This resource collection provides best practices for generating insights from the signals contained in event data (bringing in log data, actionable intelligence, Analytics Rules, Hunting Rules, guided hunting experiences, and ML analysis) in order to create detections out of semi-structured data.
Analysis of raw operational data in which signs of malicious activity may be present is critical to the success of security teams. Microsoft Sentinel is a cloud-native, automatically scaling security information and event management (SIEM) solution. Bringing unprocessed data into Microsoft Sentinel lets you use its Hunting experiences and detection automation capabilities (both query-based and ML-based) to identify new threats and to automate continuous detection of already identified threats evidenced in the data you supply.
Examples of this class of data are Syslog, CEF over Syslog, application logs, firewall logs, authentication logs, access logs, among others.
In this collection, you'll find a reference solution architecture, a fully working, cloud-ready GitHub Developer CLI to get you started, and some materials to help you understand how Microsoft Sentinel helps you create detections.