Convert Figma logo to code with AI

Azure logoAzure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.

4,480
2,952
4,480
101

Top Related Projects

Splunk Security Content

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

8,252

Main Sigma Rule Repository

Quick Overview

Azure Sentinel is Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automated Response) solution. It provides intelligent security analytics and threat intelligence across the enterprise, offering a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Pros

  • Seamless integration with Microsoft 365 and Azure services
  • Scalable and cloud-native, reducing infrastructure costs
  • Powerful AI and Machine Learning capabilities for threat detection
  • Extensive customization options with KQL (Kusto Query Language)

Cons

  • Steep learning curve, especially for those new to KQL
  • Can be expensive for large-scale deployments
  • Limited support for non-Microsoft environments compared to some competitors
  • Requires significant setup and tuning for optimal performance

Getting Started

To get started with Azure Sentinel:

  1. Sign in to the Azure portal (https://portal.azure.com)
  2. Create a Log Analytics workspace if you don't have one
  3. Navigate to Azure Sentinel in the Azure portal
  4. Click "Add" and select your workspace
  5. Connect data sources (e.g., Office 365, Azure AD, Azure Activity)
  6. Enable built-in analytics rules or create custom ones
  7. Set up workbooks and dashboards for visualization
  8. Configure automated responses and playbooks as needed

For detailed instructions, refer to the official Microsoft documentation: https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard

Competitor Comparisons

Splunk Security Content

Pros of security_content

  • More versatile and platform-agnostic, usable across various security tools and environments
  • Extensive community-driven content with frequent updates and contributions
  • Includes a wider range of security use cases and detections beyond just SIEM

Cons of security_content

  • Requires more manual configuration and integration compared to Azure Sentinel's out-of-the-box solutions
  • May lack some of the deep Azure-specific integrations and automations provided by Azure Sentinel

Code Comparison

security_content:

name: Detect Suspicious PowerShell Commands
description: Identifies potentially malicious PowerShell commands
search: |
  index=windows sourcetype=WinEventLog:Security EventCode=4688
  | regex CommandLine="(?i)powershell.*(-enc|-encodedcommand)"

Azure-Sentinel:

id: 4a985b76-d6c3-4ac3-9300-79d95e4c1a9c
name: Suspicious PowerShell Commands
description: Detects potentially malicious PowerShell commands
query: |
  SecurityEvent
  | where EventID == 4688
  | where CommandLine contains "powershell" and (CommandLine contains "-enc" or CommandLine contains "-encodedcommand")

Both repositories provide valuable security content, with security_content offering more flexibility and community-driven updates, while Azure-Sentinel provides tighter integration with Azure services and easier implementation for Azure environments. The code examples show similar detection logic, but with syntax differences specific to their respective platforms.

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Pros of ThreatHunter-Playbook

  • Platform-agnostic, providing threat hunting techniques applicable across various environments
  • Community-driven with contributions from security researchers worldwide
  • Detailed explanations of attack techniques and corresponding detection methods

Cons of ThreatHunter-Playbook

  • Lacks direct integration with a specific SIEM platform
  • May require more manual effort to implement detection rules
  • Updates might be less frequent compared to Azure-Sentinel

Code Comparison

ThreatHunter-Playbook (YAML):

title: Suspicious PowerShell Download Cradle
id: 5fd78754-37d4-4ea3-9fa8-b832801ce353
status: experimental
description: Detects suspicious PowerShell download cradles

Azure-Sentinel (KQL):

SecurityEvent
| where EventID == 4688
| where Process contains "powershell.exe"
| where CommandLine contains "Net.WebClient" and CommandLine contains "DownloadString"

The ThreatHunter-Playbook example shows a YAML-based detection rule structure, while Azure-Sentinel uses Kusto Query Language (KQL) for defining detection logic. ThreatHunter-Playbook focuses on describing the technique, while Azure-Sentinel provides a ready-to-use query for implementation in the Azure environment.

8,252

Main Sigma Rule Repository

Pros of Sigma

  • Platform-agnostic, supporting multiple SIEM and log management systems
  • Community-driven with a large collection of detection rules
  • Flexible and extensible rule format

Cons of Sigma

  • Requires conversion tools for specific platforms
  • Less integrated with cloud services compared to Azure Sentinel
  • May require more manual effort for implementation and maintenance

Code Comparison

Sigma rule example:

title: Suspicious Process Creation
detection:
    selection:
        EventID: 1
        Image: '*\powershell.exe'
    condition: selection

Azure Sentinel KQL query example:

SecurityEvent
| where EventID == 1
| where Image contains "powershell.exe"

Key Differences

  • Sigma focuses on generic, portable detection rules
  • Azure Sentinel provides a complete SIEM solution with built-in Azure integration
  • Sigma requires conversion for specific platforms, while Azure Sentinel uses native KQL
  • Azure Sentinel offers more advanced analytics and machine learning capabilities
  • Sigma has a larger community-contributed rule repository

Both projects aim to improve threat detection and response, but cater to different use cases and environments. Sigma is ideal for organizations using multiple security tools, while Azure Sentinel is best for those heavily invested in the Azure ecosystem.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Microsoft Sentinel and Microsoft 365 Defender

Welcome to the unified Microsoft Sentinel and Microsoft 365 Defender repository! This repository contains out of the box detections, exploration queries, hunting queries, workbooks, playbooks and much more to help you get ramped up with Microsoft Sentinel and provide you security content to secure your environment and hunt for threats. The hunting queries also include Microsoft 365 Defender hunting queries for advanced hunting scenarios in both Microsoft 365 Defender and Microsoft Sentinel. You can also submit to issues for any samples or resources you would like to see here as you onboard to Microsoft Sentinel. This repository welcomes contributions and refer to this repository's wiki to get started. For questions and feedback, please contact AzureSentinel@microsoft.com

Resources

We value your feedback. Here are some channels to help surface your questions or feedback:

  1. General product specific Q&A for SIEM and SOAR - Join in the Microsoft Sentinel Tech Community conversations
  2. General product specific Q&A for XDR - Join in the Microsoft 365 Defender Tech Community conversations
  3. Product specific feature requests - Upvote or post new on Microsoft Sentinel feedback forums
  4. Report product or contribution bugs - File a GitHub Issue using Bug template
  5. General feedback on community and contribution process - File a GitHub Issue using Feature Request template

Contribution guidelines

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

Add in your new or updated contributions to GitHub

Note: If you are a first time contributor to this repository, General GitHub Fork the repo guidance before cloning or Specific steps for the Sentinel repo.

General Steps

Brand new or update to a contribution via these methods:

Pull Request

  • After you push your changes, you will need to submit the Pull Request (PR)
  • Details about the Proposed Changes are required, be sure to include a minimal level of detail so a review can clearly understand the reason for the change and what he change is related to in the code.
  • After submission, check the Pull Request for comments
  • Make changes as suggested and update your branch or explain why no change is needed. Resolve the comment when done.

Pull Request Detection Template Structure Validation Check

As part of the PR checks we run a structure validation to make sure all required parts of the YAML structure are included. For Detections, there is a new section that must be included. See the contribution guidelines for more information. If this section or any other required section is not included, then a validation error will occur similar to the below. The example is specifically if the YAML is missing the entityMappings section:

A total of 1 test files matched the specified pattern.
[xUnit.net 00:00:00.95]     Kqlvalidations.Tests.DetectionTemplateStructureValidationTests.Validate_DetectionTemplates_HaveValidTemplateStructure(detectionsYamlFileName: "ExcessiveBlockedTrafficGeneratedbyUser.yaml") [FAIL]
  X Kqlvalidations.Tests.DetectionTemplateStructureValidationTests.Validate_DetectionTemplates_HaveValidTemplateStructure(detectionsYamlFileName: "ExcessiveBlockedTrafficGeneratedbyUser.yaml") [104ms]
  Error Message:
   Expected object to be <null>, but found System.ComponentModel.DataAnnotations.ValidationException with message "An old mapping for entity 'AccountCustomEntity' does not have a matching new mapping entry."

