microsoft · Dodgeqtr · Jan 30, 2025
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,6 @@
+{
+  "tasks": {
+    "build": "echo \"No build process is defined for this repository.\"",
+    "test": "echo \"No tests available for this repository.\""
+  }
+}
diff --git a/...e Directory Logs/Queries/Security/Adding credentials to legitimate OAuth Applications.kql b/...e Directory Logs/Queries/Security/Adding credentials to legitimate OAuth Applications.kql
@@ -0,0 +1,5 @@
+SecurityEvent
+| where EventID == 4720 or EventID == 4732 or EventID == 4740
+| where TargetUserName has "OAuth"
+| summarize count() by TargetUserName, EventID, EventTime
+| project TargetUserName, EventID, EventTime
diff --git a/README.md b/README.md
@@ -57,3 +57,13 @@ Use [Issues](https://github.com/microsoft/AzureMonitorCommunity/issues) to call
 
 ## Redistribution
 Upon redistribution of this repo, please be respectful of the readers and authors of this documentation, and include a link to the [original repo master branch](https://github.com/microsoft/AzureMonitorCommunity).
+
+## Restoring Deleted Built-in Queries in Microsoft Sentinel
+
+If you have accidentally deleted a built-in query in Microsoft Sentinel, you can restore it by following these steps:
+
+1. Navigate to the Content Hub in Microsoft Sentinel.
+2. Search for the solution pack that contains the deleted query.
+3. Reinstall the solution pack to restore the deleted query.
+
+By following these steps, you can restore the deleted built-in query 'Adding credentials to legitimate OAuth Applications' and any other queries that may have been accidentally deleted.