles.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Sparkles.txt -------------------------------------------------------------------------------- /StopPLCIoTDevice.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/StopPLCIoTDevice.txt -------------------------------------------------------------------------------- /StoppedServices.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/StoppedServices.kql -------------------------------------------------------------------------------- /Strcat.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Strcat.kql -------------------------------------------------------------------------------- /SubsCreatedPerHour.kql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SubsCreatedPerHour.kql -------------------------------------------------------------------------------- /SuccessfulRoleAssignments.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SuccessfulRoleAssignments.txt -------------------------------------------------------------------------------- /SuspicousARMActivites.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SuspicousARMActivites.txt -------------------------------------------------------------------------------- /SysLogDaemon.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SysLogDaemon.txt
--------------------------------------------------------------------------------
/SysmonAMA.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SysmonAMA.txt
--------------------------------------------------------------------------------
/SysmonEventsStorageSize.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SysmonEventsStorageSize.txt
--------------------------------------------------------------------------------
/SysmonParser.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SysmonParser.txt
--------------------------------------------------------------------------------
/SystemRestoreDisabled.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SystemRestoreDisabled.txt
--------------------------------------------------------------------------------
/SystemsReportingtoSentinel.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SystemsReportingtoSentinel.txt
--------------------------------------------------------------------------------
/SystemthatHaveUpdatedintheLast4Hours.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/SystemthatHaveUpdatedintheLast4Hours.txt
--------------------------------------------------------------------------------
/TableData.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TableData.kql
--------------------------------------------------------------------------------
/TableExistence.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TableExistence.txt
--------------------------------------------------------------------------------
/TableUsageandCost.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TableUsageandCost.txt
--------------------------------------------------------------------------------
/TablesNotIngestingDatain3Days.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TablesNotIngestingDatain3Days.txt
--------------------------------------------------------------------------------
/TeamsAADSigninLogsRelatedtoTeamOwners.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsAADSigninLogsRelatedtoTeamOwners.txt
--------------------------------------------------------------------------------
/TeamsAADSigninsSuccessUnsuccess.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsAADSigninsSuccessUnsuccess.txt
--------------------------------------------------------------------------------
/TeamsBotsorAppsAdded.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsBotsorAppsAdded.txt
--------------------------------------------------------------------------------
/TeamsChannelDeleted.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsChannelDeleted.txt
--------------------------------------------------------------------------------
/TeamsExternalRareUserAccess.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsExternalRareUserAccess.txt
--------------------------------------------------------------------------------
/TeamsExternalSuspiciousAccountsRevokedAccess.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsExternalSuspiciousAccountsRevokedAccess.txt
--------------------------------------------------------------------------------
/TeamsKQL.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsKQL.zip
--------------------------------------------------------------------------------
/TeamsListFederatedUsers.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsListFederatedUsers.txt
--------------------------------------------------------------------------------
/TeamsSingleUsersDeleteMultipleTeams.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsSingleUsersDeleteMultipleTeams.txt
--------------------------------------------------------------------------------
/TeamsSuspiciousElevationofPrivileges.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsSuspiciousElevationofPrivileges.txt
--------------------------------------------------------------------------------
/TeamsUserAddedtoTeamsChannel.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsUserAddedtoTeamsChannel.txt
--------------------------------------------------------------------------------
/TeamsWasUserRoleChanged.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TeamsWasUserRoleChanged.txt
--------------------------------------------------------------------------------
/ThreatIntelBag.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ThreatIntelBag.kql
--------------------------------------------------------------------------------
/ThreatIntelligenceTableCosts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ThreatIntelligenceTableCosts.txt
--------------------------------------------------------------------------------
/ThreatStatus.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ThreatStatus.txt
--------------------------------------------------------------------------------
/TieFighter.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TieFighter.txt
--------------------------------------------------------------------------------
/TimeBetweenDates.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TimeBetweenDates.txt
--------------------------------------------------------------------------------
/TimeRangeExample.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TimeRangeExample.txt
--------------------------------------------------------------------------------
/TooManyRecipients.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TooManyRecipients.kql
--------------------------------------------------------------------------------
/Top N by Group example via top-nested - option 2.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Top N by Group example via top-nested - option 2.txt
--------------------------------------------------------------------------------
/Top N by group example via LAG - option 1.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Top N by group example via LAG - option 1.txt
--------------------------------------------------------------------------------
/TotalIncidentsInLast6Months.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TotalIncidentsInLast6Months.txt
--------------------------------------------------------------------------------
/Tracking Privileged Account Rare Activity without AWS.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Tracking Privileged Account Rare Activity without AWS.txt
--------------------------------------------------------------------------------
/TrendofRequests.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TrendofRequests.txt
--------------------------------------------------------------------------------
/TrialExpiration.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/TrialExpiration.txt
--------------------------------------------------------------------------------
/UEBACosts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UEBACosts.txt
--------------------------------------------------------------------------------
/UEBAEstimate.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UEBAEstimate.kql
--------------------------------------------------------------------------------
/UEBA_IsDormant.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UEBA_IsDormant.txt
--------------------------------------------------------------------------------
/URLDetonation/Azure_Sentinel_analytic_rule - URL Detonation.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/URLDetonation/Azure_Sentinel_analytic_rule - URL Detonation.json
--------------------------------------------------------------------------------
/URLDetonation/URLDetonate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/URLDetonation/URLDetonate.png
--------------------------------------------------------------------------------
/URLDetonation/URLsWatchlist.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/URLDetonation/URLsWatchlist.csv
--------------------------------------------------------------------------------
/USB_Copy_7_days.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/USB_Copy_7_days.kql
