- If you're setting up a SIEM, you have to know event IDs
- Splunk and Sentinel are super expensive
- [SIEM Framework](../../../../📁%2098%20-%20ARCHIVE/GradSchoolProjects/SIEM%20Framework/SIEM%20Framework.md)
- More analytics rules
- [Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules at master · Azure/Azure-Sentinel](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules)
- [Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml at master · Azure/Azure-Sentinel](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SigninPasswordSpray.yaml)
- Sysmon gives far richer telemetry than Windows' built-in event logging