Rule Sample

Log Analytics:

Logs

Rules

Analytics

OfficeActivity
| where ingestion_time() > ago(5m)
| where tolower(OfficeWorkload) matches regex "onedrive|sharepoint" and tolower(Operation) matches regex "filesyncdownload|filedownload" and UserId != "app@sharepoint"
| summarize initial_time = min(TimeGenerated), end_time = max(datetime_add("Second",1,TimeGenerated)), operation=make_set(Operation,5), workload=make_set(OfficeWorkload,5), file_name=make_set(SourceFileName,5), file_count=dcount(OfficeId) by bin(TimeGenerated,5m),UserId, ClientIP
| project-rename src_ip=ClientIP, src_user=UserId
| where file_count>500

Microsoft

Ingestion Lag

Rule Sample

Union Alert

Splunk to Sentinel Logic

Microsoft Security

Ignore when another rule matches

Qradar expiring whitelist

Qradar global whitelist

Reference Maps

Splunk Use Case tracker

Splunk total run time

Splunk Drill Down Events

Splunk Results Token

LogRhythm Or/And Previous

Cybersecurity Mesh Architecture

NTLM Brute Force

Databricks Training

Jira Story Prompts

Rule Sample

Log Analytics:

Rules