Home
Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Azure Sentinel provides a platform where different data sources come together. Contributions such as hunting, detection, and investigation queries, automated workflows, visualizations, and much more can be built on one or many of these data sources. These contributions enable relevant security insights for automated hunting, alerting, incident tracking, investigation, and response experiences in Azure Sentinel.
The Azure Sentinel Community provides a forum for community members (Threat Hunters) to submit these contributions as GitHub Pull Requests, or contribution ideas as GitHub Issues. A contribution can be based on your own idea of the value it provides to an enterprise, can address an item from the GitHub open issues list, or can enhance an existing contribution. Refer to the Get Started section to start flowing in your submissions!
You can contribute any of the following to enhance Azure Sentinel end-to-end customer experiences. Mash up multiple Azure Sentinel data sources for enriched experiences.
The table in this section outlines the following information for each contribution type to get started.
- Value the specific contribution provides in Azure Sentinel
- Link to relevant product feature documentation that details the experience the contribution will enable
- Link to contribution guidance to help get you started on building out your contribution
- Additional resources to assist you in developing and validating your contributions
Contribution | Enables… | Get Started Links | Additional Resources |
---|---|---|---|
Playbook | setting up automated procedures while responding to threats | Product Documentation, Contribution Guidance | Create Azure Logic Apps playbooks |
Workbook | data insights and monitoring with visualizations | Product Documentation, Contribution Guidance | Create Azure Monitor Workbooks |
Hunting | quick start security threat hunting capabilities with queries | Product Documentation, Contribution Guidance | Query style guide, Tips ‘n tricks, Kusto Query Language (KQL) |
Notebook | advanced hunting capabilities using Jupyter / Azure Notebooks | Product Documentation, Contribution Guidance | Create Azure Notebooks, Jupyter Notebooks, Jupyter NbViewer, IPython guidance, MSTICPY tools |
Analytic Rule Template | customized alert generation and automated incident creation with queries | Product Documentation, Contribution Guidance | Query style guide, Tips ‘n tricks, Kusto Query Language (KQL) |
Investigation Graph | full investigation scope discoverability with queries | Product Documentation, Contribution Guidance | Query style guide, Tips ‘n tricks, Kusto Query Language (KQL) |
Data Connectors | collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds | Product Documentation, Contribution Guidance | Common Event Format (CEF) based connections |
Functionally validate that your contribution works by trying it out in Azure Sentinel. The respective product documentation linked above explains how each kind of contribution is consumed in Azure Sentinel. In addition, when you submit a Pull Request, automatic GitHub validations using Azure Pipelines are enabled on this repository to perform basic syntactical checks of the contribution. Follow the test guidance to add any additional tests needed to validate specific scenarios for your contribution.
After you have developed and tested your contribution and confirmed it works as expected, follow the general contribution guidelines for Azure Sentinel to open a Pull Request. We will review your submission within 7 days before merging your PR.
We are announcing a special program for our Threat Hunters community, featuring:
- Rewards from $250 up to $1000 for a variety of contributions. The first submission that meets the requirements gets the reward. Rewards are subject to Microsoft terms and conditions.
- We will periodically publish a wish list of contributions (wish list) with requirements, with an associated Reward for each item ranging from $250 to $1000.
- Each item on the wish list will be a GitHub Issue on the Azure Sentinel GitHub repository, labelled "Reward Wish List Item" with the associated Reward amount for that contribution, for example, "Reward:$500".
- Follow these steps to start your contributions:
  - Choose any item from the wish list
  - Develop and test the contribution per the requirements specified for that item
  - Submit the contribution per the Azure Sentinel contribution guidelines as a GitHub Pull Request
  - Remember to associate the GitHub Issue with the GitHub Pull Request of the submission to be eligible for Rewards
- To give you visibility into the status of specific wish list items, we will label them as follows. You can subscribe to specific issues to be notified of changes to these wish list items.
  - "Reward:Submissions Received" to indicate that the wish list item has at least one submission received
  - "Reward:Review in Progress" to indicate we are reviewing submissions
  - "Reward:Wish List Item Delivered" to indicate the first eligible contribution has been identified and the item is removed from the wish list
- Feel free to contribute your idea to the wish list by filing a GitHub Issue using the Feature Request template
- Recognition of top community contributors on GitHub, in blog posts, and in Tweets.
We value your feedback. Here are some channels to help surface your questions or feedback:
- General product-specific Q&A – Join the Azure Sentinel Tech Community conversations
- Product-specific feature requests – Upvote or post new requests on Azure Sentinel UserVoice
- Product-specific bugs – File an Azure Sentinel support ticket
- Content you'd like to see in this repo, or bugs in this repo's content or contributions – File a GitHub Issue using the Bug template
- General feedback on the community, content, and contribution process – File a GitHub Issue using the Feature Request template
We can connect on these Social Media channels as well: