Merge pull request #9231 from Azure/v-rbajaj/PIMElevationRequestRejected

Update PIMElevationRequestRejected.yaml
Azure · Oct 19, 2023 · 2748130 · 2748130
2 parents f2663f1 + 055add3
commit 2748130
Show file tree

Hide file tree

Showing 6 changed files with 8,954 additions and 9,370 deletions.
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml b/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
@@ -21,7 +21,7 @@ tags:
   - AADSecOpsGuide
 query: |
   AuditLogs
-  | where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ "failure") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'
+  | where ActivityDisplayName =~'Add member to role request denied (PIM activation)'
   | mv-apply ResourceItem = TargetResources on 
     (
         where ResourceItem.type =~ "Role"
@@ -54,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: InitiatingIpAddress
-version: 1.0.6
+version: 1.0.7
 kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Data/system_generated_metadata.json b/Solutions/Azure Active Directory/Data/system_generated_metadata.json
@@ -7,7 +7,7 @@
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true,
-  "Version": "3.0.4",
+  "Version": "3.0.5",
   "publisherId": "azuresentinel",
   "offerId": "azure-sentinel-solution-azureactivedirectory",
   "providers": [
@@ -41,5 +41,5 @@
     "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
   ],
   "Workbooks": "[\n  \"AzureActiveDirectoryAuditLogs.json\",\n  \"AzureActiveDirectorySignins.json\"\n]",
-  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\"\n]"
+  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\",\n  \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]"
 }
diff --git a/Solutions/Azure Active Directory/Package/3.0.5.zip b/Solutions/Azure Active Directory/Package/3.0.5.zip
diff --git a/Solutions/Azure Active Directory/Package/createUiDefinition.json b/Solutions/Azure Active Directory/Package/createUiDefinition.json
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",
@@ -1034,4 +1010,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-}
+}