Azure Defend#
Threat-hunting and detection tooling for Azure environments. Sentinel sits at the SIEM and SOAR layer, Defender for Cloud carries the runtime workload protection, and the Kusto Query Language ties the queries the operator writes against either. The hunt-query repository on GitHub is where Microsoft and the community publish the day-zero detections the operator should mine during an incident.
Resources#
Sentinel hunting queries at Azure/Azure-Sentinel, the working detection library the operator clones first.
Defender for Cloud advanced hunting at https://learn.microsoft.com/azure/defender-for-cloud/, workload-level posture management on top of the SIEM.
Uncoder.IO at https://uncoder.io/, translates queries across Sigma, Sentinel KQL, Elastic, Splunk, ATP, and the rest of the SIEM dialect catalogue.
References#
Azure CLI for the operator’s CLI surface.
Azure Exploit for the matching offensive view.