Pull Request KQL Validation Check

As part of the PR checks we run a syntax validation of the KQL queries defined in the template. If this check fails go to Azure Pipeline (by pressing on the errors link on the checks tab in your PR) Azurepipeline In the pipeline you can see which test failed and what is the cause: Pipeline Tests Tab

Example error message:

A total of 1 test files matched the specified pattern.
[xUnit.net 00:00:01.81]     Kqlvalidations.Tests.KqlValidationTests.Validate_DetectionQueries_HaveValidKql(detectionsYamlFileName: "ExcessiveBlockedTrafficGeneratedbyUser.yaml") [FAIL]
  X Kqlvalidations.Tests.KqlValidationTests.Validate_DetectionQueries_HaveValidKql(detectionsYamlFileName: "ExcessiveBlockedTrafficGeneratedbyUser.yaml") [21ms]
  Error Message:
   Template Id:fa0ab69c-7124-4f62-acdd-61017cf6ce89 is not valid Errors:The name 'SymantecEndpointProtection' does not refer to any known table, tabular variable or function., Code: 'KS204', Severity: 'Error', Location: '67..93',The name 'SymantecEndpointProtection' does not refer to any known table, tabular variable or function., Code: 'KS204', Severity: 'Error', Location: '289..315'

If you are using custom logs table (a table which is not defined on all workspaces by default) you should verify your table schema is defined in json file in the folder Azure-Sentinel\.script\tests\KqlvalidationsTests\CustomTables

Example for table tablexyz.json

{
  "Name": "tablexyz",
  "Properties": [
    {
      "Name": "SomeDateTimeColumn",
      "Type": "DateTime"
    },
    {
      "Name": "SomeStringColumn",
      "Type": "String"
    },
    {
      "Name": "SomeDynamicColumn",
      "Type": "Dynamic"
    }
  ]
}

Run KQL Validation Locally

In order to run the KQL validation before submitting Pull Request in you local machine:

  • You need to have .Net Core 3.1 SDK installed How to download .Net (Supports all platforms)
  • Open Shell and navigate to Azure-Sentinel\\.script\tests\KqlvalidationsTests\
  • Execute dotnet test

Example of output (in Ubuntu):

Welcome to .NET Core 3.1!
---------------------
SDK Version: 3.1.403

Telemetry
---------
The .NET Core tools collect usage data in order to help us improve your experience. The data is anonymous. It is collected by Microsoft and shared with the community. You can opt-out of telemetry by setting the DOTNET_CLI_TELEMETRY_OPTOUT environment variable to '1' or 'true' using your favorite shell.

Read more about .NET Core CLI Tools telemetry: https://aka.ms/dotnet-cli-telemetry

----------------
Explore documentation: https://aka.ms/dotnet-docs
Report issues and find source on GitHub: https://github.com/dotnet/core
Find out what's new: https://aka.ms/dotnet-whats-new
Learn about the installed HTTPS developer cert: https://aka.ms/aspnet-core-https
Use 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli-docs
Write your first app: https://aka.ms/first-net-core-app
--------------------------------------------------------------------------------------
Test run for /mnt/c/git/Azure-Sentinel/.script/tests/KqlvalidationsTests/bin/Debug/netcoreapp3.1/Kqlvalidations.Tests.dll(.NETCoreApp,Version=v3.1)
Microsoft (R) Test Execution Command Line Tool Version 16.7.0
Copyright (c) Microsoft Corporation.  All rights reserved.

Starting test execution, please wait...

A total of 1 test files matched the specified pattern.

Test Run Successful.
Total tests: 171
     Passed: 171
 Total time: 25.7973 Seconds

Detection schema validation tests

Similarly to KQL Validation, there is an automatic validation of the schema of a detection. The schema validation includes the detection's frequency and period, the detection's trigger type and threshold, validity of connectors Ids (valid connectors Ids list), etc. A wrong format or missing attributes will result with an informative check failure, which should guide you through the resolution of the issue, but make sure to look into the format of already approved detection.

Run Detection Schema Validation Locally

In order to run the KQL validation before submitting Pull Request in you local machine:

  • You need to have .Net Core 3.1 SDK installed How to download .Net (Supports all platforms)
  • Open Shell and navigate to Azure-Sentinel\\.script\tests\DetectionTemplateSchemaValidation\
  • Execute dotnet test

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

For information on what you can contribute and further details, refer to the "get started" section on the project's wiki.