
azure/azure-sentinel

5,839 · Python · Audience: ops, devops · Complexity: 4/5 · Setup: hard

TLDR

A community library of hundreds of ready-made security detection rules, hunting queries, visual dashboards, and automated response workflows for Microsoft Sentinel and Microsoft 365 Defender, organized by data source and threat type.

Mindmap

mindmap
  root((azure-sentinel))
    Content Types
      Detection rules
      Hunting queries
      Workbooks
      Playbooks
    Tech
      KQL queries
      YAML structure
    Use Cases
      Threat detection
      Security dashboards
      Automated response
    Community
      Open contributions
      Automated validation


Things people build with this

USE CASE 1

Import pre-built detection rules into Microsoft Sentinel to automatically flag suspicious activity without writing queries from scratch.

USE CASE 2

Run hunting queries to manually investigate a potential threat across your organization's log data.

USE CASE 3

Set up automated response playbooks that trigger when a security alert fires to contain threats faster.

USE CASE 4

Contribute custom detection rules or improvements to the community library via pull request.

Tech stack

Python · KQL · YAML

Getting it running

Difficulty · hard Time to first run · 1h+

Requires a Log Analytics workspace with Microsoft Sentinel enabled, the data connectors a given rule depends on already ingesting, and familiarity with KQL to customize or author rules.

In plain English

This repository is a community content library for Microsoft Sentinel and Microsoft 365 Defender, two security products from Microsoft. Microsoft Sentinel is a cloud-based SIEM (Security Information and Event Management): a system that collects log data from across an organization's computing environment and looks for patterns that might indicate an attack or breach. This repository holds ready-made content that helps teams get started with that product.

The content includes detection rules (analytics rules in Sentinel's own terminology: scheduled queries that flag suspicious activity automatically and raise alerts), hunting queries (queries security analysts run by hand when investigating a threat), workbooks (visual dashboards for security data), and playbooks (automated response workflows, built on Azure Logic Apps, that trigger when an alert fires). There are hundreds of items across dozens of categories, organized by data source and threat type.

The queries are written in KQL, short for Kusto Query Language, the query language of Azure Data Explorer and Azure Monitor Log Analytics, where Sentinel stores its logs. Each detection rule is a YAML file that carries metadata (an id, name, severity, the data connectors it needs, how often it runs and how far back it looks, MITRE ATT&CK tactics, and which query columns map to entities such as accounts and IP addresses) alongside the KQL query itself. Teams can import these files directly into their Sentinel workspace, use them as starting points, or adapt them to their own environment. A rule only produces results if the tables it queries are actually being ingested, so check its required data connectors against the ones enabled in the workspace, and expect to tune thresholds and exclusions before treating its alerts as actionable.

The repository is run by Microsoft but open to community contributions. Anyone can submit new detection rules or improvements to existing ones by creating a pull request. When a pull request is submitted, automated checks validate that the YAML structure is correct and that the KQL syntax is valid before a human reviewer looks at it.

For non-technical stakeholders: if your organization uses Microsoft Sentinel and someone mentions pulling content from this repository, it means they are adding pre-built security rules and dashboards from the official Microsoft community library rather than writing everything from scratch.
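To make the rule format and the structural checks concrete, here is an added example (not code from the Azure-Sentinel repository). GOOD_RULE is a constructed scheduled rule, written as the Python dict that yaml.safe_load would return for one of the repo's Detections/*.yaml files; the field names (id, severity, requiredDataConnectors, queryFrequency, queryPeriod, entityMappings, and so on) are the ones the repo's rule files use, while the rule id, name, KQL query, and the check_rule, duration_minutes and tables_used helpers are assumptions made for this illustration and approximate, rather than reproduce, the repo's own validation. BAD_RULE is the same rule with four mistakes a reviewer would reject.

```python
"""Structural checks for a Microsoft Sentinel scheduled analytics rule.

Added example, not code from the Azure-Sentinel repository. GOOD_RULE is a
constructed sample shaped like the dict yaml.safe_load returns for a rule
file; check_rule() is an assumed approximation of PR-time validation.
"""
import copy
import re

ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")
# Heuristic: a table is the identifier that opens a query line, follows
# `union`, or opens the inner expression of `join ... (`.
TABLE_REF = re.compile(
    r"(?:^[ \t]*|\bunion\s+|\bjoin\b[^(]*\(\s*)([A-Z][A-Za-z0-9_]*)\b", re.M)
REQUIRED_KEYS = {"id", "name", "description", "severity", "requiredDataConnectors",
                 "queryFrequency", "queryPeriod", "triggerOperator", "triggerThreshold",
                 "tactics", "query", "entityMappings", "version", "kind"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TRIGGER_OPERATORS = {"gt", "lt", "eq", "ne"}
TACTICS = {"Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
           "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
           "Discovery", "LateralMovement", "Collection", "CommandAndControl",
           "Exfiltration", "Impact"}
MAX_MINUTES = 14 * 1440  # Sentinel caps frequency and lookback period at 14 days

GOOD_RULE = {  # constructed sample; the id is a placeholder GUID
    "id": "00000000-0000-4000-8000-000000000001",
    "name": "Brute-force sign-in followed by success (sample)",
    "description": "Many failed sign-ins from one IP to one account, then a success.",
    "severity": "Medium",
    "requiredDataConnectors": [
        {"connectorId": "AzureActiveDirectory", "dataTypes": ["SigninLogs"]}],
    "queryFrequency": "PT1H",   # run hourly ...
    "queryPeriod": "PT6H",      # ... over the last six hours of data
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "tactics": ["CredentialAccess"],
    "relevantTechniques": ["T1110"],
    "query": """\
let failureThreshold = 20;
SigninLogs
| where ResultType != "0"
| summarize FailedCount = count(), LastFailure = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedCount >= failureThreshold
| join kind=inner (
    SigninLogs
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated
) on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
""",
    "entityMappings": [
        {"entityType": "Account",
         "fieldMappings": [{"identifier": "FullName", "columnName": "UserPrincipalName"}]},
        {"entityType": "IP",
         "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]},
    ],
    "version": "1.0.0",
    "kind": "Scheduled",
}

# Same rule with four defects: bad severity, lookback shorter than the run
# interval, a connector that does not provide the table read, and an entity
# mapped to a column the query never mentions.
BAD_RULE = copy.deepcopy(GOOD_RULE)
BAD_RULE.update({"severity": "Critical", "queryPeriod": "PT30M"})
BAD_RULE["requiredDataConnectors"][0]["dataTypes"] = ["AuditLogs"]
BAD_RULE["entityMappings"][0]["fieldMappings"][0]["columnName"] = "UserName"


def duration_minutes(value):
    """Parse the ISO 8601 duration subset rules use (P1D, PT1H, PT30M)."""
    m = ISO_DURATION.match(value or "")
    if not m or not any(m.groups()):
        return None
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes


def tables_used(query):
    return set(TABLE_REF.findall(query))


def check_rule(rule):
    """Return a list of human-readable findings; empty means the rule passes."""
    findings = []
    missing = sorted(REQUIRED_KEYS - rule.keys())
    if missing:
        findings.append(f"missing keys: {', '.join(missing)}")
    if rule.get("kind") != "Scheduled":
        findings.append("kind must be Scheduled for a rule with queryFrequency/queryPeriod")
    if rule.get("severity") not in SEVERITIES:
        findings.append(f"severity {rule.get('severity')!r} not in {sorted(SEVERITIES)}")
    if rule.get("triggerOperator") not in TRIGGER_OPERATORS:
        findings.append(f"triggerOperator must be one of {sorted(TRIGGER_OPERATORS)}")
    unknown = sorted(set(rule.get("tactics", [])) - TACTICS)
    if unknown:
        findings.append(f"unknown tactics: {', '.join(unknown)}")
    freq, period = (duration_minutes(rule.get(k)) for k in ("queryFrequency", "queryPeriod"))
    if freq is None or period is None:
        findings.append("queryFrequency/queryPeriod must be ISO 8601 durations such as PT1H")
    else:
        if not 5 <= freq <= MAX_MINUTES:
            findings.append("queryFrequency must be between 5 minutes and 14 days")
        if period > MAX_MINUTES:
            findings.append("queryPeriod may not exceed 14 days")
        if period < freq:
            findings.append(f"queryPeriod {rule['queryPeriod']} is shorter than queryFrequency "
                            f"{rule['queryFrequency']}; events between runs would never be seen")
    query = rule.get("query", "")
    provided = {t for c in rule.get("requiredDataConnectors", []) for t in c.get("dataTypes", [])}
    for table in sorted(tables_used(query) - provided):
        findings.append(f"query reads {table} but no requiredDataConnectors entry lists it")
    for mapping in rule.get("entityMappings", []):
        for fm in mapping.get("fieldMappings", []):
            col = fm.get("columnName", "")
            if not col or not re.search(rf"\b{re.escape(col)}\b", query):
                findings.append(f"entity {mapping.get('entityType')} maps column {col!r}, "
                                f"which does not appear in the query")
    return findings


if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(f"{label}: {check_rule(rule) or ['no findings']}")
```

The period-versus-frequency check is the one that bites in practice: a rule that runs every hour but only looks back thirty minutes silently skips half of every hour, and nothing in the portal warns you. The table check is a rough heuristic over the KQL text, which is why the page's note that the repo also validates KQL syntax matters; a real pipeline parses the query rather than pattern-matching it.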

Copy-paste prompts

Prompt 1
I'm setting up Microsoft Sentinel for my organization. How do I import detection rules from the azure-sentinel GitHub repository into my Sentinel workspace?
Prompt 2
I need to write a KQL hunting query to find suspicious login patterns in Microsoft Sentinel. Walk me through the KQL syntax and give me a starting template.
Prompt 3
How do I adapt an existing Azure Sentinel detection rule YAML file to match my organization's specific log source and field names?
Prompt 4
We want a Sentinel playbook that automatically disables a user account when a brute-force alert fires. Help me set that up using the playbook templates in this repository.


Verify against the repo before relying on details.