--------------------------------------------------------------------------------
/UnsuccessfulRulesinLast24.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UnsuccessfulRulesinLast24.txt
--------------------------------------------------------------------------------
/UpdateComplianceBarChart.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UpdateComplianceBarChart.txt
--------------------------------------------------------------------------------
/UpdateDataConnectors.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UpdateDataConnectors.txt
--------------------------------------------------------------------------------
/UseCases_by_MITRE.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UseCases_by_MITRE.kql
--------------------------------------------------------------------------------
/UserAccountLockedAAD.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UserAccountLockedAAD.txt
--------------------------------------------------------------------------------
/Usergrantedaccesstoanapp.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Usergrantedaccesstoanapp.txt
--------------------------------------------------------------------------------
/UsersConnectFromMultipleCity.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UsersConnectFromMultipleCity.txt
--------------------------------------------------------------------------------
/UsersIPsPorts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/UsersIPsPorts.txt
--------------------------------------------------------------------------------
/WatchListAudit.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WatchListAudit.txt
--------------------------------------------------------------------------------
/WatchListDelete.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WatchListDelete.txt
--------------------------------------------------------------------------------
/WatchlistNOTin.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WatchlistNOTin.txt
--------------------------------------------------------------------------------
/Watchlist_Basics:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Watchlist_Basics
--------------------------------------------------------------------------------
/Watchlist_Item_Delete.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Watchlist_Item_Delete.kql
--------------------------------------------------------------------------------
/WatchlistsCosts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WatchlistsCosts.txt
--------------------------------------------------------------------------------
/WebshellPosts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WebshellPosts.txt
--------------------------------------------------------------------------------
/WhenUEBAwasEnabledByWho.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WhenUEBAwasEnabledByWho.txt
--------------------------------------------------------------------------------
/WhiteList-FindWhoAccessedAzureSentinelthatShouldNot.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WhiteList-FindWhoAccessedAzureSentinelthatShouldNot.txt
--------------------------------------------------------------------------------
/WhoChangedConditionalAccessPolicy.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WhoChangedConditionalAccessPolicy.txt
--------------------------------------------------------------------------------
/WhoChangedTheirAADPassword.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WhoChangedTheirAADPassword.txt
--------------------------------------------------------------------------------
/WhoDeletedAlertRule.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WhoDeletedAlertRule.txt
--------------------------------------------------------------------------------
/WhoModifiedAnalyticsRule.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WhoModifiedAnalyticsRule.txt
--------------------------------------------------------------------------------
/Windows10LoggedInLast7Days.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Windows10LoggedInLast7Days.txt
--------------------------------------------------------------------------------
/WiresharkRSSTraffic.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WiresharkRSSTraffic.txt
--------------------------------------------------------------------------------
/WorkWeek.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WorkWeek.txt
--------------------------------------------------------------------------------
/WorkbookCreation.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WorkbookCreation.txt
--------------------------------------------------------------------------------
/WorkbookDeletion.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WorkbookDeletion.txt
--------------------------------------------------------------------------------
/WorkspaceIDs.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WorkspaceIDs.kql
--------------------------------------------------------------------------------
/Workspaces90DaysRetention.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/Workspaces90DaysRetention.kql
--------------------------------------------------------------------------------
/WorkspacesAndTables.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/WorkspacesAndTables.txt
--------------------------------------------------------------------------------
/ZeroLogon_Ports.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/ZeroLogon_Ports.txt
--------------------------------------------------------------------------------
/acrossworkspaceforFunction.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/acrossworkspaceforFunction.txt
--------------------------------------------------------------------------------
/adminskql.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/adminskql.txt
--------------------------------------------------------------------------------
/allreportingcomputers.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/allreportingcomputers.txt
--------------------------------------------------------------------------------
/computersendingmostsecurityalerts.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/computersendingmostsecurityalerts.txt
--------------------------------------------------------------------------------
/computersunhealthystate.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/computersunhealthystate.txt
--------------------------------------------------------------------------------
/dataingestionthresholdlimits.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/dataingestionthresholdlimits.txt
--------------------------------------------------------------------------------
/dataparser.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/dataparser.txt
--------------------------------------------------------------------------------
/dataproviders.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/dataproviders.txt
--------------------------------------------------------------------------------
/devices.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/devices.txt
--------------------------------------------------------------------------------
/excessivefailedlogins.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/excessivefailedlogins.txt
--------------------------------------------------------------------------------
/heartbeatforscomagent.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/heartbeatforscomagent.txt
--------------------------------------------------------------------------------
/isempty.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/isempty.txt
--------------------------------------------------------------------------------
/maxoutputcolumns.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/maxoutputcolumns.kql
--------------------------------------------------------------------------------
/meraki_GROK.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/meraki_GROK.txt
--------------------------------------------------------------------------------
/multipleLAworkspaces.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/multipleLAworkspaces.txt
--------------------------------------------------------------------------------
/qualys.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/qualys.txt
--------------------------------------------------------------------------------
/savingperworkbook.kql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/savingperworkbook.kql
--------------------------------------------------------------------------------
/scalarexpression.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/scalarexpression.txt
--------------------------------------------------------------------------------
/serversenrolledinWDATP.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rod-trent/SentinelKQL/HEAD/serversenrolledinWDATP.txt
--------------------------------------------------------------------------------
/thresholds.csv:
--------------------------------------------------------------------------------
Computer,Threshold
Rod,100
--------------------------------------------------------------------------------