AzSentinelQueries

Repository with Sentinel Analytics Rules and Hunting Queries

Microsoft Sentinel hunting queries and Analytics rules

Azure Attack Paths

Initially, the queries and Analytics Rules in this repository were related to the Azure Attack Paths blog post. Over time, I also add new Analytics Rules related to other blog posts of mine.

All queries are ready to be used in Microsoft Sentinel.

HuntingQueries

  1. Azure VM Run Command or Custom Script execution
  2. Changes to Azure Lighthouse delegation
  3. Grant high privilege Azure AD role to identity
  4. Grant high privilege Microsoft Graph permissions

AnalyticsRules

  • Azure VM Run Command or Custom Script execution detected
  • Dangerous API permission consented
  • High Privileged Role assigned
  • A new Lighthouse service provider was added
  • Owner added to high privileged application
  • Password reset on high privileged user
  • Secret added to high privileged application