Merge pull request #9050 from Azure/v-rbajaj/azureactivedirectory

Issue Fix #8951 - Update PIMElevationRequestRejected.yaml
Azure · Sep 22, 2023 · f832c10 · f832c10
2 parents a223178 + f44cd5f
commit f832c10
Show file tree

Hide file tree

Showing 7 changed files with 9,050 additions and 9,434 deletions.
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml b/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
@@ -21,8 +21,7 @@ tags:
   - AADSecOpsGuide
 query: |
   AuditLogs
-  | where ActivityDisplayName =~'Add member to role completed (PIM activation)'
-  | where Result =~ "failure"
+  | where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ "failure") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'
   | mv-apply ResourceItem = TargetResources on 
     (
         where ResourceItem.type =~ "Role"
@@ -55,5 +54,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: InitiatingIpAddress
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Data/Solution_AAD.json b/Solutions/Azure Active Directory/Data/Solution_AAD.json
@@ -85,7 +85,7 @@
 		"Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
 	],
 	"BasePath": "C:\\GitHub\\Azure-Sentinel",
-	"Version": "3.0.2",
+	"Version": "3.0.3",
 	"Metadata": "SolutionMetadata.json",
 	"TemplateSpec": true,
 	"Is1PConnector": true

diff --git a/Solutions/Azure Active Directory/Data/system_generated_metadata.json b/Solutions/Azure Active Directory/Data/system_generated_metadata.json
@@ -0,0 +1,45 @@
+{
+  "Name": "Azure Active Directory",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">",
+  "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": true,
+  "Version": "3.0.3",
+  "publisherId": "azuresentinel",
+  "offerId": "azure-sentinel-solution-azureactivedirectory",
+  "providers": [
+    "Microsoft"
+  ],
+  "categories": {
+    "domains": [
+      "Identity",
+      "Security - Automation (SOAR)"
+    ]
+  },
+  "firstPublishDate": "2022-05-16",
+  "support": {
+    "tier": "Microsoft",
+    "name": "Microsoft Corporation",
+    "email": "support@microsoft.com",
+    "link": "https://support.microsoft.com/"
+  },
+  "Data Connectors": "[\n  \"template_AzureActiveDirectory.json\"\n]",
+  "Playbooks": [
+    "Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
+    "Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
+    "Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
+    "Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
+    "Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
+    "Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
+    "Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
+    "Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
+    "Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
+    "Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json",
+    "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
+  ],
+  "Workbooks": "[\n  \"AzureActiveDirectoryAuditLogs.json\",\n  \"AzureActiveDirectorySignins.json\"\n]",
+  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\"\n]"
+}
diff --git a/Solutions/Azure Active Directory/Package/3.0.3.zip b/Solutions/Azure Active Directory/Package/3.0.3.zip
diff --git a/Solutions/Azure Active Directory/Package/createUiDefinition.json b/Solutions/Azure Active Directory/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 59, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",
@@ -104,39 +80,27 @@
           {
             "name": "workbook1",
             "type": "Microsoft.Common.Section",
-            "label": [
-              "Azure AD Audit logs",
-              "Azure AD Audit logs"
-            ],
+            "label": "Azure AD Audit logs",
             "elements": [
               {
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": [
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.",
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
-                  ]
+                  "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
                 }
               }
             ]
           },
           {
             "name": "workbook2",
             "type": "Microsoft.Common.Section",
-            "label": [
-              "Azure AD Sign-in logs",
-              "Azure AD Sign-in logs"
-            ],
+            "label": "Azure AD Sign-in logs",
             "elements": [
               {
                 "name": "workbook2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": [
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures.",
-                    "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures."
-                  ]
+                  "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and  IP addresses of your users, as well as failed activities and the errors that triggered the failures."
                 }
               }
             ]
@@ -878,7 +842,7 @@
                 "name": "analytic51-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account. This query has also been updated to include UEBA \nlogs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+                  "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
                 }
               }
             ]