- How to visualize graphs in Kusto using Plotly and Python
- Threat hunting with Microsoft Sentinel
- Microsoft Security Webinar: Modernise your SOC with Microsoft Sentinel & AI | Watch Now
- Azure/Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterprise.
- rod-trent/Sentinel-SOC-101: Content and collateral for the Microsoft Sentinel SOC 101 series
- Microsoft Azure Marketplace
- KQL
Useful queries
Find any changes to access package policies (Entra ID entitlement management audit events). `ago(730d)` only returns results if the workspace's retention actually covers two years; a Sentinel workspace keeps interactive data for 90 days by default, so check the table's retention before trusting an empty result.

```kql
AuditLogs
| where TimeGenerated > ago(730d)
| where Category == "EntitlementManagement"
| where ActivityDisplayName contains "policy"
// TargetResources is a dynamic array; expand it so each target becomes its own row.
// Listing AdditionalDetails in the same mv-expand zips the two arrays together row by row.
| mv-expand TargetResources, AdditionalDetails
| where tostring(TargetResources.id) == "2f28e35c-3d01-46b4-b820-5dfff2aa08e5"
```

Find events where an executable under a given folder has been blocked by Defender:
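The query above tells you that something happened to the policy, but not who did it or what changed. The following is an added example, not a query from the original page: it reuses the same policy id and window, and additionally pulls the actor (user or app) from `InitiatedBy` and the list of modified properties carried on each target resource. The `InitiatedBy` and `modifiedProperties` paths are the standard AuditLogs schema; the column names on the output side are my own choices.

```kql
// Added example: who changed the access package policy and which properties changed.
// policyId is the id from the query above; the projected column names are assumptions.
let policyId = "2f28e35c-3d01-46b4-b820-5dfff2aa08e5";
AuditLogs
| where TimeGenerated > ago(730d)
| where Category == "EntitlementManagement"
| where ActivityDisplayName contains "policy"
| mv-expand TargetResources
| where tostring(TargetResources.id) == policyId
// The actor is either an interactive user or an app/service principal; surface whichever is present.
| extend Actor = iff(isnotempty(InitiatedBy.user),
                     tostring(InitiatedBy.user.userPrincipalName),
                     tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
| extend Target = tostring(TargetResources.displayName)
// Keep the property list as a dynamic column rather than expanding it, so events that
// carry no modifiedProperties (for example a deletion) are not lost from the result.
| extend Changes = TargetResources.modifiedProperties
| project TimeGenerated, ActivityDisplayName, Result, ResultReason, Actor, ActorIp, Target, Changes
| sort by TimeGenerated desc
```

Each row of `Changes` is an object with `displayName`, `oldValue` and `newValue`, so a policy being loosened (for example a longer assignment duration or an approval step removed) shows up as an old/new pair next to the UPN that made the change.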
```kql
DeviceProcessEvents
| where FolderPath startswith "C:\\Tools\\opengrep-playground-win32-x64"
```

```kql
DeviceEvents
// ActionType values are Defender-specific; confirm which ones appear in your tenant
// with `DeviceEvents | distinct ActionType` before relying on this list.
| where ActionType in ("Blocked", "Quarantined", "Remediated")
| where FolderPath startswith "C:\\Tools\\opengrep-playground-win32-x64"
```

```kql
DeviceFileEvents
| where FolderPath startswith "C:\\Tools\\opengrep-playground-win32-x64"
```

Double-quoted KQL strings treat the backslash as an escape character, hence the doubled `\\`; a verbatim string such as `@"C:\Tools\opengrep-playground-win32-x64"` avoids the doubling. `startswith` is case-insensitive, which is what you want for Windows paths.

Azure DevOps activity:
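Running the three table queries separately means correlating by hand. The block below is an added example, not from the original page: it unions the same three tables over the same folder, keeps only the columns all three share, and summarises per device so a block in `DeviceEvents` can be read next to the process launch and file write that preceded it. The 30-day window, the `Disposition` bucketing and the output column names are assumptions; the folder and the table names are from the queries above.

```kql
// Added example: one view over DeviceProcessEvents, DeviceEvents and DeviceFileEvents
// for a single folder. Lookback window and output column names are assumptions.
let targetFolder = @"C:\Tools\opengrep-playground-win32-x64";   // verbatim string, no escaping
let lookback = 30d;
union withsource=SourceTable
    (DeviceProcessEvents | where TimeGenerated > ago(lookback) | where FolderPath startswith targetFolder),
    (DeviceEvents        | where TimeGenerated > ago(lookback) | where FolderPath startswith targetFolder),
    (DeviceFileEvents    | where TimeGenerated > ago(lookback) | where FolderPath startswith targetFolder)
// Restrict to columns present in all three tables so the union lines up cleanly.
| project TimeGenerated, SourceTable, DeviceName, ActionType, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// Rough triage bucket: an ActionType containing "Blocked" is enforcement, "Audited" is
// report-only mode, anything else is ordinary telemetry (process start, file create, ...).
| extend Disposition = case(ActionType contains "Blocked", "blocked",
                            ActionType contains "Audited", "audited",
                            "observed")
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Actions = make_set(ActionType),
            Files = make_set(FileName),
            Parents = make_set(InitiatingProcessFileName)
    by DeviceName, SourceTable, Disposition
| sort by LastSeen desc
```

If a device shows `observed` rows in `DeviceFileEvents` and `DeviceProcessEvents` but a `blocked` row only in `DeviceEvents`, the binary was written and launched before the block, which is the usual shape for an ASR or App Control enforcement; the `Parents` set tells you what tried to run it.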
```kql
AzureDevOpsAuditing
| where TimeGenerated > ago(90d)
| where ActorUPN == "user@example.org"
| where ProjectName == "your-project"
| project TimeGenerated, ActorUPN, ActorDisplayName, OperationName, Details
| sort by TimeGenerated desc
```
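The raw event list above is fine for a single incident, but for a 90-day review it is easier to baseline the actor first and then look at the outliers. The following is an added example, not from the original page: it uses the same table, actor and project, and rolls the events up per operation with first/last seen and the set of source addresses. The `IpAddress` column is part of the AzureDevOpsAuditing schema; the `Security.`, `Policy.` and `Token.` prefixes used to flag sensitive operations are an assumption about the `Area.Action` naming of `OperationName`, so verify them in your tenant with `AzureDevOpsAuditing | distinct OperationName`.

```kql
// Added example: per-operation baseline for one actor in one project.
// Window, IpAddress usage and the sensitive-prefix list are assumptions to verify locally.
let lookback = 90d;
let actor = "user@example.org";
let project = "your-project";
AzureDevOpsAuditing
| where TimeGenerated > ago(lookback)
| where ProjectName == project
| where ActorUPN == actor
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIps = make_set(IpAddress, 20)
    by OperationName
// Permission, branch-policy and token operations are the ones worth a second look.
| extend Sensitive = OperationName startswith "Security."
                  or OperationName startswith "Policy."
                  or OperationName startswith "Token."
| sort by Sensitive desc, LastSeen desc
```

An operation with `Count == 1` and `FirstSeen == LastSeen` near the end of the window, or a `SourceIps` set that suddenly gains an address the user never used before, is the kind of row to pivot back into the detailed query above.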