From e2477233d1f56afb38234fa2a795023d91d273d4 Mon Sep 17 00:00:00 2001
From: Mohammed Abdullah <168697713+Dodgeqtr@users.noreply.github.com>
Date: Thu, 30 Jan 2025 16:05:22 +0300
Subject: [PATCH] Restore deleted built-in query in Microsoft Sentinel

---
 .devcontainer/devcontainer.json | 6 ++++++
 ...ng credentials to legitimate OAuth Applications.kql | 5 +++++
 README.md | 10 ++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 .devcontainer/devcontainer.json
 create mode 100644 Azure Services/Azure Active Directory Logs/Queries/Security/Adding credentials to legitimate OAuth Applications.kql

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 00000000..30d11aac
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,6 @@
+{
+ "tasks": {
+ "build": "echo \"No build process is defined for this repository.\"",
+ "test": "echo \"No tests available for this repository.\""
+ }
+}
\ No newline at end of file
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Security/Adding credentials to legitimate OAuth Applications.kql b/Azure Services/Azure Active Directory Logs/Queries/Security/Adding credentials to legitimate OAuth Applications.kql
new file mode 100644
index 00000000..69c059bd
--- /dev/null
+++ b/Azure Services/Azure Active Directory Logs/Queries/Security/Adding credentials to legitimate OAuth Applications.kql
@@ -0,0 +1,5 @@
+SecurityEvent
+| where EventID == 4720 or EventID == 4732 or EventID == 4740
+| where TargetUserName has "OAuth"
+| summarize count() by TargetUserName, EventID, EventTime
+| project TargetUserName, EventID, EventTime
diff --git a/README.md b/README.md
index 87b3a720..7c9425c9 100644
--- a/README.md
+++ b/README.md
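Review bot: The new `.devcontainer/devcontainer.json` is unrelated to the commit subject (restoring a deleted Sentinel query) and should be dropped or split into its own commit. As far as I know `tasks` is not a property of the dev container specification, and the two entries only echo placeholder strings, so the file adds nothing an editor or Codespace would act on; if it is intended for a specific tool, naming that tool in the PR description would justify keeping it. The file also ends without a trailing newline (`\ No newline at end of file`).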
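Review bot: The restored KQL does not implement the detection its filename names, and it will probably not run: `SecurityEvent` holds Windows Security log events, and 4720 (user account created), 4732 (member added to a security-enabled local group) and 4740 (account locked out) have nothing to do with credentials being added to OAuth applications, while `TargetUserName has "OAuth"` only matches account names that happen to contain that string. `EventTime` is not a `SecurityEvent` column as far as I know (the timestamp is `TimeGenerated`), so the `summarize` and `project` lines should fail at query time, and the `project` line also discards the `count_` column that `summarize count()` produced. The built-in Sentinel query of this name is, as I recall, built on the `AuditLogs` table filtered to the `Update application – Certificates and secrets management` operation on the application or service principal resource; the file should carry that query, copied from the upstream Sentinel content, rather than a new one authored from Windows event IDs. A header comment stating where the restored text came from, e.g. `// Adding credentials to legitimate OAuth Applications — restored from the Microsoft Sentinel Azure Active Directory solution content`, would let reviewers verify the restore against the source.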
@@ -57,3 +57,13 @@ Use [Issues](https://github.com/microsoft/AzureMonitorCommunity/issues) to call ## Redistribution Upon redistribution of this repo, please be respectful of the readers and authors of this documentation, and include a link to the [original repo master branch](https://github.com/microsoft/AzureMonitorCommunity). + +## Restoring Deleted Built-in Queries in Microsoft Sentinel + +If you have accidentally deleted a built-in query in Microsoft Sentinel, you can restore it by following these steps: + +1. Navigate to the Content Hub in Microsoft Sentinel. +2. Search for the solution pack that contains the deleted query. +3. Reinstall the solution pack to restore the deleted query. + +By following these steps, you can restore the deleted built-in query 'Adding credentials to legitimate OAuth Applications' and any other queries that may have been accidentally deleted.