Initially, the queries and Analytics Rules in this repository were related to the Azure Attack Paths blog post. Over time, I also add new Analytics Rules that are related to other blog posts of mine.
All queries are ready to be used in Microsoft Sentinel.
- Azure VM Run Command or Custom Script execution
- Changes to Azure Lighthouse delegation
- Grant high privilege Azure AD role to identity
- Grant high privilege Microsoft Graph permissions
- Azure VM Run Command or Custom Script execution detected
- Dangerous API permission consented
- High Privileged Role assigned
- A new Lighthouse service provider was added
- Owner added to high privileged application
- Password reset on high privileged user
- Secret added to high privileged application
Some external data sources need additional modification or are not available through the externaldata
function directly. In that case I will add them here.
Source | Description | Modification | Reason |
---|---|---|---|
https://mask-api.icloud.com/egress-ip-ranges.csv | Current list of all IP addresses of the iCloud Private Relay service. https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/ | Added column to distinguish between IPv4 and IPv6 | externaldata cannot fetch the CSV from Apple servers |
https://www.gstatic.com/g1vpn/geofeed | Current list of all IP addresses of the Google One VPN service. https://one.google.com/about/vpn/howitworks | Added column to distinguish between IPv4 and IPv6 | externaldata cannot fetch the CSV from Google servers |
https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes | Microsoft file system driver allocated filter altitudes | Converted from Markdown to CSV | |
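The added IPv4/IPv6 column matters because KQL's CIDR lookup plugins are version-specific. The following is an added example (not one of the repository's own rules) that consumes the modified Private Relay CSV to flag risky sign-ins from its egress ranges; the `<RAW_CSV_URL>` placeholder and the column names `ip_prefix`, `country`, `region`, `city`, `ip_version` are assumptions.

```kusto
// Added example; not part of the repository's own queries.
// Assumptions (placeholders, not real values): the modified CSV is published at <RAW_CSV_URL>,
// has no header row, and its columns are ip_prefix, country, region, city plus the added
// ip_version column holding "IPv4" or "IPv6".
let PrivateRelayRanges = externaldata(ip_prefix: string, country: string, region: string, city: string, ip_version: string)
    [@"<RAW_CSV_URL>/egress-ip-ranges.csv"]
    with (format="csv");
let Ipv4Ranges = PrivateRelayRanges | where ip_version == "IPv4" | project ip_prefix;
let Ipv6Ranges = PrivateRelayRanges | where ip_version == "IPv6" | project ip_prefix;
// Candidate events: sign-ins that Identity Protection flagged as coming from an anonymized IP address.
let AnonSignins = SigninLogs
    | where TimeGenerated > ago(1d)
    | where RiskEventTypes has "anonymizedIPAddress"
    | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType;
// IPv4 matches: ipv4_lookup performs the CIDR range match, which is why the
// lookup table must contain IPv4 prefixes only.
let Ipv4Hits = AnonSignins
    | where IPAddress !contains ":"
    | evaluate ipv4_lookup(Ipv4Ranges, IPAddress, ip_prefix);
// IPv6 matches: compare each address against every IPv6 prefix with ipv6_is_match
// (a cross join is acceptable here because the range list is small).
let Ipv6Hits = AnonSignins
    | where IPAddress contains ":"
    | extend k = 1
    | join kind=inner (Ipv6Ranges | extend k = 1) on k
    | where ipv6_is_match(IPAddress, ip_prefix)
    | project-away k, k1;
union Ipv4Hits, Ipv6Hits
| extend Reason = "Sign-in from Apple iCloud Private Relay egress range"
| project TimeGenerated, UserPrincipalName, IPAddress, ip_prefix, AppDisplayName, ResultType, Reason
```

Matches here are the sign-ins an analyst can treat as expected Private Relay traffic rather than a true anonymizer, which is the same triage decision the AutoCloseAppleiCloudPrivateRelayIncidents Logic App below automates.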
Alongside some of my blog posts I release Logic Apps related to Microsoft Sentinel. Those
Filename | Blogpost |
---|---|
SyncDfCAlertsWithSentinelIncidents-SMI.arm.json | Sync Defender for Cloud Alerts with Sentinel Incidents |
SyncDfCAlertsWithSentinelIncidents-UMI.arm.json | Sync Defender for Cloud Alerts with Sentinel Incidents |
AutoCloseAppleiCloudPrivateRelayIncidents.arm.json | Anonymous IP address involving Apple iCloud Private Relay |
Template.arm.json | Empty Logic App template containing all things required for a Sentinel Incident Playbook |