
Commit

Update
Bert-JanP committed May 28, 2024
1 parent 9981f17 commit e027816
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Graph API/AzureHound.md
Expand Up @@ -35,7 +35,7 @@ MicrosoftGraphActivityLogs
| extend GraphAPIResource = tostring(split(GraphAPIPath, "/")[2])
| where GraphAPIResource in (ReconResources)
| extend ObjectId = coalesce(UserId, ServicePrincipalId)
// Filer whitelist
// Filter whitelist
| where not(ObjectId in (WhitelistedObjects))
| summarize TotalResponseSize = sum(ResponseSizeBytes), UniqueRequests = dcount(RequestId), Requests = make_set(RequestUri, 1000), Paths = make_set(GraphAPIPath), Resources = make_set(GraphAPIResource), UniqueResourceCount = dcount(GraphAPIResource) by UserId, bin(TimeGenerated, 1h), UserAgent, ObjectId
| where UniqueRequests >= UniqueRequestThreshold and TotalResponseSize >= TotalResponseSizeTHreshold and UniqueResourceCount >= ResourceThreshold
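Review bot: the unchanged context line `| where UniqueRequests >= UniqueRequestThreshold and TotalResponseSize >= TotalResponseSizeTHreshold and UniqueResourceCount >= ResourceThreshold` carries a stray capital in `TotalResponseSizeTHreshold`; Kusto identifiers are case-sensitive, so this only resolves if the `let` declaration spells it the same way, and it is worth normalising to `TotalResponseSizeThreshold` in the same pass as this comment fix. On the same hunk, `summarize ... by UserId, bin(TimeGenerated, 1h), UserAgent, ObjectId` groups by both `UserId` and `ObjectId` although `ObjectId` is already `coalesce(UserId, ServicePrincipalId)`, so `UserId` in the group-by key is redundant and could be dropped.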
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -33,6 +33,8 @@ More detailed KQL information can be found on my blog page: https://kqlquery.com
- [Detecting Post-Exploitation Behaviour](https://kqlquery.com/posts/detecting-post-exploitation-behaviour/)
- [Investigating Microsoft Graph Activity Logs](https://kqlquery.com/posts/graphactivitylogs/)

For Sentinel Automations see the Repository [Sentinel-Automation](https://github.com/Bert-JanP/Sentinel-Automation).

# KQL Categories

The queries in this repository are split into different categories. The MITRE ATT&CK category contains a list of queries mapped to the tactics of the MITRE Framework. The product section contains queries specific to Microsoft security products. The Processes section contains several queries that can be used in common cyber processes to make things easier for security analysts. In addition, there is a special category for Zero Day detections. Lastly, there is an informational section that explains the use of KQL using examples.
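Review bot: the added line `For Sentinel Automations see the Repository [Sentinel-Automation](https://github.com/Bert-JanP/Sentinel-Automation).` should use lower-case `repository` and a comma after `Automations`; since the two bullets above it already form a list of related resources, adding the pointer as a matching bullet (or under a short heading of its own) would keep that section consistent instead of leaving a stray sentence directly before `# KQL Categories`.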

0 comments on commit e027816