cloudflare/Azure-Sentinel

Public

mirrored fromhttps://github.com/cloudflare/Azure-Sentinel

Watch0 Fork0 Star0

Code Commits Issues Pull requests Actions Insights Security

84542793ff7980cc6e7e0b1a0cc691410bd17cc5

Find a branch or tag

Branches

84542793ff7980cc6e7e0b1a0cc691410bd17cc5

Clone

HTTPS

Download ZIP

Name	Last committed	Last updated
Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.8454279 7 years ago
.github	Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.	7 years ago
Dashboards	Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.	7 years ago
Detections	Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.	7 years ago
docs	Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.	7 years ago
Exploration Queries	Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.	7 years ago
Functions	Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs.	7 years ago
Hunting Queries	Merge pull request #138 from Azure/deploy_hunting_queries	7 years ago
Notebooks	Removed wording	7 years ago
Parsers	Create Readme	7 years ago
Playbooks	Update ReadMe.md	7 years ago

About

No description, website, or topics provided.

No topics configured for this repository.

No releases published yet.

No packages published yet.

Edit repository details

Custom properties

No custom properties are defined for this repository.

Activity

Replaced 'Domain' with 'Computer' in the join because domain will be 'Builtin' for the group and host/domain for the user, preventing a match. Also replaced 'CreatedUser' with 'CreatedUserSid' because the group add entry may not reliably include the name of the user added to the group (SID is also a more reliable identifier in general). Lasltly, removed 'where CreatedUserTime < GroupAddTime' because I'm not sure any other case is possible without manually rigging the logs. (7 years ago)

Languages

No language metadata available.

cloudflare/Azure-Sentinel

Branches

Tags

Clone