Merge branch 'v-rbajaj/azureactivedirectory' of https://github.com/Az…

…ure/Azure-Sentinel into v-rbajaj/azureactivedirectory

Solutions/Azure Active Directory/Data/system_generated_metadata.json

@@ -0,0 +1,45 @@
+{
+  "Name": "Azure Active Directory",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">",
+  "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": true,
+  "Version": "3.0.3",
+  "publisherId": "azuresentinel",
+  "offerId": "azure-sentinel-solution-azureactivedirectory",
+  "providers": [
+    "Microsoft"
+  ],
+  "categories": {
+    "domains": [
+      "Identity",
+      "Security - Automation (SOAR)"
+    ]
+  },
+  "firstPublishDate": "2022-05-16",
+  "support": {
+    "tier": "Microsoft",
+    "name": "Microsoft Corporation",
+    "email": "support@microsoft.com",
+    "link": "https://support.microsoft.com/"
+  },
+  "Data Connectors": "[\n  \"template_AzureActiveDirectory.json\"\n]",
+  "Playbooks": [
+    "Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
+    "Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
+    "Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
+    "Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
+    "Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
+    "Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
+    "Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
+    "Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
+    "Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
+    "Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json",
+    "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
+  ],
+  "Workbooks": "[\n  \"AzureActiveDirectoryAuditLogs.json\",\n  \"AzureActiveDirectorySignins.json\"\n]",
+  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\"\n]"
+}

Solutions/Azure Active Directory/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",
@@ -104,39 +80,27 @@
           {
             "name": "workbook1",
             "type": "Microsoft.Common.Section",
-            "label": [
-              "Azure AD Audit logs",
-              "Azure AD Audit logs"
-            ],
+            "label": "Azure AD Audit logs",
             "elements": [
               {
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": [
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
-                  ]
+                  "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
                 }
               }
             ]
           },
           {
             "name": "workbook2",
             "type": "Microsoft.Common.Section",
-            "label": [
-              "Azure AD Sign-in logs",
-              "Azure AD Sign-in logs"
-            ],
+            "label": "Azure AD Sign-in logs",
             "elements": [
               {
                 "name": "workbook2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": [
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures."
-                  ]
+                  "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures."
                 }
               }
             ]
@@ -878,7 +842,7 @@
                 "name": "analytic51-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account. This query has also been updated to include UEBA \nlogs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+                  "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
                 }
               }
             ]