diff --git a/Solutions/Azure Active Directory/Data/Solution_AAD.json b/Solutions/Azure Active Directory/Data/Solution_AAD.json
deleted file mode 100644
index 31dae9f8f86..00000000000
--- a/Solutions/Azure Active Directory/Data/Solution_AAD.json
+++ /dev/null
@@ -1,93 +0,0 @@
-{
- "Name": "Azure Active Directory",
- "Author": "Microsoft - support@microsoft.com",
- "Logo": "",
- "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
- "Data Connectors": [
- "Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.json"
- ],
- "Workbooks": [
- "Solutions/Azure Active Directory/Workbooks/AzureActiveDirectoryAuditLogs.json",
- "Solutions/Azure Active Directory/Workbooks/AzureActiveDirectorySignins.json"
- ],
- "Analytic Rules": [
- "Solutions/Azure Active Directory/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ADFSDomainTrustMods.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/BruteForceCloudPC.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/CredentialAddedAfterAdminConsent.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ExplicitMFADeny.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MFARejectedbyUser.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_ADFSDomainTrustMods.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_PIMElevationRequestRejected.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/RareApplicationConsent.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/UserAssignedPrivilegedRole.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
- "Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml"
- ],
- "Playbooks": [
- "Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json",
- "Solutions/Azure Active Directory/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
- ],
- "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.6",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1PConnector": true
-}
\ No newline at end of file
diff --git a/Solutions/Azure Active Directory/Data/system_generated_metadata.json b/Solutions/Azure Active Directory/Data/system_generated_metadata.json
deleted file mode 100644
index a145fa873ef..00000000000
--- a/Solutions/Azure Active Directory/Data/system_generated_metadata.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "Name": "Azure Active Directory",
- "Author": "Microsoft - support@microsoft.com",
- "Logo": "",
- "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
- "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1PConnector": true,
- "Version": "3.0.5",
- "publisherId": "azuresentinel",
- "offerId": "azure-sentinel-solution-azureactivedirectory",
- "providers": [
- "Microsoft"
- ],
- "categories": {
- "domains": [
- "Identity",
- "Security - Automation (SOAR)"
- ]
- },
- "firstPublishDate": "2022-05-16",
- "support": {
- "tier": "Microsoft",
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "link": "https://support.microsoft.com/"
- },
- "Data Connectors": "[\n \"template_AzureActiveDirectory.json\"\n]",
- "Playbooks": [
- "Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
- "Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
- "Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
- "Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
- "Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
- "Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
- "Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
- "Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
- "Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
- "Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json",
- "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
- ],
- "Workbooks": "[\n \"AzureActiveDirectoryAuditLogs.json\",\n \"AzureActiveDirectorySignins.json\"\n]",
- "Analytic Rules": "[\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n \"ADFSDomainTrustMods.yaml\",\n \"ADFSSignInLogsPasswordSpray.yaml\",\n \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n \"AzureAADPowerShellAnomaly.yaml\",\n \"AzureADRoleManagementPermissionGrant.yaml\",\n \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n \"Brute Force Attack against GitHub Account.yaml\",\n \"BruteForceCloudPC.yaml\",\n \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n \"BypassCondAccessRule.yaml\",\n \"CredentialAddedAfterAdminConsent.yaml\",\n \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n \"DistribPassCrackAttempt.yaml\",\n \"ExplicitMFADeny.yaml\",\n \"ExchangeFullAccessGrantedToApp.yaml\",\n \"FailedLogonToAzurePortal.yaml\",\n \"FirstAppOrServicePrincipalCredential.yaml\",\n \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n \"MailPermissionsAddedToApplication.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_PwnAuth.yaml\",\n \"MFARejectedbyUser.yaml\",\n \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n \"NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_ADFSDomainTrustMods.yaml\",\n \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_PIMElevationRequestRejected.yaml\",\n \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n \"PIMElevationRequestRejected.yaml\",\n \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"RareApplicationConsent.yaml\",\n \"SeamlessSSOPasswordSpray.yaml\",\n \"Sign-in Burst from Multiple Locations.yaml\",\n \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n \"SigninBruteForce-AzurePortal.yaml\",\n \"SigninPasswordSpray.yaml\",\n \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n \"SuspiciousServicePrincipalcreationactivity.yaml\",\n \"UnusualGuestActivity.yaml\",\n \"UserAccounts-CABlockedSigninSpikes.yaml\",\n \"UseraddedtoPrivilgedGroups.yaml\",\n \"UserAssignedPrivilegedRole.yaml\",\n \"NewOnmicrosoftDomainAdded.yaml\",\n \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]"
-}
diff --git a/Solutions/Azure Active Directory/Analytic Rules/ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/ADFSDomainTrustMods.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
similarity index 97%
rename from Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
index 6086a7d37ca..188b6014a66 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
@@ -1,7 +1,7 @@ id: f80d951a-eddc-4171-b9d0-d616bb83efdc name: Admin promotion after Role Management Application Permission Grant description: | - 'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators). + 'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators). This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API. A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique. Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http' @@ -92,5 +92,5 @@ entityMappings: columnName: TargetName - identifier: UPNSuffix columnName: TargetUPNSuffix -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml similarity index 86% rename from Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml index 2c91cefa196..5e0c7d1b8f0 100644 
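Review bot: The rewritten description line introduces an article error — `add an Microsoft Entra ID object or user account` should read `add a Microsoft Entra ID object or user account`, because the substitution swapped a vowel-initial word ("Azure") for a consonant-initial one ("Microsoft") without adjusting the article. The same mechanical replacement produced the same error in the AzureADRoleManagementPermissionGrant.yaml hunk (`add an Microsoft Entra ID object to an Admin directory role`). Both strings are shown to analysts in the rule description, so it is worth correcting them in this version bump rather than in a later one.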
--- a/Solutions/Azure Active Directory/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml @@ -1,8 +1,7 @@ id: 7cb8f77d-c52f-4e46-b82f-3cf2e106224a name: Anomalous sign-in location by user account and authenticating application description: | - 'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active - Directory application and picks out the most anomalous change in location profile for a user within an + 'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application. severity: Medium requiredDataConnectors: @@ -58,9 +57,8 @@ customDetails: alertDetailsOverride: alertDisplayNameFormat: Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}} alertDescriptionFormat: | - This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active - Directory application and picks out the most anomalous change in location profile for a user within an + This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} different locations. -version: 2.0.0 +version: 2.0.1 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
similarity index 73%
rename from Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
index ddf46a4fd7f..ad4063872b3 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/AzureAADPowerShellAnomaly.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml
@@ -1,9 +1,9 @@ id: 50574fac-f8d1-4395-81c7-78a463ff0c52 -name: Azure Active Directory PowerShell accessing non-AAD resources +name: Microsoft Entra ID PowerShell accessing non-Entra ID resources description: | - 'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. - For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. - For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.' + 'This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior. + For capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0. + For further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.' severity: Low requiredDataConnectors: - connectorId: AzureActiveDirectory @@ -53,5 +53,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml similarity index 93% rename from Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml index 07dbe1e781c..c81080fffc3 100644 
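Review bot: The new `name:` line says `non-Entra ID resources` while the first rewritten description line still says `to access non-Active Directory resources`, so the rule now refers to the same thing by two different names; align the description to `to access non-Entra ID resources` or leave both as they were. The description also now calls the tool `Microsoft Entra ID PowerShell`, yet the reference it links to is still under `/powershell/module/azuread/`, which suggests the module kept its AzureAD name — confirm before renaming a product that the linked documentation does not. The query body lies outside this hunk; the `connectorId: AzureActiveDirectory` context line is rightly left untouched, and the same care applies to any application display-name literal the query filters on, since renaming that string would silently stop the detection from matching.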
--- a/Solutions/Azure Active Directory/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml @@ -1,9 +1,9 @@ id: 1ff56009-db01-4615-8211-d4fda21da02d -name: Azure AD Role Management Permission Grant +name: Microsoft Entra ID Role Management Permission Grant description: | 'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal. This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory. - An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges. + An adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges. Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http' severity: High @@ -64,5 +64,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AppDisplayName -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Azure Active Directory/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml 
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml similarity index 92% rename from Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml index 3eb26654b0e..c2929343a08 100644 --- a/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml @@ -1,7 +1,7 @@ id: 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06 name: Brute Force Attack against GitHub Account description: | - 'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.' + 'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory @@ -56,5 +56,5 @@ entityMappings: columnName: Name - identifier: UPNSuffix columnName: UPNSuffix -version: 2.0.0 +version: 2.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Azure Active Directory/Analytic Rules/BruteForceCloudPC.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/BruteForceCloudPC.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml 
diff --git a/Solutions/Azure Active Directory/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml diff --git a/Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml similarity index 97% rename from Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml index 821980265aa..8f5e12e8aca 100644 --- a/Solutions/Azure Active Directory/Analytic Rules/BypassCondAccessRule.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml @@ -1,7 +1,7 @@ id: 3af9285d-bb98-4a35-ad29-5ea39ba0c628 -name: Attempt to bypass conditional access rule in Azure AD +name: Attempt to bypass conditional access rule in Microsoft Entra ID description: | - 'Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory. + 'Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID. The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1). References: @@ -68,5 +68,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddresses -version: 1.0.4 +version: 1.0.5 kind: Scheduled 
diff --git a/Solutions/Azure Active Directory/Analytic Rules/CredentialAddedAfterAdminConsent.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml similarity index 100% rename from Solutions/Azure Active Directory/Analytic Rules/CredentialAddedAfterAdminConsent.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml similarity index 94% rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml index d1bcee23ca3..2a14d11cc1a 100644 --- a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml @@ -1,7 +1,7 @@ id: 757e6a79-6d23-4ae6-9845-4dac170656b5 name: Cross-tenant Access Settings Organization Added description: | - 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.' + 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory 
@@ -50,5 +50,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.1 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml similarity index 95% rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml index dc99ed2bd13..7b9217a7ab2 100644 --- a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml @@ -1,7 +1,7 @@ id: eb8a9c1c-f532-4630-817c-1ecd8a60ed80 name: Cross-tenant Access Settings Organization Deleted description: | - 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.' + 'Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory @@ -47,5 +47,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatedByIPAdress -version: 1.0.1 +version: 1.0.2 kind: Scheduled 
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
similarity index 94%
rename from Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
index 4c0c66de22f..b327ebea13b 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/DistribPassCrackAttempt.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml
@@ -1,7 +1,7 @@
 id: bfb1c90f-8006-4325-98be-c7fffbc254d6
-name: Distributed Password cracking attempts in AzureAD
+name: Distributed Password cracking attempts in Microsoft Entra ID
 description: |
- 'Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.
+ 'Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.
 The query looks for unusually high number of failed password attempts coming from multiple locations for a user account.
 References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
 50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.
@@ -58,5 +58,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/ExplicitMFADeny.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/ExplicitMFADeny.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
similarity index 97%
rename from Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
index 3efbca1eddc..97da73e4ddb 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/FailedLogonToAzurePortal.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml
@@ -1,7 +1,7 @@
 id: 223db5c1-1bf8-47d8-8806-bed401b356a4
 name: Failed login attempts to Azure Portal
 description: |
- 'Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon
+ 'Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon
 attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.
 The following are excluded due to success and non-failure results:
 References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
@@ -101,5 +101,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
similarity index 90%
rename from Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
index bf0282434a0..703da2f29ba 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
@@ -1,7 +1,7 @@
 id: 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53
-name: Guest accounts added in AAD Groups other than the ones specified
+name: Guest accounts added in Entra ID Groups other than the ones specified
 description: |
- 'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
+ 'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
 severity: High
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
@@ -63,5 +63,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: InitiatedByIPAdress
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
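Review bot: The new `name:` line uses the short form `Entra ID Groups` while the rewritten description two lines below and every other renamed rule in this diff (DistribPassCrackAttempt, SigninPasswordSpray, UseraddedtoPrivilgedGroups, …) use the full product name `Microsoft Entra ID`; the SuspiciousAADJoinedDeviceUpdate `name:` further down has the same short form. Rule names are what analysts presumably see in the rule list and in incident titles, so the product naming should be uniform there. Suggest `name: Guest accounts added in Microsoft Entra ID Groups other than the ones specified` (the version bump in the second hunk already covers it). The unchanged context line `columnName: InitiatedByIPAdress` carries a pre-existing misspelling of the column name; since entity mapping only works if it matches the column the query emits, confirm against the query outside this hunk before touching it.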
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MFARejectedbyUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MFARejectedbyUser.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_PIMElevationRequestRejected.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
similarity index 92%
rename from Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
index 1e6952e7d4c..2671c126c15 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml
@@ -1,9 +1,9 @@
 id: 70fc7201-f28e-4ba7-b9ea-c04b96701f13
-name: NRT User added to Azure Active Directory Privileged Groups
+name: NRT User added to Microsoft Entra ID Privileged Groups
 description: |
 'This will alert when a user is added to any of the Privileged Groups.
 For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.
- For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
+ For Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -67,5 +67,5 @@ entityMappings:
 columnName: TargetName
 - identifier: UPNSuffix
 columnName: TargetUPNSuffix
-version: 1.0.3
+version: 1.0.4
 kind: NRT
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NewAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NewAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/NewOnmicrosoftDomainAdded.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/RareApplicationConsent.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/RareApplicationConsent.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
similarity index 80%
rename from Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
index 01ade7dacd1..c2dcf7bea99 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/SeamlessSSOPasswordSpray.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
@@ -1,8 +1,8 @@
 id: fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba
-name: Password spray attack against Azure AD Seamless SSO
+name: Password spray attack against Microsoft Entra ID Seamless SSO
 description: |
- 'This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.
- Azure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.'
+ 'This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.
+ Microsoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.'
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
@@ -48,5 +48,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
similarity index 89%
rename from Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
index b71215197e6..686608a4dff 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
@@ -1,8 +1,8 @@
 id: d3980830-dd9d-40a5-911f-76b44dfdce16
 name: GitHub Signin Burst from Multiple Locations
 description: |
- 'This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).
- This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. '
+ 'This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).
+ This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. '
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
@@ -41,5 +41,5 @@ entityMappings:
 columnName: Name
 - identifier: UPNSuffix
 columnName: UPNSuffix
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
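Review bot: The rewritten second description line carries over the typo `thie detection` (`To view the anomaly based equivalent of thie detection`); since the line is already being rewritten and the version bumped, change it to `of this detection`. The updated link points at `Solutions/Microsoft%20Entra%20ID/...` on the `master` branch, which only resolves after this rename is merged, so confirm `AnomalousUserAppSigninLocationIncrease-detection.yaml` is moved in the same change (the new Solution_AAD.json further down lists it under the new path, which suggests it is). The file still ends without a trailing newline, as the marker after `kind: Scheduled` shows.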
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
similarity index 95%
rename from Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
index c073071483a..5c1c0d5738a 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/SigninPasswordSpray.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml
@@ -1,7 +1,7 @@
 id: 48607a29-a26a-4abf-8078-a06dbdd174a4
-name: Password spray attack against Azure AD application
+name: Password spray attack against Microsoft Entra ID application
 description: |
- 'Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same
+ 'Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same
 IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range
 are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.
 This can be an indicator that an attack was successful.
@@ -84,5 +84,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
similarity index 91%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
index 0258af0edda..5e4481a612e 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
@@ -1,7 +1,7 @@
 id: 3a3c6835-0086-40ca-b033-a93bf26d878f
-name: Suspicious AAD Joined Device Update
+name: Suspicious Entra ID Joined Device Update
 description: |
- 'This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.
+ 'This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.
 This could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.
 Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf'
 severity: Medium
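Review bot: The new description line reads `an Microsoft Entra ID joined device`; the article was correct for `an Azure AD` but not after the substitution, so it should be `a Microsoft Entra ID joined device`. The identical `an Microsoft Entra ID joined device` wording appears in the `alertDescriptionFormat` hunk of this same file below. A search-and-replace rebrand that touches user-facing strings is worth a read-through for exactly this kind of article mismatch, since the same pattern may exist in files outside this chunk.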
@@ -73,9 +73,9 @@ entityMappings:
 alertDetailsOverride:
 alertDisplayNameFormat: Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed
 alertDescriptionFormat: |
- This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.
+ This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.
 In this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.
 This could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.
 Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml
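Review bot: The unchanged context line `alertDisplayNameFormat: Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to ...` still says AAD, while the rule's `name:` in the first hunk of this file was changed to `Suspicious Entra ID Joined Device Update`; the display-name override is what the generated alert is titled with, so after this change the rule list and the alerts it produces will disagree on the product name. Update it to `alertDisplayNameFormat: Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed`. The context line `uses it to AAD Join a new device` in the same override is the same gap, and the reference PDF title legitimately keeps "Azure AD" because it is an external document. The file still ends without a trailing newline.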
diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
similarity index 95%
rename from Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
index f209c3e72f0..74a81622612 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/UnusualGuestActivity.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml
@@ -1,7 +1,7 @@
 id: acc4c247-aaf7-494b-b5da-17f18863878a
-name: External guest invitation followed by Azure AD PowerShell signin
+name: External guest invitation followed by Microsoft Entra ID PowerShell signin
 description: |
- 'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests
+ 'By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests
 users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.
 Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
 severity: Medium
@@ -88,5 +88,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPAddress
-version: 1.0.7
+version: 1.0.8
 kind: Scheduled
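Review bot: The rewritten description line ends with `This detection look at guests` and the next context line continues `users, who have been invited ...`, so the sentence reads "look at guests users"; since the line is already being rewritten, make it `This detection looks at guest` so it joins correctly with the continuation. The rule is one of several in this diff whose `name:` is user-facing and was renamed, so the version bump in the second hunk is appropriate. Nothing in either hunk touches the query, the connector id or the entity mapping.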
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UserAssignedNewPrivilegedRole.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/UserAssignedNewPrivilegedRole.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UserAssignedPrivilegedRole.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/UserAssignedPrivilegedRole.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml
diff --git a/Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
similarity index 93%
rename from Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
index 199d3dd23ca..1616f79505d 100644
--- a/Solutions/Azure Active Directory/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml
@@ -1,9 +1,9 @@
 id: 4d94d4a9-dc96-410a-8dea-4d4d4584188b
-name: User added to Azure Active Directory Privileged Groups
+name: User added to Microsoft Entra ID Privileged Groups
 description: |
 'This will alert when a user is added to any of the Privileged Groups.
 For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.
- For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
+ For Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles'
 severity: Medium
 requiredDataConnectors:
 - connectorId: AzureActiveDirectory
@@ -71,5 +71,5 @@ entityMappings:
 columnName: TargetName
 - identifier: UPNSuffix
 columnName: TargetUPNSuffix
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Azure Active Directory/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml
similarity index 100%
rename from Solutions/Azure Active Directory/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml
rename to Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml
diff --git a/Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.json b/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
similarity index 91%
rename from Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.json
rename to Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
index 2121bd3568d..d0a6f2c04bf 100644
--- a/Solutions/Azure Active Directory/Data Connectors/template_AzureActiveDirectory.json
+++ b/Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.JSON
@@ -1,12 +1,12 @@
 {
 "id": "AzureActiveDirectory",
- "title": "Azure Active Directory",
+ "title": "Microsoft Entra ID",
 "publisher": "Microsoft",
 "logo": {
 "type": 3,
 "options": null
 },
- "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -184,8 +184,8 @@
 },
 "instructionSteps": [
 {
- "title": "Connect Azure Active Directory logs to Microsoft Sentinel",
- "description": "Select Azure Active Directory log types:",
+ "title": "Connect Microsoft Entra ID logs to Microsoft Sentinel",
+ "description": "Select Microsoft Entra ID log types:",
 "instructions": [
 {
 "parameters": {
@@ -194,7 +194,7 @@
 {
 "title": "Sign-In Logs",
 "name": "SignInLogs",
- "infoBoxHtmlTemplate": "In order to export Sign-in data, your organization needs Azure AD P1 or P2 license. If you don't have a P1 or P2, start a free trial."
+ "infoBoxHtmlTemplate": "In order to export Sign-in data, your organization needs Microsoft Entra ID P1 or P2 license. If you don't have a P1 or P2, start a free trial."
 },
 {
 "title": "Audit Logs",
diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
new file mode 100644
index 00000000000..01dd4303aa8
--- /dev/null
+++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
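Review bot: The connector file is renamed to `template_AzureActiveDirectory.JSON` with an upper-case extension (see the `rename to` and `+++` lines of this section), but the new `Solution_AAD.json` added further down in this diff lists it as `Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.json` with a lower-case extension. On a case-sensitive filesystem, which is what a Linux build agent normally runs, that path does not resolve, so solution packaging is likely to fail or to produce a package without the connector; on Windows it resolves, which makes the mismatch easy to miss in review. Rename the file to `template_AzureActiveDirectory.json` (or correct the reference) so the two agree. Leaving `"id": "AzureActiveDirectory"` unchanged in the first hunk is right, since the analytic rules in this diff still declare `connectorId: AzureActiveDirectory`, and the rename does not touch the workbook or rule paths that depend on it.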
@@ -0,0 +1,95 @@
+{
+ "Name": "Microsoft Entra ID",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
+ "Data Connectors": [
+ "Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.json"
+ ],
+ "Workbooks": [
+ "Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json",
+ "Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectorySignins.json"
+ ],
+ "Analytic Rules": [
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml",
+ "Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml"
+ ],
+ "Playbooks": [
+ "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json",
+ "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Version": "3.0.7",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": true
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json new file mode 100644
index 00000000000..8c562a0bc4a
--- /dev/null
+++ b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
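Review bot: The `"Data Connectors"` entry references `template_AzureActiveDirectory.json`, but the connector file changed earlier in this commit is `template_AzureActiveDirectory.JSON`; on a case-sensitive filesystem the packaging step would not resolve this path, so the two spellings should be made to agree (lower-case `.json` on disk matches the other connector references in this file). The companion system_generated_metadata.json added in this commit repeats AccountCreatedandDeletedinShortTimeframe.yaml and MaliciousOAuthApp_O365AttackToolkit.yaml six times each and omits MFASpammingfollowedbySuccessfullogin.yaml and UserAssignedNewPrivilegedRole.yaml, which are both listed here, so it appears to have been generated from an earlier version of this rule list and should be regenerated before 3.0.7 ships. The file also ends without a trailing newline, which will show up as a spurious diff on the next edit.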
@@ -0,0 +1,45 @@ +{ + "Name": "Microsoft Entra ID", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.", + "BasePath": "C:\\GitHub\\Azure-Sentinel", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": true, + "Version": "3.0.7", + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-azureactivedirectory", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Identity", + "Security - Automation (SOAR)" + ] + }, + "firstPublishDate": "2022-05-16", + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "Data Connectors": "[\n \"template_AzureActiveDirectory.json\"\n]", + "Playbooks": [ + "Playbooks/Block-AADUser/alert-trigger/azuredeploy.json", + "Playbooks/Block-AADUser/entity-trigger/azuredeploy.json", + "Playbooks/Block-AADUser/incident-trigger/azuredeploy.json", + "Playbooks/Prompt-User/alert-trigger/azuredeploy.json", + "Playbooks/Prompt-User/incident-trigger/azuredeploy.json", + "Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json", + "Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json", + 
"Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json", + "Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json", + "Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json", + "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json" + ], + "Workbooks": "[\n \"AzureActiveDirectoryAuditLogs.json\",\n \"AzureActiveDirectorySignins.json\"\n]", + "Analytic Rules": "[\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n \"ADFSDomainTrustMods.yaml\",\n \"ADFSSignInLogsPasswordSpray.yaml\",\n \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n \"AzureAADPowerShellAnomaly.yaml\",\n \"AzureADRoleManagementPermissionGrant.yaml\",\n \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n \"Brute Force Attack against GitHub Account.yaml\",\n \"BruteForceCloudPC.yaml\",\n \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n \"BypassCondAccessRule.yaml\",\n \"CredentialAddedAfterAdminConsent.yaml\",\n \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n \"DistribPassCrackAttempt.yaml\",\n \"ExplicitMFADeny.yaml\",\n 
\"ExchangeFullAccessGrantedToApp.yaml\",\n \"FailedLogonToAzurePortal.yaml\",\n \"FirstAppOrServicePrincipalCredential.yaml\",\n \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n \"MailPermissionsAddedToApplication.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n \"MaliciousOAuthApp_PwnAuth.yaml\",\n \"MFARejectedbyUser.yaml\",\n \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n \"NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_ADFSDomainTrustMods.yaml\",\n \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n \"NRT_PIMElevationRequestRejected.yaml\",\n \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n \"PIMElevationRequestRejected.yaml\",\n \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n \"RareApplicationConsent.yaml\",\n \"SeamlessSSOPasswordSpray.yaml\",\n \"Sign-in Burst from Multiple Locations.yaml\",\n \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n \"SigninBruteForce-AzurePortal.yaml\",\n \"SigninPasswordSpray.yaml\",\n \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n \"SuspiciousServicePrincipalcreationactivity.yaml\",\n \"UnusualGuestActivity.yaml\",\n \"UserAccounts-CABlockedSigninSpikes.yaml\",\n \"UseraddedtoPrivilgedGroups.yaml\",\n \"UserAssignedPrivilegedRole.yaml\",\n \"NewOnmicrosoftDomainAdded.yaml\",\n \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]" +} 
diff --git a/Solutions/Azure Active Directory/Package/2.0.0.zip b/Solutions/Microsoft Entra ID/Package/2.0.0.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.0.zip rename to Solutions/Microsoft Entra ID/Package/2.0.0.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.1.zip b/Solutions/Microsoft Entra ID/Package/2.0.1.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.1.zip rename to Solutions/Microsoft Entra ID/Package/2.0.1.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.10.zip b/Solutions/Microsoft Entra ID/Package/2.0.10.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.10.zip rename to Solutions/Microsoft Entra ID/Package/2.0.10.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.11.zip b/Solutions/Microsoft Entra ID/Package/2.0.11.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.11.zip rename to Solutions/Microsoft Entra ID/Package/2.0.11.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.12.zip b/Solutions/Microsoft Entra ID/Package/2.0.12.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.12.zip rename to Solutions/Microsoft Entra ID/Package/2.0.12.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.13.zip b/Solutions/Microsoft Entra ID/Package/2.0.13.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.13.zip rename to Solutions/Microsoft Entra ID/Package/2.0.13.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.3.zip b/Solutions/Microsoft Entra ID/Package/2.0.3.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.3.zip rename to Solutions/Microsoft Entra ID/Package/2.0.3.zip 
diff --git a/Solutions/Azure Active Directory/Package/2.0.4.zip b/Solutions/Microsoft Entra ID/Package/2.0.4.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.4.zip rename to Solutions/Microsoft Entra ID/Package/2.0.4.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.5.zip b/Solutions/Microsoft Entra ID/Package/2.0.5.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.5.zip rename to Solutions/Microsoft Entra ID/Package/2.0.5.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.6.zip b/Solutions/Microsoft Entra ID/Package/2.0.6.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.6.zip rename to Solutions/Microsoft Entra ID/Package/2.0.6.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.7.zip b/Solutions/Microsoft Entra ID/Package/2.0.7.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.7.zip rename to Solutions/Microsoft Entra ID/Package/2.0.7.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.8.zip b/Solutions/Microsoft Entra ID/Package/2.0.8.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.8.zip rename to Solutions/Microsoft Entra ID/Package/2.0.8.zip diff --git a/Solutions/Azure Active Directory/Package/2.0.9.zip b/Solutions/Microsoft Entra ID/Package/2.0.9.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/2.0.9.zip rename to Solutions/Microsoft Entra ID/Package/2.0.9.zip diff --git a/Solutions/Azure Active Directory/Package/3.0.0.zip b/Solutions/Microsoft Entra ID/Package/3.0.0.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.0.zip rename to Solutions/Microsoft Entra ID/Package/3.0.0.zip 
diff --git a/Solutions/Azure Active Directory/Package/3.0.1.zip b/Solutions/Microsoft Entra ID/Package/3.0.1.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.1.zip rename to Solutions/Microsoft Entra ID/Package/3.0.1.zip diff --git a/Solutions/Azure Active Directory/Package/3.0.2.zip b/Solutions/Microsoft Entra ID/Package/3.0.2.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.2.zip rename to Solutions/Microsoft Entra ID/Package/3.0.2.zip diff --git a/Solutions/Azure Active Directory/Package/3.0.3.zip b/Solutions/Microsoft Entra ID/Package/3.0.3.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.3.zip rename to Solutions/Microsoft Entra ID/Package/3.0.3.zip diff --git a/Solutions/Azure Active Directory/Package/3.0.4.zip b/Solutions/Microsoft Entra ID/Package/3.0.4.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.4.zip rename to Solutions/Microsoft Entra ID/Package/3.0.4.zip diff --git a/Solutions/Azure Active Directory/Package/3.0.5.zip b/Solutions/Microsoft Entra ID/Package/3.0.5.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.5.zip rename to Solutions/Microsoft Entra ID/Package/3.0.5.zip diff --git a/Solutions/Azure Active Directory/Package/3.0.6.zip b/Solutions/Microsoft Entra ID/Package/3.0.6.zip similarity index 100% rename from Solutions/Azure Active Directory/Package/3.0.6.zip rename to Solutions/Microsoft Entra ID/Package/3.0.6.zip diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip new file mode 100644 index 00000000000..0757f343f7a Binary files /dev/null and b/Solutions/Microsoft Entra ID/Package/3.0.7.zip differ 
diff --git a/Solutions/Azure Active Directory/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json similarity index 81% rename from Solutions/Azure Active Directory/Package/createUiDefinition.json rename to Solutions/Microsoft Entra ID/Package/createUiDefinition.json
index 71aad442db2..b77ca0647f5 100644
--- a/Solutions/Azure Active Directory/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 60, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID 
[Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Microsoft Entra ID. You can get Microsoft Entra ID custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { 
@@ -104,13 +104,13 @@
 {
 "name": "workbook1",
 "type": "Microsoft.Common.Section",
- "label": "Azure AD Audit logs",
+ "label": "Microsoft Entra ID Audit logs",
 "elements": [
 {
 "name": "workbook1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
+ "text": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps."
 }
 }
 ]
@@ -118,13 +118,13 @@
 {
 "name": "workbook2",
 "type": "Microsoft.Common.Section",
- "label": "Azure AD Sign-in logs",
+ "label": "Microsoft Entra ID Sign-in logs",
 "elements": [
 {
 "name": "workbook2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
+ "text": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
 }
 }
 ]
@@ -222,7 +222,7 @@
 "name": "analytic5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
+ "text": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
 }
 }
 ]
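Review bot: The search-and-replace leaves `add an Microsoft Entra ID object` in the new text line of this hunk; the article no longer fits the noun and should read `...before being used to add a Microsoft Entra ID object or user account to an Admin directory role...`. The same `an Microsoft Entra ID object` wording appears in the new text line of the @@ -272,13 hunk (analytic9-text) and needs the same fix.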
@@ -236,7 +236,7 @@
 "name": "analytic6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application"
+ "text": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application"
 }
 }
 ]
@@ -258,13 +258,13 @@
 {
 "name": "analytic8",
 "type": "Microsoft.Common.Section",
- "label": "Azure Active Directory PowerShell accessing non-AAD resources",
+ "label": "Microsoft Entra ID PowerShell accessing non-Entra ID resources",
 "elements": [
 {
 "name": "analytic8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins."
+ "text": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins."
 }
 }
 ]
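Review bot: The new label says `non-Entra ID resources` while the new text line in the same hunk still says `non-Active Directory resources`, so the two disagree about what the rule is contrasting against; one wording should be used in both. Renaming the tool to `Microsoft Entra ID PowerShell` is also doubtful: the docs link kept on the same line points at `powershell/module/azuread/`, i.e. the module published under the AzureAD name, and the detection presumably matches on that application's own display name in the sign-in logs, so the text could keep the module's name (`signs in using the Azure AD PowerShell module`) and reserve `Microsoft Entra ID` for the directory service.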
@@ -272,13 +272,13 @@
 {
 "name": "analytic9",
 "type": "Microsoft.Common.Section",
- "label": "Azure AD Role Management Permission Grant",
+ "label": "Microsoft Entra ID Role Management Permission Grant",
 "elements": [
 {
 "name": "analytic9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
+ "text": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http"
 }
 }
 ]
@@ -306,7 +306,7 @@
 "name": "analytic11-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users."
+ "text": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users."
 }
 }
 ]
@@ -342,13 +342,13 @@
 {
 "name": "analytic14",
 "type": "Microsoft.Common.Section",
- "label": "Attempt to bypass conditional access rule in Azure AD",
+ "label": "Attempt to bypass conditional access rule in Microsoft Entra ID",
 "elements": [
 {
 "name": "analytic14-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown"
+ "text": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown"
 }
 }
 ]
@@ -376,7 +376,7 @@
 "name": "analytic16-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings."
 }
 }
 ]
@@ -390,7 +390,7 @@
 "name": "analytic17-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings."
+ "text": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings."
 }
 }
 ]
@@ -468,13 +468,13 @@
 {
 "name": "analytic23",
 "type": "Microsoft.Common.Section",
- "label": "Distributed Password cracking attempts in AzureAD",
+ "label": "Distributed Password cracking attempts in Microsoft Entra ID",
 "elements": [
 {
 "name": "analytic23-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password."
+ "text": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password."
 }
 }
 ]
@@ -516,7 +516,7 @@
 "name": "analytic26-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
+ "text": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."
 }
 }
 ]
@@ -538,13 +538,13 @@
 {
 "name": "analytic28",
 "type": "Microsoft.Common.Section",
- "label": "Guest accounts added in AAD Groups other than the ones specified",
+ "label": "Guest accounts added in Entra ID Groups other than the ones specified",
 "elements": [
 {
 "name": "analytic28-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data."
+ "text": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data."
 }
 }
 ]
@@ -608,13 +608,13 @@
 {
 "name": "analytic33",
 "type": "Microsoft.Common.Section",
- "label": "Multiple admin membership removals from newly created admin.",
+ "label": "MFA Spamming followed by Successful login",
 "elements": [
 {
 "name": "analytic33-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly."
+ "text": "Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window,\nDefault Failure count is 10 and 1 successful login with default Time Window is 5 minutes."
 }
 }
 ]
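Review bot: The new analytic33 description reads awkwardly: "followed by Successful logins and by a successful authentication" states the same condition twice, and the first sentence ends in a comma rather than a full stop; suggest `"text": "Identifies MFA spamming (repeated MFA prompts) followed by a successful authentication within a given time window.\nDefault failure count is 10 and 1 successful login, with a default time window of 5 minutes."`. The product name is also rendered inconsistently: the analytic28 label in this hunk says "Entra ID Groups" while its text says "Microsoft Entra ID Groups", the same short form appears in analytic49's text in the hunk ending on L78 ("Entra ID SSO") and in analytic54's label in the hunk ending on L83, whereas every other relabelled section uses "Microsoft Entra ID". These strings are what the portal displays, so one spelling throughout would make the sections easier to search and consistent with the rest of the commit.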
@@ -622,13 +622,13 @@
 {
 "name": "analytic34",
 "type": "Microsoft.Common.Section",
- "label": "New access credential added to Application or Service Principal",
+ "label": "Multiple admin membership removals from newly created admin.",
 "elements": [
 {
 "name": "analytic34-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly."
 }
 }
 ]
@@ -636,13 +636,13 @@
 {
 "name": "analytic35",
 "type": "Microsoft.Common.Section",
- "label": "NRT Modified domain federation trust settings",
+ "label": "New onmicrosoft domain added to tenant",
 "elements": [
 {
 "name": "analytic35-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose."
 }
 }
 ]
@@ -650,13 +650,13 @@
 {
 "name": "analytic36",
 "type": "Microsoft.Common.Section",
- "label": "NRT Authentication Methods Changed for VIP Users",
+ "label": "New access credential added to Application or Service Principal",
 "elements": [
 {
 "name": "analytic36-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access."
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -664,13 +664,13 @@
 {
 "name": "analytic37",
 "type": "Microsoft.Common.Section",
- "label": "NRT First access credential added to Application or Service Principal where no credential was present",
+ "label": "NRT Modified domain federation trust settings",
 "elements": [
 {
 "name": "analytic37-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -678,13 +678,13 @@
 {
 "name": "analytic38",
 "type": "Microsoft.Common.Section",
- "label": "NRT New access credential added to Application or Service Principal",
+ "label": "NRT Authentication Methods Changed for VIP Users",
 "elements": [
 {
 "name": "analytic38-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access."
 }
 }
 ]
@@ -692,13 +692,13 @@
 {
 "name": "analytic39",
 "type": "Microsoft.Common.Section",
- "label": "NRT PIM Elevation Request Rejected",
+ "label": "NRT First access credential added to Application or Service Principal where no credential was present",
 "elements": [
 {
 "name": "analytic39-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -706,13 +706,13 @@
 {
 "name": "analytic40",
 "type": "Microsoft.Common.Section",
- "label": "NRT Privileged Role Assigned Outside PIM",
+ "label": "NRT New access credential added to Application or Service Principal",
 "elements": [
 {
 "name": "analytic40-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -720,13 +720,13 @@
 {
 "name": "analytic41",
 "type": "Microsoft.Common.Section",
- "label": "NRT User added to Azure Active Directory Privileged Groups",
+ "label": "NRT PIM Elevation Request Rejected",
 "elements": [
 {
 "name": "analytic41-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -734,13 +734,13 @@
 {
 "name": "analytic42",
 "type": "Microsoft.Common.Section",
- "label": "PIM Elevation Request Rejected",
+ "label": "NRT Privileged Role Assigned Outside PIM",
 "elements": [
 {
 "name": "analytic42-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
+ "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -748,13 +748,13 @@
 {
 "name": "analytic43",
 "type": "Microsoft.Common.Section",
- "label": "Privileged Accounts - Sign in Failure Spikes",
+ "label": "NRT User added to Microsoft Entra ID Privileged Groups",
 "elements": [
 {
 "name": "analytic43-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor"
+ "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
 }
 }
 ]
@@ -762,13 +762,13 @@
 {
 "name": "analytic44",
 "type": "Microsoft.Common.Section",
- "label": "Privileged Role Assigned Outside PIM",
+ "label": "PIM Elevation Request Rejected",
 "elements": [
 {
 "name": "analytic44-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ "text": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management"
 }
 }
 ]
@@ -776,13 +776,13 @@
 {
 "name": "analytic45",
 "type": "Microsoft.Common.Section",
- "label": "Rare application consent",
+ "label": "Privileged Accounts - Sign in Failure Spikes",
 "elements": [
 {
 "name": "analytic45-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor"
 }
 }
 ]
@@ -790,13 +790,13 @@
 {
 "name": "analytic46",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Azure AD Seamless SSO",
+ "label": "Privileged Role Assigned Outside PIM",
 "elements": [
 {
 "name": "analytic46-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts."
+ "text": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
 }
 }
 ]
@@ -804,13 +804,13 @@
 {
 "name": "analytic47",
 "type": "Microsoft.Common.Section",
- "label": "GitHub Signin Burst from Multiple Locations",
+ "label": "Rare application consent",
 "elements": [
 {
 "name": "analytic47-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. "
+ "text": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -818,13 +818,13 @@
 {
 "name": "analytic48",
 "type": "Microsoft.Common.Section",
- "label": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
+ "label": "Password spray attack against Microsoft Entra ID Seamless SSO",
 "elements": [
 {
 "name": "analytic48-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts."
 }
 }
 ]
@@ -832,13 +832,13 @@
 {
 "name": "analytic49",
 "type": "Microsoft.Common.Section",
- "label": "Brute force attack against Azure Portal",
+ "label": "GitHub Signin Burst from Multiple Locations",
 "elements": [
 {
 "name": "analytic49-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ "text": "This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. "
 }
 }
 ]
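Review bot: The anomaly-equivalent link in the new analytic49 text now points at `Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/...` on the master branch, which presumably only resolves once the matching folder rename is in master; it is worth confirming the URL does not 404 after merge, since it is the only pointer customers get to the lower-false-positive variant. While this line is being rewritten, the typo "thie detection" should read `this detection`, and the trailing space inside the string before the closing quote can be dropped.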
@@ -846,13 +846,13 @@
 {
 "name": "analytic50",
 "type": "Microsoft.Common.Section",
- "label": "Password spray attack against Azure AD application",
+ "label": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
 "elements": [
 {
 "name": "analytic50-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+ "text": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
@@ -860,13 +860,13 @@
 {
 "name": "analytic51",
 "type": "Microsoft.Common.Section",
- "label": "Successful logon from IP and failure from a different IP",
+ "label": "Brute force attack against Azure Portal",
 "elements": [
 {
 "name": "analytic51-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
+ "text": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
 }
 }
 ]
@@ -874,13 +874,13 @@
 {
 "name": "analytic52",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious AAD Joined Device Update",
+ "label": "Password spray attack against Microsoft Entra ID application",
 "elements": [
 {
 "name": "analytic52-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf"
+ "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
 }
 }
 ]
@@ -888,13 +888,13 @@
 {
 "name": "analytic53",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious application consent for offline access",
+ "label": "Successful logon from IP and failure from a different IP",
 "elements": [
 {
 "name": "analytic53-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
+ "text": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context."
 }
 }
 ]
@@ -902,13 +902,13 @@
 {
 "name": "analytic54",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Service Principal creation activity",
+ "label": "Suspicious Entra ID Joined Device Update",
 "elements": [
 {
 "name": "analytic54-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)"
+ "text": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf"
 }
 }
 ]
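Review bot: The rewritten analytic54 text carries a grammar slip introduced by the product-name substitution: "an Microsoft Entra ID joined device" should read `a Microsoft Entra ID joined device`. The external PDF reference on the last line of that string still says "Azure AD" in its title, which is correct to leave untouched because it is the cited document's own title, not product naming in this solution.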
@@ -916,13 +916,13 @@
 {
 "name": "analytic55",
 "type": "Microsoft.Common.Section",
- "label": "External guest invitation followed by Azure AD PowerShell signin",
+ "label": "Suspicious application consent for offline access",
 "elements": [
 {
 "name": "analytic55-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/"
+ "text": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities."
 }
 }
 ]
@@ -930,13 +930,13 @@
 {
 "name": "analytic56",
 "type": "Microsoft.Common.Section",
- "label": "User Accounts - Sign in Failure due to CA Spikes",
+ "label": "Suspicious Service Principal creation activity",
 "elements": [
 {
 "name": "analytic56-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
+ "text": "This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)"
 }
 }
 ]
@@ -944,13 +944,13 @@
 {
 "name": "analytic57",
 "type": "Microsoft.Common.Section",
- "label": "User added to Azure Active Directory Privileged Groups",
+ "label": "Suspicious Sign In Followed by MFA Modification",
 "elements": [
 {
 "name": "analytic57-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ "text": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user."
 }
 }
 ]
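Review bot: The description moved into analytic57 (the second hunk on this line) still reads `This query looks uses Microsoft Sentinel's UEBA features`, a doubled verb carried over from the old analytic60 text; since the line is being rewritten anyway it should become `"text": "This query uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user."`. If this text is generated from the rule's YAML description, the correction belongs in the rule file so the next package build does not reintroduce it.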
@@ -958,13 +958,13 @@
 {
 "name": "analytic58",
 "type": "Microsoft.Common.Section",
- "label": "New User Assigned to Privileged Role",
+ "label": "External guest invitation followed by Microsoft Entra ID PowerShell signin",
 "elements": [
 {
 "name": "analytic58-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate."
+ "text": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/"
 }
 }
 ]
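Review bot: The analytic58 description added here keeps two pre-existing wording defects that should be fixed while the string is being rewritten — `This detection look at guests\nusers` and the stray apostrophe in `Ref : 'https://danielchronlund.com/...` — i.e. `This detection looks at guest users, who have been invited or have invited recently, ...` and `Ref : https://danielchronlund.com/...`. The relabel to `Microsoft Entra ID PowerShell signin` is also worth checking against the underlying query, which is not visible here: if the rule still keys on the legacy Azure AD PowerShell module, the new wording could be read as referring to the separate Microsoft Entra PowerShell module, and the description should say which one is meant.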
@@ -972,13 +972,13 @@
 {
 "name": "analytic59",
 "type": "Microsoft.Common.Section",
- "label": "New onmicrosoft domain added to tenant",
+ "label": "User Accounts - Sign in Failure due to CA Spikes",
 "elements": [
 {
 "name": "analytic59-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose."
+ "text": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results."
 }
 }
 ]
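Review bot: The text moved into analytic59 begins with a leading space (`" Identifies spike ...`) and contains the typo `conditional access policied`; the rewritten line should start `"text": "Identifies spike in failed sign-ins from user accounts due to conditional access policies.\n` with the rest unchanged. Separately, the old analytic59 section `New onmicrosoft domain added to tenant` is removed here and does not reappear in any hunk visible on this page; if that rule was intentionally dropped from the solution rather than re-indexed earlier in the list, the commit description should say so, since it silently reduces coverage of tenant-level domain additions, which the removed text itself describes as a phishing-infrastructure precursor.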
@@ -986,13 +986,41 @@
 {
 "name": "analytic60",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Sign In Followed by MFA Modification",
+ "label": "User added to Microsoft Entra ID Privileged Groups",
 "elements": [
 {
 "name": "analytic60-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user."
+ "text": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic61",
+ "type": "Microsoft.Common.Section",
+ "label": "User Assigned New Privileged Role",
+ "elements": [
+ {
+ "name": "analytic61-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies when a new eligible or active privileged role is assigned to a user. Does not alert on PIM activations. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1"
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic62",
+ "type": "Microsoft.Common.Section",
+ "label": "New User Assigned to Privileged Role",
+ "elements": [
+ {
+ "name": "analytic62-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate."
 }
 }
 ]
diff --git a/Solutions/Azure Active Directory/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
similarity index 89%
rename from Solutions/Azure Active Directory/Package/mainTemplate.json
rename to Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 053b82d2a10..bcc866485cf 100644
--- a/Solutions/Azure Active Directory/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "author": "Microsoft - support@microsoft.com",
- "comments": "Solution template for Azure Active Directory"
+ "comments": "Solution template for Microsoft Entra ID"
 },
 "parameters": {
 "location": {
@@ -30,7 +30,7 @@
 },
 "workbook1-name": {
 "type": "string",
- "defaultValue": "Azure AD Audit logs",
+ "defaultValue": "Microsoft Entra ID Audit logs",
 "minLength": 1,
 "metadata": {
 "description": "Name for the workbook"
@@ -38,7 +38,7 @@
 },
 "workbook2-name": {
 "type": "string",
- "defaultValue": "Azure AD Sign-in logs",
+ "defaultValue": "Microsoft Entra ID Sign-in logs",
 "minLength": 1,
 "metadata": {
 "description": "Name for the workbook"
@@ -48,8 +48,8 @@
 "variables": {
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
- "_solutionName": "Azure Active Directory",
- "_solutionVersion": "3.0.6",
+ "_solutionName": "Microsoft Entra ID",
+ "_solutionVersion": "3.0.7",
 "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AzureActiveDirectory",
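Review bot: The two sections added at the end of this hunk, analytic61 `User Assigned New Privileged Role` and analytic62 `New User Assigned to Privileged Role`, have labels that differ only in word order, and only the descriptions distinguish them (61 covers new eligible or active assignments and excludes PIM activations; 62 is about a new user receiving a role). A reader scanning the solution's rule list cannot tell them apart, so the distinguishing clause should be visible in the label or the first sentence of each description — for example opening analytic62 with `Identifies when a privileged role is assigned to a recently created user account.`, assuming that is what the underlying query checks, which is not visible here. As with the other labels, these presumably come from the rule YAML, so the fix belongs there and would flow into this generated file.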
@@ -98,13 +98,13 @@
 "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
 "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
 "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.0.3",
+ "analyticRuleVersion5": "1.0.4",
 "analyticRulecontentId5": "f80d951a-eddc-4171-b9d0-d616bb83efdc",
 "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
 "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
 "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
 "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "2.0.0",
+ "analyticRuleVersion6": "2.0.1",
 "analyticRulecontentId6": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a",
 "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
 "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
@@ -116,13 +116,13 @@
 "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
 "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
 "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
 "analyticRulecontentId8": "50574fac-f8d1-4395-81c7-78a463ff0c52",
 "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
 "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
 "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
 "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.0.4",
+ "analyticRuleVersion9": "1.0.5",
 "analyticRulecontentId9": "1ff56009-db01-4615-8211-d4fda21da02d",
 "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
 "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
@@ -134,7 +134,7 @@
 "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
 "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
 "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
- "analyticRuleVersion11": "2.0.0",
+ "analyticRuleVersion11": "2.0.1",
 "analyticRulecontentId11": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06",
 "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]",
 "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]",
@@ -152,7 +152,7 @@
 "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]",
 "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]",
 "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]",
- "analyticRuleVersion14": "1.0.4",
+ "analyticRuleVersion14": "1.0.5",
 "analyticRulecontentId14": "3af9285d-bb98-4a35-ad29-5ea39ba0c628",
 "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]",
 "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]",
@@ -164,13 +164,13 @@
 "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]",
 "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]",
 "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]",
- "analyticRuleVersion16": "1.0.1",
+ "analyticRuleVersion16": "1.0.2",
 "analyticRulecontentId16": "757e6a79-6d23-4ae6-9845-4dac170656b5",
 "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]",
 "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]",
 "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]",
 "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]",
- "analyticRuleVersion17": "1.0.1",
+ "analyticRuleVersion17": "1.0.2",
 "analyticRulecontentId17": "eb8a9c1c-f532-4630-817c-1ecd8a60ed80",
 "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]",
 "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]",
@@ -206,7 +206,7 @@
 "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId22'))]",
 "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId22'))))]",
 "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId22'),'-', variables('analyticRuleVersion22'))))]",
- "analyticRuleVersion23": "1.0.2",
+ "analyticRuleVersion23": "1.0.3",
 "analyticRulecontentId23": "bfb1c90f-8006-4325-98be-c7fffbc254d6",
 "_analyticRulecontentId23": "[variables('analyticRulecontentId23')]",
 "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId23'))]",
@@ -224,7 +224,7 @@
 "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId25'))]",
 "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId25'))))]",
 "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId25'),'-', variables('analyticRuleVersion25'))))]",
- "analyticRuleVersion26": "1.0.4",
+ "analyticRuleVersion26": "1.0.5",
 "analyticRulecontentId26": "223db5c1-1bf8-47d8-8806-bed401b356a4",
 "_analyticRulecontentId26": "[variables('analyticRulecontentId26')]",
 "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId26'))]",
@@ -236,7 +236,7 @@
 "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId27'))]",
 "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId27'))))]",
 "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId27'),'-', variables('analyticRuleVersion27'))))]",
- "analyticRuleVersion28": "1.0.2",
+ "analyticRuleVersion28": "1.0.4",
 "analyticRulecontentId28": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53",
 "_analyticRulecontentId28": "[variables('analyticRulecontentId28')]",
 "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId28'))]",
@@ -266,174 +266,186 @@
 "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId32'))]",
 "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId32'))))]",
 "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId32'),'-', variables('analyticRuleVersion32'))))]",
- "analyticRuleVersion33": "1.0.1",
- "analyticRulecontentId33": "cda5928c-2c1e-4575-9dfa-07568bc27a4f",
+ "analyticRuleVersion33": "1.0.2",
+ "analyticRulecontentId33": "a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b",
 "_analyticRulecontentId33": "[variables('analyticRulecontentId33')]",
 "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId33'))]",
 "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId33'))))]",
 "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId33'),'-', variables('analyticRuleVersion33'))))]",
- "analyticRuleVersion34": "1.1.1",
- "analyticRulecontentId34": "79566f41-df67-4e10-a703-c38a6213afd8",
+ "analyticRuleVersion34": "1.0.1",
+ "analyticRulecontentId34": "cda5928c-2c1e-4575-9dfa-07568bc27a4f",
 "_analyticRulecontentId34": "[variables('analyticRulecontentId34')]",
 "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId34'))]",
 "analyticRuleTemplateSpecName34": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId34'))))]",
 "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId34'),'-', variables('analyticRuleVersion34'))))]",
- "analyticRuleVersion35": "1.0.1",
- "analyticRulecontentId35": "8540c842-5bbc-4a24-9fb2-a836c0e55a51",
+ "analyticRuleVersion35": "1.0.0",
+ "analyticRulecontentId35": "4f42b94f-b210-42d1-a023-7fa1c51d969f",
 "_analyticRulecontentId35": "[variables('analyticRulecontentId35')]",
 "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId35'))]",
 "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId35'))))]",
 "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId35'),'-', variables('analyticRuleVersion35'))))]",
- "analyticRuleVersion36": "1.0.2",
- "analyticRulecontentId36": "29e99017-e28d-47be-8b9a-c8c711f8a903",
+ "analyticRuleVersion36": "1.1.1",
+ "analyticRulecontentId36": "79566f41-df67-4e10-a703-c38a6213afd8",
 "_analyticRulecontentId36": "[variables('analyticRulecontentId36')]",
 "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId36'))]",
 "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId36'))))]",
 "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId36'),'-', variables('analyticRuleVersion36'))))]",
- "analyticRuleVersion37": "1.0.4",
- "analyticRulecontentId37": "b6988c32-4f3b-4a45-8313-b46b33061a74",
+ "analyticRuleVersion37": "1.0.1",
+ "analyticRulecontentId37": "8540c842-5bbc-4a24-9fb2-a836c0e55a51",
 "_analyticRulecontentId37": "[variables('analyticRulecontentId37')]",
 "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId37'))]",
 "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId37'))))]",
 "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId37'),'-', variables('analyticRuleVersion37'))))]",
 "analyticRuleVersion38": "1.0.2",
- "analyticRulecontentId38": "e42e889a-caaf-4dbb-aec6-371b37d64298",
+ "analyticRulecontentId38": "29e99017-e28d-47be-8b9a-c8c711f8a903",
 "_analyticRulecontentId38": "[variables('analyticRulecontentId38')]",
 "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId38'))]",
 "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId38'))))]",
 "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId38'),'-', variables('analyticRuleVersion38'))))]",
- "analyticRuleVersion39": "1.0.1",
- "analyticRulecontentId39": "5db427b2-f406-4274-b413-e9fcb29412f8",
+ "analyticRuleVersion39": "1.0.4",
+ "analyticRulecontentId39": 
"b6988c32-4f3b-4a45-8313-b46b33061a74",
 "_analyticRulecontentId39": "[variables('analyticRulecontentId39')]",
 "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId39'))]",
 "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId39'))))]",
 "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId39'),'-', variables('analyticRuleVersion39'))))]",
- "analyticRuleVersion40": "1.0.1",
- "analyticRulecontentId40": "14f6da04-2f96-44ee-9210-9ccc1be6401e",
+ "analyticRuleVersion40": "1.0.2",
+ "analyticRulecontentId40": "e42e889a-caaf-4dbb-aec6-371b37d64298",
 "_analyticRulecontentId40": "[variables('analyticRulecontentId40')]",
 "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId40'))]",
 "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId40'))))]",
 "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId40'),'-', variables('analyticRuleVersion40'))))]",
- "analyticRuleVersion41": "1.0.3",
- "analyticRulecontentId41": "70fc7201-f28e-4ba7-b9ea-c04b96701f13",
+ "analyticRuleVersion41": "1.0.1",
+ "analyticRulecontentId41": "5db427b2-f406-4274-b413-e9fcb29412f8",
 "_analyticRulecontentId41": "[variables('analyticRulecontentId41')]",
 "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId41'))]",
 "analyticRuleTemplateSpecName41": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId41'))))]",
 "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId41'),'-', variables('analyticRuleVersion41'))))]",
- "analyticRuleVersion42": "1.0.7",
- "analyticRulecontentId42": "7d7e20f8-3384-4b71-811c-f5e950e8306c",
+ "analyticRuleVersion42": "1.0.1",
+ "analyticRulecontentId42": "14f6da04-2f96-44ee-9210-9ccc1be6401e",
 "_analyticRulecontentId42": "[variables('analyticRulecontentId42')]",
 "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId42'))]",
 "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId42'))))]",
 "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId42'),'-', variables('analyticRuleVersion42'))))]",
- "analyticRuleVersion43": "1.0.3",
- "analyticRulecontentId43": "34c5aff9-a8c2-4601-9654-c7e46342d03b",
+ "analyticRuleVersion43": "1.0.4",
+ "analyticRulecontentId43": "70fc7201-f28e-4ba7-b9ea-c04b96701f13",
 "_analyticRulecontentId43": "[variables('analyticRulecontentId43')]",
 "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId43'))]",
 "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId43'))))]",
 "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId43'),'-', variables('analyticRuleVersion43'))))]",
- "analyticRuleVersion44": "1.0.4",
- "analyticRulecontentId44": "269435e3-1db8-4423-9dfc-9bf59997da1c",
+ "analyticRuleVersion44": "1.0.7",
+ "analyticRulecontentId44": "7d7e20f8-3384-4b71-811c-f5e950e8306c",
 "_analyticRulecontentId44": "[variables('analyticRulecontentId44')]",
 "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId44'))]",
 "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId44'))))]",
 "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId44'),'-', variables('analyticRuleVersion44'))))]",
- "analyticRuleVersion45": "1.1.4",
- "analyticRulecontentId45": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee",
+ "analyticRuleVersion45": "1.0.3",
+ "analyticRulecontentId45": "34c5aff9-a8c2-4601-9654-c7e46342d03b",
 "_analyticRulecontentId45": "[variables('analyticRulecontentId45')]",
 "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId45'))]",
 "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId45'))))]",
 "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId45'),'-', variables('analyticRuleVersion45'))))]",
- "analyticRuleVersion46": "1.0.2",
- "analyticRulecontentId46": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba",
+ "analyticRuleVersion46": "1.0.4",
+ 
"analyticRulecontentId46": "269435e3-1db8-4423-9dfc-9bf59997da1c",
 "_analyticRulecontentId46": "[variables('analyticRulecontentId46')]",
 "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId46'))]",
 "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId46'))))]",
 "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId46'),'-', variables('analyticRuleVersion46'))))]",
- "analyticRuleVersion47": "1.0.1",
- "analyticRulecontentId47": "d3980830-dd9d-40a5-911f-76b44dfdce16",
+ "analyticRuleVersion47": "1.1.4",
+ "analyticRulecontentId47": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee",
 "_analyticRulecontentId47": "[variables('analyticRulecontentId47')]",
 "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId47'))]",
 "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId47'))))]",
 "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId47'),'-', variables('analyticRuleVersion47'))))]",
- "analyticRuleVersion48": "2.1.3",
- "analyticRulecontentId48": "500c103a-0319-4d56-8e99-3cec8d860757",
+ "analyticRuleVersion48": "1.0.3",
+ "analyticRulecontentId48": "fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba",
 "_analyticRulecontentId48": "[variables('analyticRulecontentId48')]",
 "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId48'))]",
 "analyticRuleTemplateSpecName48": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId48'))))]", "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId48'),'-', variables('analyticRuleVersion48'))))]", - "analyticRuleVersion49": "2.1.3", - "analyticRulecontentId49": "28b42356-45af-40a6-a0b4-a554cdfd5d8a", + "analyticRuleVersion49": "1.0.2", + "analyticRulecontentId49": "d3980830-dd9d-40a5-911f-76b44dfdce16", "_analyticRulecontentId49": "[variables('analyticRulecontentId49')]", "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId49'))]", "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId49'))))]", "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId49'),'-', variables('analyticRuleVersion49'))))]", - "analyticRuleVersion50": "1.0.4", - "analyticRulecontentId50": "48607a29-a26a-4abf-8078-a06dbdd174a4", + "analyticRuleVersion50": "2.1.3", + "analyticRulecontentId50": "500c103a-0319-4d56-8e99-3cec8d860757", "_analyticRulecontentId50": "[variables('analyticRulecontentId50')]", "analyticRuleId50": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId50'))]", "analyticRuleTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId50'))))]", "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId50'),'-', variables('analyticRuleVersion50'))))]",
- "analyticRuleVersion51": "2.1.6",
- "analyticRulecontentId51": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2",
+ "analyticRuleVersion51": "2.1.3",
+ "analyticRulecontentId51": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
  "_analyticRulecontentId51": "[variables('analyticRulecontentId51')]",
  "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId51'))]",
  "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId51'))))]",
  "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId51'),'-', variables('analyticRuleVersion51'))))]",
- "analyticRuleVersion52": "1.0.1",
- "analyticRulecontentId52": "3a3c6835-0086-40ca-b033-a93bf26d878f",
+ "analyticRuleVersion52": "1.0.5",
+ "analyticRulecontentId52": "48607a29-a26a-4abf-8078-a06dbdd174a4",
  "_analyticRulecontentId52": "[variables('analyticRulecontentId52')]",
  "analyticRuleId52": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId52'))]",
  "analyticRuleTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId52'))))]",
  "_analyticRulecontentProductId52": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId52'),'-', variables('analyticRuleVersion52'))))]",
- "analyticRuleVersion53": "1.0.1",
- "analyticRulecontentId53": "3533f74c-9207-4047-96e2-0eb9383be587",
+ "analyticRuleVersion53": "2.1.6",
+ 
"analyticRulecontentId53": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2", "_analyticRulecontentId53": "[variables('analyticRulecontentId53')]", "analyticRuleId53": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId53'))]", "analyticRuleTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId53'))))]", "_analyticRulecontentProductId53": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId53'),'-', variables('analyticRuleVersion53'))))]", "analyticRuleVersion54": "1.0.2", - "analyticRulecontentId54": "6852d9da-8015-4b95-8ecf-d9572ee0395d", + "analyticRulecontentId54": "3a3c6835-0086-40ca-b033-a93bf26d878f", "_analyticRulecontentId54": "[variables('analyticRulecontentId54')]", "analyticRuleId54": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId54'))]", "analyticRuleTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId54'))))]", "_analyticRulecontentProductId54": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId54'),'-', variables('analyticRuleVersion54'))))]", - "analyticRuleVersion55": "1.0.7", - "analyticRulecontentId55": "acc4c247-aaf7-494b-b5da-17f18863878a", + "analyticRuleVersion55": "1.0.1", + "analyticRulecontentId55": "3533f74c-9207-4047-96e2-0eb9383be587", "_analyticRulecontentId55": "[variables('analyticRulecontentId55')]", "analyticRuleId55": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId55'))]", "analyticRuleTemplateSpecName55": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId55'))))]", "_analyticRulecontentProductId55": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId55'),'-', variables('analyticRuleVersion55'))))]", - "analyticRuleVersion56": "2.0.2", - "analyticRulecontentId56": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c", + "analyticRuleVersion56": "1.0.2", + "analyticRulecontentId56": "6852d9da-8015-4b95-8ecf-d9572ee0395d", "_analyticRulecontentId56": "[variables('analyticRulecontentId56')]", "analyticRuleId56": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId56'))]", "analyticRuleTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId56'))))]", "_analyticRulecontentProductId56": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId56'),'-', variables('analyticRuleVersion56'))))]", - "analyticRuleVersion57": "1.0.4", - "analyticRulecontentId57": "4d94d4a9-dc96-410a-8dea-4d4d4584188b", + "analyticRuleVersion57": "1.0.0", + "analyticRulecontentId57": "aec77100-25c5-4254-a20a-8027ed92c46c", "_analyticRulecontentId57": "[variables('analyticRulecontentId57')]", "analyticRuleId57": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId57'))]", "analyticRuleTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId57'))))]", "_analyticRulecontentProductId57": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId57'),'-', variables('analyticRuleVersion57'))))]",
  "analyticRuleVersion58": "1.0.8",
- "analyticRulecontentId58": "050b9b3d-53d0-4364-a3da-1b678b8211ec",
+ "analyticRulecontentId58": "acc4c247-aaf7-494b-b5da-17f18863878a",
  "_analyticRulecontentId58": "[variables('analyticRulecontentId58')]",
  "analyticRuleId58": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId58'))]",
  "analyticRuleTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId58'))))]",
  "_analyticRulecontentProductId58": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId58'),'-', variables('analyticRuleVersion58'))))]",
- "analyticRuleVersion59": "1.0.0",
- "analyticRulecontentId59": "4f42b94f-b210-42d1-a023-7fa1c51d969f",
+ "analyticRuleVersion59": "2.0.2",
+ "analyticRulecontentId59": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c",
  "_analyticRulecontentId59": "[variables('analyticRulecontentId59')]",
  "analyticRuleId59": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId59'))]",
  "analyticRuleTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId59'))))]",
  "_analyticRulecontentProductId59": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId59'),'-', variables('analyticRuleVersion59'))))]",
- "analyticRuleVersion60": "1.0.0",
- "analyticRulecontentId60": "aec77100-25c5-4254-a20a-8027ed92c46c",
+ "analyticRuleVersion60": "1.0.5",
+ "analyticRulecontentId60": 
"4d94d4a9-dc96-410a-8dea-4d4d4584188b", "_analyticRulecontentId60": "[variables('analyticRulecontentId60')]", "analyticRuleId60": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId60'))]", "analyticRuleTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId60'))))]", "_analyticRulecontentProductId60": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId60'),'-', variables('analyticRuleVersion60'))))]", + "analyticRuleVersion61": "1.0.0", + "analyticRulecontentId61": "746ddb63-f51b-4563-b449-a8b13cf302ec", + "_analyticRulecontentId61": "[variables('analyticRulecontentId61')]", + "analyticRuleId61": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId61'))]", + "analyticRuleTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId61'))))]", + "_analyticRulecontentProductId61": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId61'),'-', variables('analyticRuleVersion61'))))]", + "analyticRuleVersion62": "1.0.8", + "analyticRulecontentId62": "050b9b3d-53d0-4364-a3da-1b678b8211ec", + "_analyticRulecontentId62": "[variables('analyticRulecontentId62')]", + "analyticRuleId62": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId62'))]", + "analyticRuleTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId62'))))]", + "_analyticRulecontentProductId62": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId62'),'-', variables('analyticRuleVersion62'))))]", "Block-AADUser-alert-trigger": "Block-AADUser-alert-trigger", "_Block-AADUser-alert-trigger": "[variables('Block-AADUser-alert-trigger')]", "playbookVersion1": "1.1", @@ -535,7 +547,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure Active Directory data connector with template version 3.0.6", + "description": "Microsoft Entra ID data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -551,9 +563,9 @@
  "properties": {
  "connectorUiConfig": {
  "id": "[variables('_uiConfigId1')]",
- "title": "Azure Active Directory",
+ "title": "Microsoft Entra ID",
  "publisher": "Microsoft",
- "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
  "graphQueries": [
  {
  "metricName": "Total data received",
@@ -699,7 +711,7 @@
  "version": "[variables('dataConnectorVersion1')]",
  "source": {
  "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
  "sourceId": "[variables('_solutionId')]"
  },
  "author": {
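Review bot: The rewritten descriptionMarkdown on the new side of @@ -551,9 +563,9 @@ keeps the wording slip `legacy auth relate details`; since the whole line is being replaced anyway, this is the moment to make it `legacy auth related details`. The same string is rewritten again in the StaticUI hunk at @@ -767,9 +779,9 @@ and should get the identical fix so the two connector descriptions do not drift apart. The `"id": "[variables('_uiConfigId1')]"` line directly above is untouched, so the title rename does not re-key the connector, which is presumably the intent.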
@@ -723,7 +735,7 @@
  "contentSchemaVersion": "3.0.0",
  "contentId": "[variables('_dataConnectorContentId1')]",
  "contentKind": "DataConnector",
- "displayName": "Azure Active Directory",
+ "displayName": "Microsoft Entra ID",
  "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
  "id": "[variables('_dataConnectorcontentProductId1')]",
  "version": "[variables('dataConnectorVersion1')]"
@@ -744,7 +756,7 @@
  "version": "[variables('dataConnectorVersion1')]",
  "source": {
  "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
  "sourceId": "[variables('_solutionId')]"
  },
  "author": {
@@ -767,9 +779,9 @@
  "kind": "StaticUI",
  "properties": {
  "connectorUiConfig": {
- "title": "Azure Active Directory",
+ "title": "Microsoft Entra ID",
  "publisher": "Microsoft",
- "descriptionMarkdown": "Gain insights into Azure Active Directory by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Azure Active Directory scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Azure Active Directory Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
+ "descriptionMarkdown": "Gain insights into Microsoft Entra ID by connecting Audit and Sign-in logs to Microsoft Sentinel to gather insights around Microsoft Entra ID scenarios. You can learn about app usage, conditional access policies, legacy auth relate details using our Sign-in logs. You can get information on your Self Service Password Reset (SSPR) usage, Microsoft Entra ID Management activities like user, group, role, app management using our Audit logs table. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/?linkid=2219715&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
  "graphQueries": [
  {
  "metricName": "Total data received",
@@ -914,7 +926,7 @@
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.6",
+ "description": "AzureActiveDirectoryAuditLogsWorkbook Workbook with template version 3.0.7",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "[variables('workbookVersion1')]",
@@ -928,11 +940,11 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." + "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps." }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Azure AD audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", 
tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label 
= strcat(Result, ' - ', Count, ' sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Category = 'All', Categorys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories 
volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", 
tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif 
(tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", 
\\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Microsoft Entra ID audit logs\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"bc372bf5-2dcd-4efa-aa85-94b6e6fafe14\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}},{\"id\":\"e032b9f7-5449-4180-9c20-75760afa96f6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| where SourceSystem == \\\"Azure AD\\\"\\r\\n| extend 
initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiator!= \\\"\\\"\\r\\n| summarize Count = count() by initiator\\r\\n| order by Count desc, initiator asc\\r\\n| project Value = initiator, Label = strcat(initiator, ' - ', Count), Selected = false\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0a59a0b3-6d93-4fee-bdbe-147383c510c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by Category\\r\\n| order by Count desc, Category asc\\r\\n| project Value = Category, Label = strcat(Category, ' - ', Count)\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4d2b245b-5e59-4eb6-9f51-ba926581ab47\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Result\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AuditLogs\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| summarize Count = count() by 
Result\\r\\n| order by Count desc, Result asc\\r\\n| project Value = Result, Label = strcat(Result, ' - ', Count, ' sign-ins')\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\"},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\\r\\n| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User});\\r\\ndata\\r\\n| summarize Count = count() by Category\\r\\n| join kind = fullouter (datatable(Category:string)['Medium', 'high', 'low']) on Category\\r\\n| project Category = iff(Category == '', Category1, Category), Count = iff(Category == '', 0, Count)\\r\\n| join kind = inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Category)\\r\\n on Category\\r\\n| project-away Category1, TimeGenerated\\r\\n| extend Category = Category\\r\\n| union (\\r\\n data \\r\\n | summarize Count = count() \\r\\n | extend jkey = 1\\r\\n | join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\\r\\n | extend jkey = 1) on jkey\\r\\n | extend Category = 'All', Categorys = '*' \\r\\n)\\r\\n| order by Count desc\\r\\n| take 10\",\"size\":4,\"title\":\"Categories 
volume\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"CategoryFIlter\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":21,\"formatOptions\":{\"palette\":\"purple\",\"showIcon\":true}},\"showBorder\":false}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = AuditLogs\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User})\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where Category == '{CategoryFIlter}' or '{CategoryFIlter}' == \\\"All\\\";\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by OperationName, Category\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName\\r\\n | project-away TimeGenerated) on OperationName\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, TotalCount, Trend, Category\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", 
tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\"), Category, OperationName\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by OperationName, initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n | project-away TimeGenerated) on OperationName, initiator\\r\\n| order by TotalCount desc, OperationName asc\\r\\n| project OperationName, initiator, TotalCount, Category, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on OperationName\\r\\n| project Id, Name = initiator, Type = 'initiator', ['Operations Count'] = TotalCount, Trend, Category, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = OperationName, Type = 'Operation', ['Operations Count'] = TotalCount, Category, Trend)\\r\\n| order by ['Operations Count'] desc, Name asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"UserInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", \\\"Type\\\":\\\"*\\\"}\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Type\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Operations 
Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"blue\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\",\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5,\"formatOptions\":{\"showIcon\":true}}],\"rowLimit\":1000,\"filter\":true,\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"showPin\":true,\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nAuditLogs\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| extend initiatingUserPrincipalName = iif (tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n//| where initiatingUserPrincipalName != \\\"\\\" \\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiatingUserPrincipalName in ({User})\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiatingUserPrincipalName == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| summarize Activities = count() by initiatingUserPrincipalName\\r\\n| sort by Activities desc nulls last \",\"size\":0,\"title\":\"Top active users\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let details = dynamic({UserInfo});\\r\\nlet data = AuditLogs\\r\\n| extend initiator = iif 
(tostring(InitiatedBy.user.userPrincipalName) != \\\"\\\", tostring(InitiatedBy.user.userPrincipalName), \\\"unknown\\\")\\r\\n| where details.Type == '*' or (details.Type == 'initiator' and initiator == details.Name) or (details.Type == 'Operation' and OperationName == details.Name)\\r\\n| where \\\"{Category:lable}\\\" == \\\"All\\\" or Category in ({Category})\\r\\n| where \\\"{Result:lable}\\\" == \\\"All\\\" or Result in ({Result})\\r\\n| where \\\"{User:lable}\\\" == \\\"All\\\" or initiator in ({User});\\r\\nlet appData = data\\r\\n| summarize TotalCount = count() by Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result\\r\\n | project-away TimeGenerated) on Result\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, TotalCount, Trend\\r\\n| serialize Id = row_number();\\r\\ndata\\r\\n| summarize TotalCount = count() by OperationName, Result\\r\\n| join kind=inner (data\\r\\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by Result, OperationName\\r\\n | project-away TimeGenerated) on Result, OperationName\\r\\n| order by TotalCount desc, Result asc\\r\\n| project Result, OperationName, TotalCount, Trend\\r\\n| serialize Id = row_number(1000000)\\r\\n| join kind=inner (appData) on Result\\r\\n| project Id, Name = OperationName, Type = 'Operation', ['Results Count'] = TotalCount, Trend, ParentId = Id1\\r\\n| union (appData \\r\\n | project Id, Name = Result, Type = 'Result', ['Results Count'] = TotalCount, Trend)\\r\\n| order by ['Results Count'] desc, Name asc\",\"size\":0,\"title\":\"Result status\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportParameterName\":\"ResultInfo\",\"exportDefaultValue\":\"{ \\\"Name\\\":\\\"\\\", 
\\\"Type\\\":\\\"*\\\"}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Id\",\"formatter\":5},{\"columnMatch\":\"Type\",\"formatter\":5},{\"columnMatch\":\"Results Count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"grayBlue\"}},{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},{\"columnMatch\":\"ParentId\",\"formatter\":5}],\"hierarchySettings\":{\"idColumn\":\"Id\",\"parentColumn\":\"ParentId\",\"treeType\":0,\"expanderColumn\":\"Name\"}}},\"customWidth\":\"70\",\"name\":\"query - 5\"}],\"fallbackResourceIds\":[\"\"],\"fromTemplateId\":\"sentinel-AzureActiveDirectoryAuditLogs\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -943,14 +955,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the audit logs to gather insights around Azure AD scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Azure AD Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=AzureActiveDirectoryAuditLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the audit logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about user operations, including password and group management, device activities, and top active users and apps.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.2.0; title=Microsoft Entra ID Audit logs; templateRelativePath=AzureActiveDirectoryAuditLogs.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId1')]",
 "contentId": "[variables('_workbookContentId1')]",
 "kind": "Workbook",
 "version": "[variables('workbookVersion1')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1002,7 +1014,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.6",
+ "description": "AzureActiveDirectorySigninsWorkbook Workbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -1016,7 +1028,7 @@
 "kind": "shared",
 "apiVersion": "2021-08-01",
 "metadata": {
- "description": "Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
+ "description": "Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures."
 },
 "properties": {
 "displayName": "[parameters('workbook2-name')]",
@@ -1031,14 +1043,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Azure Active Directory by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Azure AD scenarios. \nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Azure AD Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=AzureActiveDirectorySigninLogsWorkbook; logoFileName=azureactivedirectory_logo.svg; description=Gain insights into Microsoft Entra ID by connecting Microsoft Sentinel and using the sign-in logs to gather insights around Microsoft Entra ID scenarios. 
\nYou can learn about sign-in operations, such as user sign-ins and locations, email addresses, and IP addresses of your users, as well as failed activities and the errors that triggered the failures.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.4.0; title=Microsoft Entra ID Sign-in logs; templateRelativePath=AzureActiveDirectorySignins.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId2')]",
 "contentId": "[variables('_workbookContentId2')]",
 "kind": "Workbook",
 "version": "[variables('workbookVersion2')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1090,7 +1102,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion1')]",
@@ -1132,26 +1144,26 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "DeletedByIPAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "DeletedByIPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1161,14 +1173,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 1",
+ "description": "Microsoft Entra ID Analytics Rule 1",
 "parentId": "[variables('analyticRuleId1')]",
 "contentId": "[variables('_analyticRulecontentId1')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion1')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1207,7 +1219,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion2')]",
@@ -1249,26 +1261,26 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "InitiatedUserIpAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "InitiatedUserIpAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1278,14 +1290,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 2",
+ "description": "Microsoft Entra ID Analytics Rule 2",
 "parentId": "[variables('analyticRuleId2')]",
 "contentId": "[variables('_analyticRulecontentId2')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion2')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1324,7 +1336,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion3')]",
@@ -1363,26 +1375,26 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "InitiatingIpAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "InitiatingIpAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1392,14 +1404,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 3",
+ "description": "Microsoft Entra ID Analytics Rule 3",
 "parentId": "[variables('analyticRuleId3')]",
 "contentId": "[variables('_analyticRulecontentId3')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion3')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1438,7 +1450,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion4')]",
@@ -1480,13 +1492,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPAddress"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1496,14 +1508,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 4",
+ "description": "Microsoft Entra ID Analytics Rule 4",
 "parentId": "[variables('analyticRuleId4')]",
 "contentId": "[variables('_analyticRulecontentId4')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion4')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1542,7 +1554,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion5')]",
@@ -1556,7 +1568,7 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+ "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). 
This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", "displayName": "Admin promotion after Role Management Application Permission Grant", "enabled": false, "query": "let query_frequency = 1h;\nlet query_period = 2h;\nAuditLogs\n| where TimeGenerated > ago(query_period)\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\"\n| where OperationName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResource = TargetResources\n| mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n| where tostring(modifiedProperty[\"displayName\"]) == \"AppRole.Value\"\n| extend PermissionGrant = tostring(modifiedProperty[\"newValue\"])\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply modifiedProperty = TargetResource[\"modifiedProperties\"] on (\n summarize modifiedProperties = make_bag(\n bag_pack(tostring(modifiedProperty[\"displayName\"]),\n bag_pack(\"oldValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"oldValue\"])),\n \"newValue\", trim(@'[\\\"\\s]+', tostring(modifiedProperty[\"newValue\"])))), 100)\n)\n| project\n PermissionGrant_TimeGenerated = TimeGenerated,\n PermissionGrant_OperationName = OperationName,\n PermissionGrant_Result = Result,\n PermissionGrant,\n AppDisplayName = tostring(modifiedProperties[\"ServicePrincipal.DisplayName\"][\"newValue\"]),\n AppServicePrincipalId = tostring(modifiedProperties[\"ServicePrincipal.ObjectID\"][\"newValue\"]),\n PermissionGrant_InitiatedBy = InitiatedBy,\n PermissionGrant_TargetResources = TargetResources,\n PermissionGrant_AdditionalDetails = AdditionalDetails,\n PermissionGrant_CorrelationId = CorrelationId\n| join kind=inner (\n AuditLogs\n | where TimeGenerated > ago(query_frequency)\n | where Category =~ \"RoleManagement\" and 
LoggedByService =~ \"Core Directory\" and AADOperationType =~ \"Assign\"\n | where isnotempty(InitiatedBy[\"app\"])\n | mv-expand TargetResource = TargetResources\n | mv-expand modifiedProperty = TargetResource[\"modifiedProperties\"]\n | where tostring(modifiedProperty[\"displayName\"]) in (\"Role.DisplayName\", \"RoleDefinition.DisplayName\")\n | extend RoleAssignment = tostring(modifiedProperty[\"newValue\"])\n | where RoleAssignment contains \"Admin\"\n | project\n RoleAssignment_TimeGenerated = TimeGenerated,\n RoleAssignment_OperationName = OperationName,\n RoleAssignment_Result = Result,\n RoleAssignment,\n TargetType = tostring(TargetResources[0][\"type\"]),\n Target = iff(isnotempty(TargetResources[0][\"displayName\"]), tostring(TargetResources[0][\"displayName\"]), tolower(TargetResources[0][\"userPrincipalName\"])),\n TargetId = tostring(TargetResources[0][\"id\"]),\n RoleAssignment_InitiatedBy = InitiatedBy,\n RoleAssignment_TargetResources = TargetResources,\n RoleAssignment_AdditionalDetails = AdditionalDetails,\n RoleAssignment_CorrelationId = CorrelationId,\n AppServicePrincipalId = tostring(InitiatedBy[\"app\"][\"servicePrincipalId\"])\n ) on AppServicePrincipalId\n| where PermissionGrant_TimeGenerated < RoleAssignment_TimeGenerated\n| extend\n TargetName = tostring(split(Target, \"@\")[0]),\n TargetUPNSuffix = tostring(split(Target, \"@\")[1])\n| project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId\n", 
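Review bot: The new description on the `+` line of hunk @@ -1556,7 +1568,7 @@ introduces a grammar slip where the mechanical rename turned "an Azure AD object" into "an Microsoft Entra ID object"; the article has to change with the noun: `add a Microsoft Entra ID object or user account to an Admin directory role`. The remainder of that sentence and the rest of the rule text are unchanged and read cleanly. The enclosing rule resource starts and ends outside this hunk.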
@@ -1586,26 +1598,26 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AppDisplayName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AppDisplayName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "TargetName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "TargetName"
 },
 {
- "columnName": "TargetUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "TargetUPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -1615,14 +1627,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 5",
+ "description": "Microsoft Entra ID Analytics Rule 5",
 "parentId": "[variables('analyticRuleId5')]",
 "contentId": "[variables('_analyticRulecontentId5')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion5')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -1661,7 +1673,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion6')]",
@@ -1675,7 +1687,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application", + "description": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application", "displayName": "Anomalous sign-in location by user account and authenticating application", "enabled": false, "query": "// Adjust this figure to adjust how sensitive this detection is\nlet sensitivity = 2.5;\nlet AuthEvents = materialize(\nunion isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs\n| where TimeGenerated > ago(7d)\n| where ResultType == 0\n| extend LocationDetails = LocationDetails_dynamic\n| extend Location = strcat(LocationDetails.countryOrRegion, \"-\", LocationDetails.state,\"-\", LocationDetails.city)\n| where Location != \"--\");\nAuthEvents\n| summarize dcount(Location) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)\n| where dcount_Location > 2\n| summarize CountOfLocations = make_list(dcount_Location, 10000), TimeStamp = make_list(TimeGenerated, 10000) by AppId, UserId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')\n| mv-expand CountOfLocations to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId\n| extend SignInDetails = bag_pack(\"TimeGenerated\", TimeGenerated, \"Location\", Location, \"Source\", IPAddress, \"Device\", DeviceDetail_dynamic)\n| summarize 
SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeStamp, AppId, AppDisplayName\n| extend Name = split(UserPrincipalName, \"@\")[0], UPNSuffix = split(UserPrincipalName, \"@\")[1]\n", @@ -1709,21 +1721,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" } ], "eventGroupingSettings": { @@ -1734,7 +1746,7 @@ }, "alertDetailsOverride": { "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}", - "alertDescriptionFormat": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active\nDirectory application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n" + "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n" } } }, 
@@ -1743,14 +1755,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 6", + "description": "Microsoft Entra ID Analytics Rule 6", "parentId": "[variables('analyticRuleId6')]", "contentId": "[variables('_analyticRulecontentId6')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion6')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -1789,7 +1801,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion7')]", 
@@ -1831,39 +1843,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "InitiatorUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IP", - "identifier": "Address" + "identifier": "Address", + "columnName": "IP" } - ] + ], + "entityType": "IP" } ] } @@ -1873,14 +1885,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 7", + "description": "Microsoft Entra ID Analytics Rule 7", "parentId": "[variables('analyticRuleId7')]", "contentId": "[variables('_analyticRulecontentId7')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion7')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -1919,7 +1931,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion8')]", 
@@ -1933,8 +1945,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", - "displayName": "Azure Active Directory PowerShell accessing non-AAD resources", + "description": "This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", + "displayName": "Microsoft Entra ID PowerShell accessing non-Entra ID resources", "enabled": false, "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, 
UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", "queryFrequency": "PT1H", @@ -1967,30 +1979,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -2000,14 +2012,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 8", + "description": "Microsoft Entra ID Analytics Rule 8", "parentId": "[variables('analyticRuleId8')]", "contentId": "[variables('_analyticRulecontentId8')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion8')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
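Review bot: The renamed description in the `@@ -1933,8 +1945,8 @@` hunk now speaks of the "Microsoft Entra ID PowerShell module", but the reference it links is still the `azuread` module page and the unchanged query comment on the same hunk identifies the AppId as `Azure Active Directory PowerShell`, which is what analysts will see in the `AppDisplayName` column of SigninLogs. A blanket rename of the product name inside this sentence therefore makes the text disagree with the artefacts it points to. I would keep the module's actual name in that sentence, e.g. `For capabilities and expected behavior of the AzureAD PowerShell module, see: ...`, and leave the `AppDisplayName IS Azure Active Directory PowerShell` comment as the authoritative hint for matching events. Since this mainTemplate appears to be generated from the rule YAML, the wording should presumably be corrected in the source rule and the package regenerated.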
@@ -2031,7 +2043,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId8')]", "contentKind": "AnalyticsRule", - "displayName": "Azure Active Directory PowerShell accessing non-AAD resources", + "displayName": "Microsoft Entra ID PowerShell accessing non-Entra ID resources", "contentProductId": "[variables('_analyticRulecontentProductId8')]", "id": "[variables('_analyticRulecontentProductId8')]", "version": "[variables('analyticRuleVersion8')]" @@ -2046,7 +2058,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion9')]", 
@@ -2060,8 +2072,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", - "displayName": "Azure AD Role Management Permission Grant", + "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "displayName": "Microsoft Entra ID Role Management Permission Grant", "enabled": false, "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\" and LoggedByService =~ \"Core Directory\" and OperationName in~ (\"Add delegated permission grant\", \"Add app role assignment to service principal\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n | extend props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n 
(\n where Property.displayName in~ (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n | extend DisplayName = tostring(Property.displayName), PermissionGrant = trim('\"',tostring(Property.newValue))\n )\n| where PermissionGrant has \"RoleManagement.ReadWrite.Directory\"\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.DisplayName\"\n | extend AppDisplayName = trim('\"',tostring(Property.newValue))\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"ServicePrincipal.ObjectID\"\n | extend AppServicePrincipalId = trim('\"',tostring(Property.newValue))\n )\n| extend \n Initiator = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.displayName), tostring(InitiatedBy.user.userPrincipalName)),\n InitiatorId = iif(isnotempty(InitiatedBy.app), tostring(InitiatedBy.app.servicePrincipalId), tostring(InitiatedBy.user.id))\n| project TimeGenerated, OperationName, Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, Initiator, InitiatorId, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId\n| extend Name = tostring(split(Initiator,'@',0)[0]), UPNSuffix = tostring(split(Initiator,'@',1)[0])\n", "queryFrequency": "PT2H", @@ -2090,26 +2102,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "AppDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AppDisplayName" } - ] + ], + "entityType": "Account" } ] } 
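Review bot: The rewritten description in the `@@ -2060,8 +2072,8 @@` hunk introduces a grammatical error: "add an Microsoft Entra ID object" should read `An adversary could use this permission to add a Microsoft Entra ID object to an Admin directory role and escalate privileges.`. This text is surfaced to analysts in the rule gallery and in incidents, so it is worth fixing before release. Because this file looks generated from the analytic-rule YAML (the contentTemplate in the preceding hunk names it `AzureADRoleManagementPermissionGrant_AnalyticalRules`), the fix presumably belongs in that YAML followed by regenerating the package rather than an edit to mainTemplate.json alone.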
@@ -2119,14 +2131,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 9", + "description": "Microsoft Entra ID Analytics Rule 9", "parentId": "[variables('analyticRuleId9')]", "contentId": "[variables('_analyticRulecontentId9')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion9')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -2150,7 +2162,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId9')]", "contentKind": "AnalyticsRule", - "displayName": "Azure AD Role Management Permission Grant", + "displayName": "Microsoft Entra ID Role Management Permission Grant", "contentProductId": "[variables('_analyticRulecontentProductId9')]", "id": "[variables('_analyticRulecontentProductId9')]", "version": "[variables('analyticRuleVersion9')]" @@ -2165,7 +2177,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion10')]", 
@@ -2207,30 +2219,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ], "alertDetailsOverride": { @@ -2244,14 +2256,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 10", + "description": "Microsoft Entra ID Analytics Rule 10", "parentId": "[variables('analyticRuleId10')]", "contentId": "[variables('_analyticRulecontentId10')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion10')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2290,7 +2302,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion11')]", 
@@ -2304,7 +2316,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", + "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Microsoft Entra ID, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", "displayName": "Brute Force Attack against GitHub Account", "enabled": false, "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h; \nlet sensitivity = 2.5;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where TimeGenerated between (ago(EndLearningTime) .. ago(EndRunTime))\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType != 0\n| make-series FailedLogins = count() on TimeGenerated from ago(LearningPeriod) to ago(EndRunTime) step BinTime by UserPrincipalName, Type\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(FailedLogins, sensitivity, -1, 'linefit')\n| mv-expand FailedLogins to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) \n| where TimeGenerated >= ago(RunTime)\n| where Anomalies > 0 and Baseline > 0\n| join kind=inner (\n table(tableName) \n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\n | where AppDisplayName =~ \"GitHub.com\"\n | where ResultType != 0\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddresses = make_set(IPAddress,100), Locations = make_set(LocationDetails,20), Devices = make_set(DeviceDetail,20) by UserPrincipalName \n ) on UserPrincipalName\n| extend timestamp = TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", @@ -2338,17 +2350,17 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -2358,14 +2370,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 11", + "description": "Microsoft Entra ID Analytics Rule 11", "parentId": "[variables('analyticRuleId11')]", "contentId": "[variables('_analyticRulecontentId11')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion11')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2404,7 +2416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion12')]", @@ -2446,26 +2458,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddressFirst", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddressFirst" } - ] + ], + "entityType": "IP" } ] } @@ -2475,14 +2487,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 12", + "description": "Microsoft Entra ID Analytics Rule 12", "parentId": "[variables('analyticRuleId12')]", "contentId": "[variables('_analyticRulecontentId12')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion12')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2521,7 +2533,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion13')]", @@ -2563,30 +2575,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByUserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatedByUserName" }, { - "columnName": "InitiatedByUserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatedByUserUPNSuffix" } - ] + ], + "entityType": "Account" } ], "customDetails": { 
@@ -2600,14 +2612,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 13", + "description": "Microsoft Entra ID Analytics Rule 13", "parentId": "[variables('analyticRuleId13')]", "contentId": "[variables('_analyticRulecontentId13')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion13')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -2646,7 +2658,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion14')]", 
@@ -2660,8 +2672,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", - "displayName": "Attempt to bypass conditional access rule in Azure AD", + "description": "Identifies an attempt to Bypass conditional access rule(s) in Microsoft Entra ID.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences:\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", + "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", "enabled": false, "query": "let threshold = 1; // Modify this threshold value to reduce false positives based on your environment\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ 
\"failure\"\n| mv-apply CAP = parse_json(ConditionalAccessPolicies) on (\n project ConditionalAccessPoliciesName = CAP.displayName, result = CAP.result\n | where result =~ \"failure\"\n)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend Status = strcat(StatusCode, \": \", ResultDescription)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status,10), StatusDetails = make_list(StatusDetails,50), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId,100), ConditionalAccessPoliciesName = make_list(ConditionalAccessPoliciesName,100)\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mv-expand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses,100), Status = make_set(Status,10), CorrelationIds = make_set(CorrelationIds,100), ConditionalAccessPoliciesName = make_set(ConditionalAccessPoliciesName,100)\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, IPAddressCount, Type\n| extend timestamp = StartTime, IPAddresses = tostring(IPAddresses), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion 
isfuzzy=true aadSignin, aadNonInt\n", "queryFrequency": "P1D", @@ -2696,26 +2708,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddresses", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddresses" } - ] + ], + "entityType": "IP" } ] } @@ -2725,14 +2737,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 14", + "description": "Microsoft Entra ID Analytics Rule 14", "parentId": "[variables('analyticRuleId14')]", "contentId": "[variables('_analyticRulecontentId14')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion14')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -2756,7 +2768,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId14')]", "contentKind": "AnalyticsRule", - "displayName": "Attempt to bypass conditional access rule in Azure AD", + "displayName": "Attempt to bypass conditional access rule in Microsoft Entra ID", "contentProductId": "[variables('_analyticRulecontentProductId14')]", "id": "[variables('_analyticRulecontentProductId14')]", "version": "[variables('analyticRuleVersion14')]" 
@@ -2771,7 +2783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion15')]", @@ -2810,26 +2822,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "Consent_InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "Consent_InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } @@ -2839,14 +2851,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 15", + "description": "Microsoft Entra ID Analytics Rule 15", "parentId": "[variables('analyticRuleId15')]", "contentId": "[variables('_analyticRulecontentId15')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion15')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -2885,7 +2897,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
-"description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.6",
+"description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion16')]",
@@ -2899,7 +2911,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Azure AD Cross-tenant Access Settings.", + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is added other than the list that is supposed to exist from the Microsoft Entra ID Cross-tenant Access Settings.", "displayName": "Cross-tenant Access Settings Organization Added", "enabled": false, "query": "// Tenants IDs can be found by navigating to Azure Active Directory then from menu on the left, select External Identities, then from menu on the left, select Cross-tenant access settings and from the list shown of Tenants\nlet ExpectedTenantIDs = dynamic([\"List of expected tenant IDs\",\"Tenant ID 2\"]);\nAuditLogs\n| where OperationName has \"Add a partner to cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantIDAdded = trim('\"',tostring(Property.newValue))\n )\n| where ExtTenantIDAdded !in (ExpectedTenantIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", 
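Review bot: The rename in this hunk stops at `description`; the first line of the unchanged `query` still directs analysts to "navigating to Azure Active Directory", so for consistency it should become `// Tenant IDs can be found by navigating to Microsoft Entra ID, then External Identities > Cross-tenant access settings`. A second point in the same query: `InitiatedByActionUserInformation` falls back to `InitiatedBy.app.displayName` when no user UPN is present, and the later `split(...,'@',0)` / `split(...,'@',1)` then places an application display name into the Account entity's `Name` with an empty `UPNSuffix`; if that is not intended, guarding the split with `iff(InitiatedByActionUserInformation has '@', ..., '')` keeps the Account entity to real UPNs while still alerting on app-initiated changes. Note also that `ExpectedTenantIDs` ships as a placeholder list, so until it is populated every partner addition fires — fail-noisy rather than fail-silent, which is the safer default, but worth stating in the rule description.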
@@ -2931,26 +2943,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } @@ -2960,14 +2972,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 16", + "description": "Microsoft Entra ID Analytics Rule 16", "parentId": "[variables('analyticRuleId16')]", "contentId": "[variables('_analyticRulecontentId16')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion16')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3006,7 +3018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion17')]", 
@@ -3020,7 +3032,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Azure AD Cross-tenant Access Settings.", + "description": "Organizations are added in the Cross-tenant Access Settings to control communication inbound or outbound for users and applications. This detection notifies when an Organization is deleted from the Microsoft Entra ID Cross-tenant Access Settings.", "displayName": "Cross-tenant Access Settings Organization Deleted", "enabled": false, "query": "AuditLogs\n| where OperationName has \"Delete partner specific cross-tenant access setting\"\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress\n| mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type =~ \"Policy\"\n | extend Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"tenantId\"\n | extend ExtTenantDeleted = trim('\"',tostring(Property.oldValue))\n )\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", 
@@ -3052,26 +3064,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } @@ -3081,14 +3093,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 17", + "description": "Microsoft Entra ID Analytics Rule 17", "parentId": "[variables('analyticRuleId17')]", "contentId": "[variables('_analyticRulecontentId17')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion17')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3127,7 +3139,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion18')]", 
@@ -3173,26 +3185,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } @@ -3202,14 +3214,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 18", + "description": "Microsoft Entra ID Analytics Rule 18", "parentId": "[variables('analyticRuleId18')]", "contentId": "[variables('_analyticRulecontentId18')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion18')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3248,7 +3260,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion19')]", 
@@ -3294,26 +3306,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } @@ -3323,14 +3335,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 19", + "description": "Microsoft Entra ID Analytics Rule 19", "parentId": "[variables('analyticRuleId19')]", "contentId": "[variables('_analyticRulecontentId19')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion19')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3369,7 +3381,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion20')]", 
@@ -3415,26 +3427,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } @@ -3444,14 +3456,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 20", + "description": "Microsoft Entra ID Analytics Rule 20", "parentId": "[variables('analyticRuleId20')]", "contentId": "[variables('_analyticRulecontentId20')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion20')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3490,7 +3502,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion21')]", 
@@ -3536,26 +3548,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } @@ -3565,14 +3577,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 21", + "description": "Microsoft Entra ID Analytics Rule 21", "parentId": "[variables('analyticRuleId21')]", "contentId": "[variables('_analyticRulecontentId21')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion21')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3611,7 +3623,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion22')]", 
@@ -3659,26 +3671,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -3688,14 +3700,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId22'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 22", + "description": "Microsoft Entra ID Analytics Rule 22", "parentId": "[variables('analyticRuleId22')]", "contentId": "[variables('_analyticRulecontentId22')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion22')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3734,7 +3746,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion23')]", 
@@ -3748,8 +3760,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.", - "displayName": "Distributed Password cracking attempts in AzureAD", + "description": "Identifies distributed password cracking attempts from the Microsoft Entra ID SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.", + "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", "enabled": false, "query": "let s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), 
Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString,100),\nIPAddress = make_set(IPAddress,100), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName,100), ResultDescription = make_set(ResultDescription,50),\nBrowser = make_set(Browser,20), OS = make_set(OS,20), SigninCount = count() by UserPrincipalName, Type\n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend Location = tostring(Location), IPAddress = tostring(IPAddress), AppDisplayName = tostring(AppDisplayName), ResultDescription = tostring(ResultDescription), Browser = tostring(Browser), OS = tostring(OS)\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", "queryFrequency": "P1D", 
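Review bot: In the unchanged `query` of this hunk, `Status = todynamic(DeviceDetail)` parses the device payload as the sign-in status, so `StatusCode = tostring(Status.errorCode)` and `StatusDetails = tostring(Status.additionalDetails)` are derived from the wrong column; it should read `Status = todynamic(Status)`, as the conditional-access bypass rule earlier in this template does. The defect is currently masked because the following `summarize` keys on `ResultDescription` and never emits `StatusCode`/`StatusDetails`, but anyone extending the rule to filter on `StatusDetails` (for example to exclude sign-ins that completed MFA) would silently match nothing. Since the commit already edits this rule's `description` and `displayName`, the one-token fix fits in the same hunk.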
@@ -3782,26 +3794,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -3811,14 +3823,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId23'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 23", + "description": "Microsoft Entra ID Analytics Rule 23", "parentId": "[variables('analyticRuleId23')]", "contentId": "[variables('_analyticRulecontentId23')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion23')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -3842,7 +3854,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId23')]", "contentKind": "AnalyticsRule", - "displayName": "Distributed Password cracking attempts in AzureAD", + "displayName": "Distributed Password cracking attempts in Microsoft Entra ID", "contentProductId": "[variables('_analyticRulecontentProductId23')]", "id": "[variables('_analyticRulecontentProductId23')]", "version": "[variables('analyticRuleVersion23')]" 
@@ -3857,7 +3869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion24')]", @@ -3905,35 +3917,35 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "columnName": "ClientAppUsed", - "identifier": "Url" + "identifier": "Url", + "columnName": "ClientAppUsed" } - ] + ], + "entityType": "URL" } ] } @@ -3943,14 +3955,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId24'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 24", + "description": "Microsoft Entra ID Analytics Rule 24", "parentId": "[variables('analyticRuleId24')]", "contentId": "[variables('_analyticRulecontentId24')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion24')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
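Review bot: The reordered `entityMappings` in the middle hunk still map `ClientAppUsed` to a `URL` entity with identifier `Url`; judging by the column name this is the sign-in client-application field rather than an address, so the entity will be populated with non-URL strings and any URL-based enrichment or threat-intel matching on it is meaningless — please confirm against the SigninLogs schema. If so, drop the third mapping and surface the value via `"customDetails": { "ClientAppUsed": "ClientAppUsed" }` on the same rule, keeping the Account and IP mappings as they are.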
@@ -3989,7 +4001,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion25')]", @@ -4031,32 +4043,32 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" } ], "customDetails": { "OAuthAppId": "AppId", - "UserAgent": "GrantUserAgent", - "OAuthApplication": "OAuthAppName" + "OAuthApplication": "OAuthAppName", + "UserAgent": "GrantUserAgent" }, "alertDetailsOverride": { "alertDisplayNameFormat": "User {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}", 
@@ -4069,14 +4081,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId25'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 25", + "description": "Microsoft Entra ID Analytics Rule 25", "parentId": "[variables('analyticRuleId25')]", "contentId": "[variables('_analyticRulecontentId25')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion25')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -4115,7 +4127,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion26')]", 
@@ -4129,7 +4141,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "description": "Identifies failed login attempts in the Microsoft Entra ID SigninLogs to the Azure Portal. Many failed logon\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", "displayName": "Failed login attempts to Azure Portal", "enabled": false, "query": "let timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result 
Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\", \"70044\", \"70043\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins\n) on UserPrincipalName\n| where TimeGenerated > TimeGenerated1 or isempty(TimeGenerated1)\n| project-away TimeGenerated1, UserPrincipalName1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup\n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = 
tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City) \n| summarize TimeGenerated = make_list(TimeGenerated,100), Status = make_list(Status,100), IPAddresses = make_list(IPAddress,100), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", @@ -4163,26 +4175,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -4192,14 +4204,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId26'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 26", + "description": "Microsoft Entra ID Analytics Rule 26", "parentId": "[variables('analyticRuleId26')]", "contentId": "[variables('_analyticRulecontentId26')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion26')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -4238,7 +4250,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion27')]", 
@@ -4280,35 +4292,35 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "targetDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "targetDisplayName" } - ] + ], + "entityType": "CloudApplication" } ] } @@ -4318,14 +4330,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId27'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 27", + "description": "Microsoft Entra ID Analytics Rule 27", "parentId": "[variables('analyticRuleId27')]", "contentId": "[variables('_analyticRulecontentId27')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion27')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -4364,7 +4376,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion28')]", 
@@ -4378,12 +4390,12 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", - "displayName": "Guest accounts added in AAD Groups other than the ones specified", + "description": "Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.", + "displayName": "Guest accounts added in Entra ID Groups other than the ones specified", "enabled": false, "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ 
\"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatedByActionUserInformation,'@',0)[0]), UPNSuffix = tostring(split(InitiatedByActionUserInformation,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -4410,35 +4422,35 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InvitedUser", - "identifier": "Name" + "identifier": "Name", + "columnName": "InvitedUser" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatedByIPAdress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatedByIPAdress" } - ] + ], + "entityType": "IP" } ] } 
@@ -4448,14 +4460,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId28'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 28", + "description": "Microsoft Entra ID Analytics Rule 28", "parentId": "[variables('analyticRuleId28')]", "contentId": "[variables('_analyticRulecontentId28')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion28')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -4479,7 +4491,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId28')]", "contentKind": "AnalyticsRule", - "displayName": "Guest accounts added in AAD Groups other than the ones specified", + "displayName": "Guest accounts added in Entra ID Groups other than the ones specified", "contentProductId": "[variables('_analyticRulecontentProductId28')]", "id": "[variables('_analyticRulecontentProductId28')]", "version": "[variables('analyticRuleVersion28')]" @@ -4494,7 +4506,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion29')]", 
@@ -4536,26 +4548,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "UserIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "UserIPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -4565,14 +4577,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId29'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 29", + "description": "Microsoft Entra ID Analytics Rule 29", "parentId": "[variables('analyticRuleId29')]", "contentId": "[variables('_analyticRulecontentId29')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion29')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -4611,7 +4623,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion30')]", 
@@ -4655,35 +4667,35 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "AppDisplayName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AppDisplayName" } - ] + ], + "entityType": "CloudApplication" } ] } @@ -4693,14 +4705,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId30'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 30", + "description": "Microsoft Entra ID Analytics Rule 30", "parentId": "[variables('analyticRuleId30')]", "contentId": "[variables('_analyticRulecontentId30')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion30')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -4739,7 +4751,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion31')]", @@ -4783,26 +4795,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" } ] } @@ -4812,14 +4824,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId31'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 31", + "description": "Microsoft Entra ID Analytics Rule 31", "parentId": "[variables('analyticRuleId31')]", "contentId": "[variables('_analyticRulecontentId31')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion31')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -4858,7 +4870,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion32')]", @@ -4912,30 +4924,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" }, { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -4945,14 +4957,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId32'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 32", + "description": "Microsoft Entra ID Analytics Rule 32", "parentId": "[variables('analyticRuleId32')]", "contentId": "[variables('_analyticRulecontentId32')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion32')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -4991,7 +5003,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion33')]", 
@@ -5005,13 +5017,13 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.", - "displayName": "Multiple admin membership removals from newly created admin.", + "description": "Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window,\nDefault Failure count is 10 and 1 successful login with default Time Window is 5 minutes.", + "displayName": "MFA Spamming followed by Successful login", "enabled": false, - "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.oldValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, 
Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "Medium", + "query": "// Filter for sign-in logs ingested within the last day\nSigninLogs\n| where ingestion_time() > ago(1d)\n// Filter for records with AuthenticationRequirement set to multiFactorAuthentication\n| where AuthenticationRequirement == 
\"multiFactorAuthentication\"\n// Extract information from dynamic columns DeviceDetail and LocationDetails\n| extend DeviceDetail = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n// Extract specific attributes from DeviceDetail and LocationDetails\n| extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n// Expand multi-value property AuthenticationDetails into separate records\n| mv-expand todynamic(AuthenticationDetails)\n// Parse AuthResult from JSON in AuthenticationDetails and convert to string\n| extend AuthResult = tostring(parse_json(AuthenticationDetails).authenticationStepResultDetail)\n// Summarize data by aggregating statistics for each user, IP, and AuthResult\n| summarize FailedAttempts = countif(AuthResult == \"MFA denied; user declined the authentication\" or AuthResult == \"MFA denied; user did not respond to mobile app notification\"), SuccessfulAttempts = countif(AuthResult == \"MFA successfully completed\"), InvolvedOS = make_set(OS, 5), InvolvedBrowser = make_set(Browser), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress, State, City, Region\n// Calculate AuthenticationWindow by finding time difference between start and end times\n| extend AuthenticationWindow = (EndTime - StartTime)\n// Filter for records with more than 10 failed attempts in 5-minute window and at least 1 successful attempt\n| where FailedAttempts > 10 and AuthenticationWindow <= 5m and SuccessfulAttempts >= 1\n// Extract user's name and UPN suffix using split function\n| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
"triggerOperator": "GreaterThan", @@ -5021,29 +5033,38 @@ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" + "SigninLogs" ] } ], "tactics": [ - "Impact" + "CredentialAccess" ], "techniques": [ - "T1531" + "T1110" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" } ] } @@ -5053,14 +5074,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId33'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 33", + "description": "Microsoft Entra ID Analytics Rule 33", "parentId": "[variables('analyticRuleId33')]", "contentId": "[variables('_analyticRulecontentId33')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion33')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -5084,7 +5105,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId33')]", "contentKind": "AnalyticsRule", - "displayName": "Multiple admin membership removals from newly created admin.", + "displayName": "MFA Spamming followed by Successful login", "contentProductId": "[variables('_analyticRulecontentProductId33')]", "id": "[variables('_analyticRulecontentProductId33')]", "version": "[variables('analyticRuleVersion33')]" 
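Review bot: The window check in the new query, `| where FailedAttempts > 10 and AuthenticationWindow <= 5m and SuccessfulAttempts >= 1`, derives StartTime/EndTime from every MFA sign-in the user made from that IP/State/City/Region across the whole P1D period, so one ordinary sign-in from the same place later in the day stretches AuthenticationWindow past 5m and suppresses the alert, and nothing requires the successful attempt to come after the failures. Adding a time bucket to the summarize key (for example `bin(TimeGenerated, 5m)`) or computing the burst's min/max from the failed rows only would make the 5-minute window real. The description's "Default Failure count is 10" does not match `FailedAttempts > 10` (eleven or more); either change the comparison to `>= 10` or the text. With queryFrequency P1D a High-severity credential-access alert can lag the push bombing by up to a day; PT1H with a matching queryPeriod is the usual cadence for this class of rule. The `| where ingestion_time() > ago(1d)` filter hard-codes the same 1d as queryPeriod and would silently narrow results if the period is later widened.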
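Review bot: The `"T1110"` technique added in this hunk (Brute Force) does not describe MFA push spamming; MITRE ATT&CK models that behaviour as T1621 (Multi-Factor Authentication Request Generation), also under CredentialAccess, so `"T1621"` is the better tag, or list it alongside T1110 if the packaging tooling only accepts the older id. The added IP entity mapping on `IPAddress` does line up with the `by UserPrincipalName, IPAddress, State, City, Region` key of the query's summarize, so the new entity will be populated.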
@@ -5099,7 +5120,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion34')]", 
@@ -5113,12 +5134,12 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "New access credential added to Application or Service Principal", + "description": "This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. 
\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.", + "displayName": "Multiple admin membership removals from newly created admin.", "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below 
line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "query": "let lookback = 7d; \nlet timeframe = 1h; \nlet GlobalAdminsRemoved = AuditLogs \n| where TimeGenerated > ago(timeframe) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in (\"Unassign\", \"RemoveEligibleRole\") \n| where ActivityDisplayName has_any (\"Remove member from role\", \"Remove eligible member from role\") \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.oldValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target,100) by OperationName, RoleName, Initiator, Result; \nlet GlobalAdminsAdded = AuditLogs \n| where TimeGenerated > ago(lookback) \n| where Category =~ \"RoleManagement\" \n| where AADOperationType in 
(\"Assign\", \"AssignEligibleRole\") \n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\") and Result == \"success\" \n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = tostring(TargetResource.userPrincipalName),\n props = TargetResource.modifiedProperties\n )\n| mv-apply Property = props on \n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName =~ \"Global Administrator\" // Add other Privileged role if applicable \n| extend InitiatingApp = tostring(InitiatedBy.app.displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) \n| where Initiator != \"MS-PIM\" // Filtering PIM events \n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \n| extend AccountCustomEntity = Target; \nGlobalAdminsAdded \n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \n| where AddedGlobalAdminTime < RemovedGlobalAdminTime \n| extend NoofAdminsRemoved = array_length(TargetAdmins) \n| where NoofAdminsRemoved > 1\n| project AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\n| extend Name = tostring(split(AccountCustomEntity,'@',0)[0]), UPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n", "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
@@ -5134,33 +5155,24 @@ } ], "tactics": [ - "DefenseEvasion" + "Impact" ], "techniques": [ - "T1550" + "T1531" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "InitiatingIpAddress", - "identifier": "Address" - } - ] + ], + "entityType": "Account" } ] } @@ -5170,14 +5182,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId34'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 34", + "description": "Microsoft Entra ID Analytics Rule 34", "parentId": "[variables('analyticRuleId34')]", "contentId": "[variables('_analyticRulecontentId34')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion34')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -5201,7 +5213,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId34')]", "contentKind": "AnalyticsRule", - "displayName": "New access credential added to Application or Service Principal", + "displayName": "Multiple admin membership removals from newly created admin.", "contentProductId": "[variables('_analyticRulecontentProductId34')]", "id": "[variables('_analyticRulecontentProductId34')]", "version": "[variables('analyticRuleVersion34')]" 
@@ -5216,7 +5228,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion35')]",
@@ -5227,16 +5239,20 @@ "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRulecontentId35')]", "apiVersion": "2022-04-01-preview", - "kind": "NRT", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT Modified domain federation trust settings", + "description": "This detection looks for new onmicrosoft domains being added to a tenant. 
\nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.", + "displayName": "New onmicrosoft domain added to tenant", "enabled": false, - "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "High", + "query": "AuditLogs\n| where AADOperationType == 
\"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { 
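Review bot: In the new query on this hunk, `UserName` and `UPNSuffix` are built as `split(InitiatingUser, "@")[0]` / `[1]` without `tostring()`, so both columns stay dynamic, whereas every other query in this file wraps the split in `tostring(...)` before the column is used by an entity mapping; as far as I can tell a dynamic value reaches the Account entity JSON-quoted, which would break matching on the Name and UPNSuffix identifiers declared in the following hunk. Change the two lines to `| extend UserName = tostring(split(InitiatingUser, "@")[0])` and `| extend UPNSuffix = tostring(split(InitiatingUser, "@")[1])`. Both columns are also blank whenever the addition is app-initiated (`InitiatingUser` is empty in that case and only `ActionInitiatedBy` carries the app name), which deserves a `//` comment in the query so an analyst does not read an empty Name as missing data. The `| extend InitiatedBy = parse_json(InitiatedBy)` step is redundant, since every other query here reads `InitiatedBy.user.userPrincipalName` directly, but it is harmless.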
@@ -5247,32 +5263,55 @@
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "ResourceDevelopment"
+ ],
+ "techniques": [
+ "T1585"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "UserName"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
+ },
+ {
+ "identifier": "AadUserId",
+ "columnName": "InitiatingSPID"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "InitiatingIpAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "InitiatingIp"
 }
- ]
+ ],
+ "entityType": "IP"
+ },
+ {
+ "fieldMappings": [
+ {
+ "identifier": "DomainName",
+ "columnName": "DomainAdded"
+ }
+ ],
+ "entityType": "DNS"
 }
- ]
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}",
+ "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose."
+ }
 }
 },
 {
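Review bot: `alertDescriptionFormat` in this hunk says the attacker masquerades as a service provider "for launching phishing accounts", while the rule's `description` in the preceding hunk says "phishing campaigns"; the override should read `...as a service provider for launching phishing campaigns. Domain additions...` so the alert text and the template text agree. The Account entity also maps `AadUserId` to `InitiatingSPID`, an application's service-principal object ID, inside the same entity whose `Name`/`UPNSuffix` come from the initiating user's UPN; on any given row only one side is populated, and I am not sure Sentinel resolves a service-principal ID placed in a user identifier the way the author intends. If the goal is to keep the SP ID on the alert, exposing `InitiatingSPID` through `customDetails` (or a separate Account entity) would be clearer than overloading the user entity.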
@@ -5280,14 +5319,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId35'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 35",
+ "description": "Microsoft Entra ID Analytics Rule 35",
 "parentId": "[variables('analyticRuleId35')]",
 "contentId": "[variables('_analyticRulecontentId35')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion35')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -5311,7 +5350,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId35')]",
 "contentKind": "AnalyticsRule",
- "displayName": "NRT Modified domain federation trust settings",
+ "displayName": "New onmicrosoft domain added to tenant",
 "contentProductId": "[variables('_analyticRulecontentProductId35')]",
 "id": "[variables('_analyticRulecontentProductId35')]",
 "version": "[variables('analyticRuleVersion35')]"
@@ -5326,7 +5365,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion36')]",
@@ -5337,16 +5376,20 @@ "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRulecontentId36')]", "apiVersion": "2022-04-01-preview", - "kind": "NRT", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.", - "displayName": "NRT Authentication Methods Changed for VIP Users", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "New access credential added to Application or Service Principal", "enabled": false, - "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = 
tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { @@ -5357,33 +5400,33 @@ } ], "tactics": [ - "Persistence" + "DefenseEvasion" ], "techniques": [ - "T1098" + "T1550" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IP", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
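Review bot: The new query for rule 36 replaces the old `| where diff != "[]"` with `| where isnotempty(diff)`, but `set_difference()` returns a dynamic array and, as far as I know, `isnotempty()` only tests for null or the empty string, so an empty-array `diff` still passes and the following `parse diff with ...` runs on `[]`, producing rows whose key fields are blank. `| where array_length(diff) > 0` expresses what the filter means; the preceding `| where old_value_set != "[]"` compares a dynamic value to a string the same way and could become `| where array_length(old_value_set) > 0`, though that line is unchanged by this commit. Since the rule also moves from NRT to Scheduled with `queryFrequency`/`queryPeriod` both PT1H, a sentence in `description` noting that credential additions are now evaluated hourly would help analysts reading the alert. The entity-mapping hunk that follows on this line keeps `InitiatingIpAddress`, which the query does project, so it is consistent.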
@@ -5393,14 +5436,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId36'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 36",
+ "description": "Microsoft Entra ID Analytics Rule 36",
 "parentId": "[variables('analyticRuleId36')]",
 "contentId": "[variables('_analyticRulecontentId36')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion36')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -5424,7 +5467,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId36')]",
 "contentKind": "AnalyticsRule",
- "displayName": "NRT Authentication Methods Changed for VIP Users",
+ "displayName": "New access credential added to Application or Service Principal",
 "contentProductId": "[variables('_analyticRulecontentProductId36')]",
 "id": "[variables('_analyticRulecontentProductId36')]",
 "version": "[variables('analyticRuleVersion36')]"
@@ -5439,7 +5482,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion37')]",
@@ -5453,11 +5496,11 @@ "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT Modified domain federation trust settings", "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| 
extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", - "severity": "Medium", + "query": "AuditLogs\n| where OperationName =~ \"Set federation settings on domain\" or OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-apply Property = modifiedProperties on \n (\n where Property.displayName =~ \"LiveType\"\n | extend targetDisplayName = tostring(Property.displayName),\n NewDomainValue = tostring(Property.newValue)\n )\n| extend Federated = iif(OperationName =~ \"Set domain authentication\", iif(NewDomainValue has \"Federated\", True, False), True)\n| where Federated == True\n| mv-expand AdditionalDetails\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", @@ -5470,33 +5513,30 @@ } ], "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1550" + "CredentialAccess" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } @@ -5506,14 +5546,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId37'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 37", + "description": "Microsoft Entra ID Analytics Rule 37", "parentId": "[variables('analyticRuleId37')]", "contentId": "[variables('_analyticRulecontentId37')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion37')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
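Review bot: The `@@ -5470,33 +5513,30 @@` hunk on this line removes the `techniques` array for rule 37 entirely, leaving `"tactics": [ "CredentialAccess" ]` with no technique, while every other rule in view pairs its tactic with at least one technique ID; presumably this mirrors the source YAML, but it is still a gap, since the `techniques` field is what coverage views read. The federation-trust change this rule detects corresponds to ATT&CK `T1484.002` (Trust Modification), so adding `"techniques": [ "T1484.002" ],` after the tactics array would be the natural entry — confirm against the solution's taxonomy before adding it. The NRT rule template earlier on this line has no `triggerOperator`/`triggerThreshold`, which matches the other NRT rules here and is not a defect.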
@@ -5537,7 +5577,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId37')]",
 "contentKind": "AnalyticsRule",
- "displayName": "NRT First access credential added to Application or Service Principal where no credential was present",
+ "displayName": "NRT Modified domain federation trust settings",
 "contentProductId": "[variables('_analyticRulecontentProductId37')]",
 "id": "[variables('_analyticRulecontentProductId37')]",
 "version": "[variables('analyticRuleVersion37')]"
@@ -5552,7 +5592,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion38')]",
@@ -5566,10 +5606,10 @@ "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "NRT New access credential added to Application or Service Principal", + "description": "Identifies authentication methods being changed for a list of VIP users watchlist. 
This could be an indication of an attacker adding an auth method to the account so they can have continued access.", + "displayName": "NRT Authentication Methods Changed for VIP Users", "enabled": false, - "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented 
out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct \"User Principal Name\");\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
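Review bot: The `description` in this hunk does not say where the VIP list comes from, yet the new query only works against a watchlist named `VIPUsers` with a `User Principal Name` column (`_GetWatchlist('VIPUsers') | distinct "User Principal Name"`), and as far as I can tell the rule fails outright if that watchlist is absent. Suggested wording: `"description": "Identifies authentication methods being changed for users listed in the 'VIPUsers' watchlist (matched on its 'User Principal Name' column). This could be an indication of an attacker adding an auth method to the account so they can have continued access."`. The enclosing rule resource starts on the previous line, outside this hunk.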
@@ -5583,33 +5623,33 @@
 }
 ],
 "tactics": [
- "DefenseEvasion"
+ "Persistence"
 ],
 "techniques": [
- "T1550"
+ "T1098"
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "InitiatingIpAddress",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IP"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -5619,14 +5659,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId38'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 38",
+ "description": "Microsoft Entra ID Analytics Rule 38",
 "parentId": "[variables('analyticRuleId38')]",
 "contentId": "[variables('_analyticRulecontentId38')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion38')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -5650,7 +5690,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId38')]",
 "contentKind": "AnalyticsRule",
- "displayName": "NRT New access credential added to Application or Service Principal",
+ "displayName": "NRT Authentication Methods Changed for VIP Users",
 "contentProductId": "[variables('_analyticRulecontentProductId38')]",
 "id": "[variables('_analyticRulecontentProductId38')]",
 "version": "[variables('analyticRuleVersion38')]"
@@ -5665,7 +5705,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion39')]",
@@ -5679,11 +5719,11 @@ "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "NRT PIM Elevation Request Rejected", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", "enabled": false, - "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = 
tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", - "severity": "High", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set == \"[]\"\n| mv-expand new_value_set\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\"\n | mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n//| where targetType =~ \"Application\" // or targetType =~ 
\"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", @@ -5696,46 +5736,33 @@ } ], "tactics": [ - "Persistence" + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1550" ], "entityMappings": [ { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatingName", - "identifier": "Name" - }, - { - "columnName": "InitiatingUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -5745,14 +5772,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId39'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 39", + "description": "Microsoft Entra ID Analytics Rule 39", "parentId": "[variables('analyticRuleId39')]", "contentId": "[variables('_analyticRulecontentId39')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion39')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -5776,7 +5803,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId39')]", "contentKind": "AnalyticsRule", - "displayName": "NRT PIM Elevation Request Rejected", + "displayName": "NRT First access credential added to Application or Service Principal where no credential was present", "contentProductId": "[variables('_analyticRulecontentProductId39')]", "id": "[variables('_analyticRulecontentProductId39')]", "version": "[variables('analyticRuleVersion39')]" @@ -5791,7 +5818,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion40')]", 
@@ -5805,11 +5832,11 @@ "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "NRT Privileged Role Assigned Outside PIM", + "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "NRT New access credential added to Application or Service Principal", "enabled": false, - "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "severity": "Low", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // 
captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"Application\"\n | extend targetDisplayName = tostring(TargetResource.displayName),\n targetId = tostring(TargetResource.id),\n targetType = tostring(TargetResource.type),\n keyEvents = TargetResource.modifiedProperties\n )\n| mv-apply Property = keyEvents on \n (\n where Property.displayName =~ \"KeyDescription\"\n | extend new_value_set = parse_json(tostring(Property.newValue)),\n old_value_set = parse_json(tostring(Property.oldValue))\n )\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where diff != \"[]\"\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage =~ \"Verify\"\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, 
InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])\n", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", @@ -5822,33 +5849,33 @@ } ], "tactics": [ - "PrivilegeEscalation" + "DefenseEvasion" ], "techniques": [ - "T1078" + "T1550" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } @@ -5858,14 +5885,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId40'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 40", + "description": "Microsoft Entra ID Analytics Rule 40", "parentId": "[variables('analyticRuleId40')]", "contentId": "[variables('_analyticRulecontentId40')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion40')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
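Review bot: The filter `where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` drops credential additions initiated by a service principal, since an app display name rarely contains "@"; a compromised app with application-write rights adding a secret to another app is exactly the chain the description warns about, and it would not fire here. If this is a deliberate noise suppression, say so inline: `// NOTE: app-initiated additions are excluded unless the app display name contains '@'; relax if SP-to-SP credential grants should alert`. The same query also restricts the mv-apply to `TargetResource.type =~ "Application"`, which contradicts the comment inviting users to filter on `ServicePrincipal` further down. The enclosing resource object starts and ends outside this hunk.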
@@ -5889,7 +5916,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId40')]", "contentKind": "AnalyticsRule", - "displayName": "NRT Privileged Role Assigned Outside PIM", + "displayName": "NRT New access credential added to Application or Service Principal", "contentProductId": "[variables('_analyticRulecontentProductId40')]", "id": "[variables('_analyticRulecontentProductId40')]", "version": "[variables('analyticRuleVersion40')]" @@ -5904,7 +5931,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion41')]", 
@@ -5918,11 +5945,11 @@ "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", - "displayName": "NRT User added to Azure Active Directory Privileged Groups", + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "NRT PIM Elevation Request Rejected", "enabled": false, - "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not 
available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", - "severity": "Medium", + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result =~ \"failure\"\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = 
tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", @@ -5935,40 +5962,47 @@ } ], "tactics": [ - "Persistence", - "PrivilegeEscalation" + "Persistence" ], "techniques": [ - "T1098", "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserUPNSuffix" } - ] - } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "InitiatingIpAddress" + } + ], + "entityType": "IP" + } ] } }, @@ -5977,14 +6011,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId41'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 41", + "description": "Microsoft Entra ID Analytics Rule 41", "parentId": "[variables('analyticRuleId41')]", "contentId": "[variables('_analyticRulecontentId41')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion41')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
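Review bot: The NRT query on the new side keys on `ActivityDisplayName =~'Add member to role completed (PIM activation)'` with `Result =~ "failure"`, while the scheduled rule with the same display name later in this diff keys on `'Add member to role request denied (PIM activation)'`; the two rules therefore fire on different events (a failed activation versus, presumably, an approver denial) under an identical title. State the distinction in the description, e.g. append `This NRT variant triggers on failed PIM activations; approver denials are covered by the scheduled 'PIM Elevation Request Rejected' rule.`, or align the activity names so both detect the same thing. The enclosing resource object starts and ends outside this hunk.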
@@ -6008,7 +6042,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId41')]", "contentKind": "AnalyticsRule", - "displayName": "NRT User added to Azure Active Directory Privileged Groups", + "displayName": "NRT PIM Elevation Request Rejected", "contentProductId": "[variables('_analyticRulecontentProductId41')]", "id": "[variables('_analyticRulecontentProductId41')]", "version": "[variables('analyticRuleVersion41')]" @@ -6023,7 +6057,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion42')]", 
@@ -6034,20 +6068,16 @@ "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRulecontentId42')]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", - "displayName": "PIM Elevation Request Rejected", + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "NRT Privileged Role Assigned Outside PIM", "enabled": false, - "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", - "queryFrequency": "PT2H", - "queryPeriod": "PT2H", - "severity": "High", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where 
OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { @@ -6058,46 +6088,33 @@ } ], "tactics": [ - "Persistence" + "PrivilegeEscalation" ], "techniques": [ "T1078" ], "entityMappings": [ { - "entityType": "Account", - "fieldMappings": [ - { - "columnName": "InitiatingName", - "identifier": "Name" - }, - { - "columnName": "InitiatingUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } - ] + ], + "entityType": "IP" } ] } 
@@ -6107,14 +6124,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId42'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 42", + "description": "Microsoft Entra ID Analytics Rule 42", "parentId": "[variables('analyticRuleId42')]", "contentId": "[variables('_analyticRulecontentId42')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion42')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -6138,7 +6155,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId42')]", "contentKind": "AnalyticsRule", - "displayName": "PIM Elevation Request Rejected", + "displayName": "NRT Privileged Role Assigned Outside PIM", "contentProductId": "[variables('_analyticRulecontentProductId42')]", "id": "[variables('_analyticRulecontentProductId42')]", "version": "[variables('analyticRuleVersion42')]" @@ -6153,7 +6170,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion43')]", 
@@ -6164,63 +6181,59 @@ "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRulecontentId43')]", "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { - "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "displayName": "Privileged Accounts - Sign in Failure Spikes", + "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", + "displayName": "NRT User added to Microsoft Entra ID Privileged Groups", "enabled": false, - "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n IdentityInfo\n | where TimeGenerated > ago(starttime)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n | join kind=inner (\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n ) on $left.AccountUPN == $right.UserPrincipalName\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = 
aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n allSignins\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n // Filtering low count events per baselinethreshold\n | where anomalies > 0 and baseline > baselinethreshold\n | extend AnomalyHour = TimeGenerated\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "High", + "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = 
case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ] } ], "tactics": [ - "InitialAccess" + "Persistence", + "PrivilegeEscalation" ], "techniques": [ + "T1098", "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Name", + "columnName": "TargetName" + }, + { + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } 
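Review bot: The query projects `UserIPAddress` (from `InitiatedBy.user.ipAddress`), but the new entity mappings carry two Account entities and no IP entity, unlike the other rules in this diff, so the initiator's address is never correlated into the incident. Add `{ "fieldMappings": [ { "identifier": "Address", "columnName": "UserIPAddress" } ], "entityType": "IP" }` and wrap that column in `tostring(...)` in the query as the sibling rules do. The `PrivilegedGroups` list covers only three well-known object names (`UserAccountAdmins`, `PrivilegedRoleAdmins`, `TenantAdmins`); a comment such as `// Extend PrivilegedGroups with any additional privileged role object names relevant to your tenant` would avoid a false sense of coverage. The enclosing resource object starts before this hunk.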
@@ -6230,14 +6243,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId43'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 43",
+ "description": "Microsoft Entra ID Analytics Rule 43",
 "parentId": "[variables('analyticRuleId43')]",
 "contentId": "[variables('_analyticRulecontentId43')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion43')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6261,7 +6274,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId43')]",
 "contentKind": "AnalyticsRule",
- "displayName": "Privileged Accounts - Sign in Failure Spikes",
+ "displayName": "NRT User added to Microsoft Entra ID Privileged Groups",
 "contentProductId": "[variables('_analyticRulecontentProductId43')]",
 "id": "[variables('_analyticRulecontentProductId43')]",
 "version": "[variables('analyticRuleVersion43')]"
@@ -6276,7 +6289,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion44')]",
@@ -6290,13 +6303,13 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", - "displayName": "Privileged Role Assigned Outside PIM", + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "displayName": "PIM Elevation Request Rejected", "enabled": false, - "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Low", + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"Role\"\n | extend Role = trim(@'\"',tostring(ResourceItem.displayName))\n )\n| mv-apply ResourceItem = TargetResources on \n (\n where ResourceItem.type =~ \"User\"\n | extend User = trim(@'\"',tostring(ResourceItem.userPrincipalName))\n )\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| where isnotempty(InitiatedBy.user)\n| extend InitiatingUser = 
tostring(InitiatedBy.user.userPrincipalName), InitiatingIpAddress = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingName = tostring(split(InitiatingUser,'@',0)[0]), InitiatingUPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n| extend UserName = tostring(split(User,'@',0)[0]), UserUPNSuffix = tostring(split(User,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -6311,33 +6324,46 @@ } ], "tactics": [ - "PrivilegeEscalation" + "Persistence" ], "techniques": [ "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingName" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingUPNSuffix" } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserName" + }, + { + "identifier": "UPNSuffix", + "columnName": "UserUPNSuffix" + } + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "InitiatingIpAddress" } - ] + ], + "entityType": "IP" } ] } 
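Review bot: The new query keeps only events where `InitiatedBy.user` is populated (`| where isnotempty(InitiatedBy.user)`), so a denial recorded with an app or service-principal initiator is silently dropped instead of being surfaced with an empty account entity; if that is deliberate it deserves a comment, otherwise the `case()` fallback over `InitiatedBy.app` that this template already uses in other rules would keep those rows. The description says the rule watches for compromise of the requesting account, but the mapped `InitiatingUser` is taken from `InitiatedBy.user`, and whether that principal is the requester or the approver who denied the request cannot be verified from the hunk; a query comment such as `// InitiatingUser: principal in InitiatedBy.user (confirm requester vs approver); User: account whose activation was denied` would make the two Account entities unambiguous for analysts. Both `mv-apply` passes reuse the alias `ResourceItem`, which works but reads as if the second pass re-expands the first; distinct aliases would be clearer. `queryPeriod` equals `queryFrequency` (PT2H), leaving no overlap for late-arriving audit records beyond whatever ingestion-delay compensation the scheduler applies. The rule object opens before this hunk.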
@@ -6347,14 +6373,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId44'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 44",
+ "description": "Microsoft Entra ID Analytics Rule 44",
 "parentId": "[variables('analyticRuleId44')]",
 "contentId": "[variables('_analyticRulecontentId44')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion44')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6378,7 +6404,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId44')]",
 "contentKind": "AnalyticsRule",
- "displayName": "Privileged Role Assigned Outside PIM",
+ "displayName": "PIM Elevation Request Rejected",
 "contentProductId": "[variables('_analyticRulecontentProductId44')]",
 "id": "[variables('_analyticRulecontentProductId44')]",
 "version": "[variables('analyticRuleVersion44')]"
@@ -6393,7 +6419,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion45')]",
@@ -6407,65 +6433,60 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", - "displayName": "Rare application consent", + "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "displayName": "Privileged Accounts - Sign in Failure Spikes", "enabled": false, - "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend 
InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n props = TargetResource.modifiedProperties\n )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the 
lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n", + "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n IdentityInfo\n | where TimeGenerated > ago(starttime)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles contains 'Admin'\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\n | join kind=inner (\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n ) on $left.AccountUPN == $right.UserPrincipalName\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \n allSignins\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 
'linefit')\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n // Filtering low count events per baselinethreshold\n | where anomalies > 0 and baseline > baselinethreshold\n | extend AnomalyHour = TimeGenerated\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", + "queryPeriod": "P14D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", - "triggerThreshold": 3, + "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" + "SigninLogs" + ] + }, + { + 
"connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" ] } ], "tactics": [ - "Persistence", - "PrivilegeEscalation" + "InitialAccess" ], "techniques": [ - "T1136", - "T1068" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "CloudApplication", - "fieldMappings": [ - { - "columnName": "TargetResourceName", - "identifier": "Name" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -6475,14 +6496,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId45'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 45", + "description": "Microsoft Entra ID Analytics Rule 45", "parentId": "[variables('analyticRuleId45')]", "contentId": "[variables('_analyticRulecontentId45')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion45')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -6506,7 +6527,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId45')]", "contentKind": "AnalyticsRule", - "displayName": "Rare application consent", + "displayName": "Privileged Accounts - Sign in Failure Spikes", "contentProductId": "[variables('_analyticRulecontentProductId45')]", "id": "[variables('_analyticRulecontentProductId45')]", "version": "[variables('analyticRuleVersion45')]" 
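Review bot: The query depends on the UEBA `IdentityInfo` table (the first source inside `aadFunc`, before the join to the sign-in table), but `requiredDataConnectors` declares only the `AzureActiveDirectory` connector with `SigninLogs` and `AADNonInteractiveUserSignInLogs`; on a workspace without UEBA both branches of the outer `union isfuzzy=true` reference the missing table, so the query would most likely fail to resolve rather than degrade, and the dependency should be declared or at least called out in the description. The new `description` string begins with a stray leading space (`" Identifies spike …"`). The privileged-account set is `AssignedRoles contains 'Admin'`, a case-insensitive substring match, so privileged roles whose names lack that substring are not monitored; a comment stating that limitation, or a `dynamic([...])` list of role names like the `PrivilegedGroups` list in the rule-43 query, would make tuning explicit. The rule object opens before this hunk.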
@@ -6521,7 +6542,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion46')]",
@@ -6535,13 +6556,13 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.", - "displayName": "Password spray attack against Azure AD Seamless SSO", + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "Privileged Role Assigned Outside PIM", "enabled": false, - "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n UserPrincipalName = make_set(UserPrincipalName,100),\n UserAgent = make_set(UserAgent,100),\n ResultDescription = take_any(ResultDescription),\n ResultSignature = take_any(ResultSignature)\n by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": 
"Medium", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where OperationName has \"Add member to role outside of PIM\"\n or (LoggedByService =~ \"Core Directory\" and OperationName =~ \"Add member to role\" and Identity != \"MS-PIM\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend UserPrincipalName = tostring(TargetResource.userPrincipalName)\n )\n| extend IpAddress = tostring(InitiatedBy.user.ipAddress), Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Low", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", @@ -6551,38 +6572,38 @@ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ] } ], "tactics": [ - "CredentialAccess" + "PrivilegeEscalation" ], "techniques": [ - "T1110" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IpAddress" } - ] + ], + "entityType": "IP" } ] } 
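Review bot: The query surfaces only the target user and the initiator's IP (`IpAddress = tostring(InitiatedBy.user.ipAddress)`), so the principal that performed the out-of-PIM assignment is neither in the result set nor mapped as an entity, which is the first thing an analyst needs when triaging this alert; adding `InitiatingUser = tostring(InitiatedBy.user.userPrincipalName), InitiatingApp = tostring(InitiatedBy.app.displayName)` to the final `extend` and a second Account mapping in the following hunk would close that gap. `Identity != "MS-PIM"` is a case-sensitive comparison while every other string test in the query uses `=~`; if case-insensitive matching is intended, `!~` is the matching operator. The `mv-apply` keeps only `TargetResource.type =~ "User"`, so out-of-PIM role assignments to groups or service principals are dropped — worth a comment if that is intentional. The entity mappings for this rule are in the next hunk.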
@@ -6592,14 +6613,14 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId46'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 46",
+ "description": "Microsoft Entra ID Analytics Rule 46",
 "parentId": "[variables('analyticRuleId46')]",
 "contentId": "[variables('_analyticRulecontentId46')]",
 "kind": "AnalyticsRule",
 "version": "[variables('analyticRuleVersion46')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -6623,7 +6644,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_analyticRulecontentId46')]",
 "contentKind": "AnalyticsRule",
- "displayName": "Password spray attack against Azure AD Seamless SSO",
+ "displayName": "Privileged Role Assigned Outside PIM",
 "contentProductId": "[variables('_analyticRulecontentProductId46')]",
 "id": "[variables('_analyticRulecontentProductId46')]",
 "version": "[variables('analyticRuleVersion46')]"
@@ -6638,7 +6659,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion47')]",
@@ -6652,51 +6673,65 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. ", - "displayName": "GitHub Signin Burst from Multiple Locations", + "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor.\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "displayName": "Rare application consent", "enabled": false, - "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = 
tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "query": "let current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed.\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are\n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName))\n )\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\n isnotempty(tostring(InitiatedBy.user.ipAddress)) and tostring(InitiatedBy.user.ipAddress) != 'null', tostring(InitiatedBy.user.ipAddress),\n isnotempty(tostring(InitiatedBy.app.ipAddress)) and tostring(InitiatedBy.app.ipAddress) != 'null', tostring(InitiatedBy.app.ipAddress),\n 'Not Available')\n| extend InitiatedBy = 
iff(isnotempty(tostring(InitiatedBy.user.userPrincipalName)),\n tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"ServicePrincipal\"\n | extend TargetResourceName = tolower(tostring(TargetResource.displayName)),\n props = TargetResource.modifiedProperties\n )\n| parse props with * \"ConsentType: \" ConsentType \"]\" *\n| mv-apply AdditionalDetail = AdditionalDetails on \n (\n where AdditionalDetail.key =~ \"User-Agent\"\n | extend UserAgent = tostring(AdditionalDetail.value)\n )\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy\n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = make_set(Reason,100) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, Name = tolower(tostring(split(InitiatedBy,'@',0)[0])), UPNSuffix = tolower(tostring(split(InitiatedBy,'@',1)[0]))\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", - "triggerThreshold": 0, + "triggerThreshold": 3, "status": "Available", "requiredDataConnectors": [ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": 
"AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" + "AuditLogs" ] } ], "tactics": [ - "CredentialAccess" + "Persistence", + "PrivilegeEscalation" ], "techniques": [ - "T1110" + "T1136", + "T1068" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "TargetResourceName" + } + ], + "entityType": "CloudApplication" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IpAddress" + } + ], + "entityType": "IP" } ] } @@ -6706,14 +6741,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId47'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 47", + "description": "Microsoft Entra ID Analytics Rule 47", "parentId": "[variables('analyticRuleId47')]", "contentId": "[variables('_analyticRulecontentId47')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion47')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -6737,7 +6772,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId47')]", "contentKind": "AnalyticsRule", - "displayName": "GitHub Signin Burst from Multiple Locations", + "displayName": "Rare application consent", "contentProductId": "[variables('_analyticRulecontentProductId47')]", "id": "[variables('_analyticRulecontentProductId47')]", "version": "[variables('analyticRuleVersion47')]" 
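Review bot: `IpAddress` falls back to the literal `'Not Available'` in the `case()` expression and that column is mapped straight to the IP entity's `Address`, so consent events without a source IP produce an IP entity whose address is the string "Not Available"; returning `''` in the fallback branch keeps the entity data clean, since an empty column does not create an entity. `triggerThreshold` is 3 with `GreaterThan`, so fewer than four rare-consent rows in a daily run produce no alert — if a single previously-unseen consent is meant to fire, as the description implies, the threshold should be 0. `ConsentType` is recovered with `parse props with * "ConsentType: " ConsentType "]" *`, which silently yields an empty value if the `modifiedProperties` text layout changes; a comment documenting the expected property text would help maintainers notice when it breaks. The rule object opens before this hunk.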
@@ -6752,7 +6787,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion48')]",
@@ -6766,12 +6801,12 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "description": "This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\nMicrosoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.", + "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", "enabled": false, - "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. 
The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n 
DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", + "query": "let account_threshold = 5;\nAADNonInteractiveUserSignInLogs\n//| where ResultType == \"81016\"\n| where ResultType startswith \"81\"\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType\n| where DistinctAccounts > account_threshold\n| mv-expand IPAddress = DistinctAddresses\n| extend IPAddress = tostring(IPAddress)\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n UserPrincipalName = make_set(UserPrincipalName,100),\n UserAgent = make_set(UserAgent,100),\n ResultDescription = take_any(ResultDescription),\n ResultSignature = take_any(ResultSignature)\n by IPAddress, Type, ResultType\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\n| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
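Review bot: The final `extend` in the new rule-48 query derives `Name`/`UPNSuffix` from `UserPrincipalName[0]`, the first element of the `make_set(UserPrincipalName,100)` built per IP, so an incident for a spray across many accounts carries one arbitrary account as its Account entity; either `mv-expand UserPrincipalName` before the `extend` or a comment such as `// Account entity is one sample of the targeted set, see UserPrincipalName` should make that explicit. `make_set(IPAddress,100)` similarly caps the addresses carried into the join, so a spray spread over more than 100 sources is partly dropped, which deserves a comment next to `let account_threshold = 5;`. Separately, this hunk swaps which rule occupies slot 48 (disabled-account sign-ins out, Seamless SSO spray in) while the surrounding record still keys on `variables('_analyticRulecontentId48')`, defined outside the hunk; if that GUID was not regenerated together with the rule, an upgrade would overwrite the previously deployed template in place under the same content ID, so it is worth confirming against the variables block.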
@@ -6779,42 +6814,41 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" - ] - }, { "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" ] - }, - { - "connectorId": "BehaviorAnalytics", - "dataTypes": [ - "BehaviorAnalytics" - ] } ], "tactics": [ - "InitialAccess", - "Persistence" + "CredentialAccess" ], "techniques": [ - "T1078", - "T1098" + "T1110" ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" } ] } @@ -6824,14 +6858,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId48'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 48", + "description": "Microsoft Entra ID Analytics Rule 48", "parentId": "[variables('analyticRuleId48')]", "contentId": "[variables('_analyticRulecontentId48')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion48')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
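Review bot: `requiredDataConnectors` for rule 48 now declares only `AADNonInteractiveUserSignInLogs`, but the rule's query (previous hunk) joins against `union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs`, so `SigninLogs` is consumed without being declared. Because the union is fuzzy the rule still deploys and runs in a workspace without interactive sign-in logs, but the join side silently shrinks and the solution's connector check cannot flag the gap; the entry should read `"dataTypes": ["SigninLogs", "AADNonInteractiveUserSignInLogs"]`. The fix belongs in the rule's source YAML rather than this generated template, since the template is regenerated from it.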
@@ -6855,7 +6889,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId48')]", "contentKind": "AnalyticsRule", - "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "displayName": "Password spray attack against Microsoft Entra ID Seamless SSO", "contentProductId": "[variables('_analyticRulecontentProductId48')]", "id": "[variables('_analyticRulecontentProductId48')]", "version": "[variables('analyticRuleVersion48')]" @@ -6870,7 +6904,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion49')]", 
@@ -6884,12 +6918,12 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", - "displayName": "Brute force attack against Azure Portal", + "description": "This detection triggers when there is a Signin burst from multiple locations in GitHub (Entra ID SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. ", + "displayName": "GitHub Signin Burst from Multiple Locations", "enabled": false, - "query": "// Set threshold value for deviation\nlet threshold = 25;\n// Set the time range for the query\nlet timeRange = 24h;\n// Set the authentication window duration\nlet authenticationWindow = 20m;\n// Define a reusable function 'aadFunc' that takes a table name as input\nlet aadFunc = (tableName: string) {\n // Query the specified table\n table(tableName)\n // Filter data within the last 24 hours\n | where TimeGenerated > ago(1d)\n // Filter records related to \"Azure Portal\" applications\n | where AppDisplayName has \"Azure Portal\"\n // Extract and transform some fields\n | extend\n DeviceDetail = todynamic(DeviceDetail),\n LocationDetails = todynamic(LocationDetails)\n | extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n // Categorize records as Success or Failure based on 
ResultType\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n // Sort and identify sessions\n | sort by UserPrincipalName asc, TimeGenerated asc\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n // Summarize data\n | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n // Filter records where \"Success\" occurs in the middle of a session\n | where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n | where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n // Remove unnecessary columns from the output\n | project-away SessionStartedUtc, list_FailureOrSuccess\n // Join with another table and calculate deviation\n | join kind=inner (\n table(tableName)\n | where TimeGenerated > ago(7d)\n | where AppDisplayName has \"Azure Portal\"\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \"Failure\")) by UserPrincipalName\n ) on UserPrincipalName\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\n // Filter records based 
on deviation and failure count criteria\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\n // Expand the IPAddress array\n | mv-expand IPAddress\n | extend IPAddress = tostring(IPAddress)\n | extend timestamp = StartTime\n};\n// Call 'aadFunc' with different table names and union the results\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n// Additional transformation: Split UserPrincipalName\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", + "query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
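Review bot: The new rule-49 description contains the typo `thie detection` (should be `this detection`) and ends with a trailing space before the closing quote; since the template is generated, correct it in the rule's YAML. On the query, `locationThreshold = 1` with `queryPeriod` `PT1H` means any successful GitHub.com sign-in by a user from two distinct `Location` values inside one hour fires, which the description already admits is false-positive prone; a comment stating the expected per-tenant baseline next to `let locationThreshold = 1;` would help tuners. The query summarizes `Locations` but never surfaces the source address, and the entityMappings hunk at `@@ -6918,30 +6952,17 @@` keeps only an Account entity, so analysts cannot pivot on IP; adding `SourceIPs = make_set(IPAddress,100)` to the `summarize` would at least expose it in the alert.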
@@ -6918,30 +6952,17 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UserId", - "identifier": "AadUserId" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -6951,14 +6972,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId49'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 49", + "description": "Microsoft Entra ID Analytics Rule 49", "parentId": "[variables('analyticRuleId49')]", "contentId": "[variables('_analyticRulecontentId49')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion49')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -6982,7 +7003,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId49')]", "contentKind": "AnalyticsRule", - "displayName": "Brute force attack against Azure Portal", + "displayName": "GitHub Signin Burst from Multiple Locations", "contentProductId": "[variables('_analyticRulecontentProductId49')]", "id": "[variables('_analyticRulecontentProductId49')]", "version": "[variables('analyticRuleVersion49')]" 
@@ -6997,7 +7018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion50')]", 
@@ -7011,12 +7032,12 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", - "displayName": "Password spray attack against Azure AD application", + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts using the IP through which successful signins from other accounts have happened.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. 
The account has been disabled by an administrator.\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", "enabled": false, - "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), 
make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "query": "let aadFunc = (tableName: string) {\nlet failed_signins = table(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription == \"User account is disabled. 
The account has been disabled by an administrator.\";\nlet disabled_users = failed_signins | summarize by UserPrincipalName;\ntable(tableName)\n | where ResultType == 0\n | where isnotempty(UserPrincipalName)\n | where UserPrincipalName !in (disabled_users)\n| summarize\n successfulAccountsTargettedCount = dcount(UserPrincipalName),\n successfulAccountSigninSet = make_set(UserPrincipalName, 100),\n successfulApplicationSet = make_set(AppDisplayName, 100)\n by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountsTargettedCount < 50\n | where isnotempty(successfulAccountsTargettedCount)\n | join kind=inner (failed_signins\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n totalDisabledAccountLoginAttempts = count(),\n disabledAccountsTargettedCount = dcount(UserPrincipalName),\n applicationsTargeted = dcount(AppDisplayName),\n disabledAccountSet = make_set(UserPrincipalName, 100),\n disabledApplicationSet = make_set(AppDisplayName, 100)\nby IPAddress, Type\n| order by totalDisabledAccountLoginAttempts desc) on IPAddress\n| project StartTime, EndTime, IPAddress, totalDisabledAccountLoginAttempts, disabledAccountsTargettedCount, disabledAccountSet, disabledApplicationSet, successfulApplicationSet, successfulAccountsTargettedCount, successfulAccountSigninSet, Type\n| order by totalDisabledAccountLoginAttempts};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where EventSource =~ \"Azure AD\"\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress, UserPrincipalName\n | project-rename IPAddress = SourceIPAddress\n | summarize\n Users = make_set(UserPrincipalName, 100),\n UsersInsights = make_set(UsersInsights, 100),\n 
DevicesInsights = make_set(DevicesInsights, 100),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress\n) on IPAddress\n| extend SFRatio = toreal(toreal(disabledAccountsTargettedCount)/toreal(successfulAccountsTargettedCount))\n| where SFRatio >= 0.5\n| sort by IPInvestigationPriority desc\n", "queryFrequency": "P1D", - "queryPeriod": "P7D", + "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -7035,23 +7056,31 @@ "dataTypes": [ "AADNonInteractiveUserSignInLogs" ] + }, + { + "connectorId": "BehaviorAnalytics", + "dataTypes": [ + "BehaviorAnalytics" + ] } ], "tactics": [ - "CredentialAccess" + "InitialAccess", + "Persistence" ], "techniques": [ - "T1110" + "T1078", + "T1098" ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } @@ -7061,14 +7090,14 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId50'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 50", + "description": "Microsoft Entra ID Analytics Rule 50", "parentId": "[variables('analyticRuleId50')]", "contentId": "[variables('_analyticRulecontentId50')]", "kind": "AnalyticsRule", "version": "[variables('analyticRuleVersion50')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
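Review bot: In the rule-50 query the comment `// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe` disagrees with the filter that follows it, `| where successfulAccountsTargettedCount < 50`; one of them should change, e.g. the comment to `// Assume IPs with successful sign-ins from 50+ distinct accounts are shared infrastructure, not spray sources`. The description states the query joins UEBA `IdentityInfo` and `BehaviorAnalytics`, but only `BehaviorAnalytics` appears in the query, so the text overstates the enrichment. The extra `| where ResultDescription == "User account is disabled. ..."` after `ResultType == "50057"` is redundant and will silently drop every match if that description text is ever reworded upstream; filtering on the code alone is safer. These are source-YAML fixes since this template is generated.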
@@ -7092,7 +7121,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_analyticRulecontentId50')]", "contentKind": "AnalyticsRule", - "displayName": "Password spray attack against Azure AD application", + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", "contentProductId": "[variables('_analyticRulecontentProductId50')]", "id": "[variables('_analyticRulecontentProductId50')]", "version": "[variables('analyticRuleVersion50')]" @@ -7107,7 +7136,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion51')]", 
@@ -7120,6 +7149,243 @@ "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.\nRef: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "displayName": "Brute force attack against Azure Portal", + "enabled": false, + "query": "// Set threshold value for deviation\nlet threshold = 25;\n// Set the time range for the query\nlet timeRange = 24h;\n// Set the authentication window duration\nlet authenticationWindow = 20m;\n// Define a reusable function 'aadFunc' that takes a table name as input\nlet aadFunc = (tableName: string) {\n // Query the specified table\n table(tableName)\n // Filter data within the last 24 hours\n | where TimeGenerated > ago(1d)\n // Filter records related to \"Azure Portal\" applications\n | where AppDisplayName has \"Azure Portal\"\n // Extract and transform some fields\n | extend\n DeviceDetail = todynamic(DeviceDetail),\n LocationDetails = todynamic(LocationDetails)\n | extend\n OS = tostring(DeviceDetail.operatingSystem),\n Browser = tostring(DeviceDetail.browser),\n State = tostring(LocationDetails.state),\n City = tostring(LocationDetails.city),\n Region = tostring(LocationDetails.countryOrRegion)\n // Categorize records as Success or Failure based on ResultType\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n // Sort and identify sessions\n | sort by UserPrincipalName asc, TimeGenerated asc\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \"Success\")\n // Summarize data\n | summarize FailureOrSuccessCount = count() 
by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc\n | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == \"Failure\"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\n // Filter records where \"Success\" occurs in the middle of a session\n | where array_index_of(list_FailureOrSuccess, \"Success\") != 0\n | where array_index_of(list_FailureOrSuccess, \"Success\") == array_length(list_FailureOrSuccess) - 1\n // Remove unnecessary columns from the output\n | project-away SessionStartedUtc, list_FailureOrSuccess\n // Join with another table and calculate deviation\n | join kind=inner (\n table(tableName)\n | where TimeGenerated > ago(7d)\n | where AppDisplayName has \"Azure Portal\"\n | extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n | summarize avgFailures = avg(todouble(FailureOrSuccess == \"Failure\")) by UserPrincipalName\n ) on UserPrincipalName\n | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures\n // Filter records based on deviation and failure count criteria\n | where Deviation > threshold and FailureCountBeforeSuccess >= 10\n // Expand the IPAddress array\n | mv-expand IPAddress\n | extend IPAddress = tostring(IPAddress)\n | extend timestamp = StartTime\n};\n// Call 'aadFunc' with different table names and union the results\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n// Additional 
transformation: Split UserPrincipalName\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "SigninLogs" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Name" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "AadUserId", + "columnName": "UserId" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]", + "properties": { + "description": "Microsoft Entra ID Analytics Rule 51", + "parentId": "[variables('analyticRuleId51')]", + "contentId": "[variables('_analyticRulecontentId51')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion51')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": 
"Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId51')]", + "contentKind": "AnalyticsRule", + "displayName": "Brute force attack against Azure Portal", + "contentProductId": "[variables('_analyticRulecontentProductId51')]", + "id": "[variables('_analyticRulecontentProductId51')]", + "version": "[variables('analyticRuleVersion51')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName52')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion52')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId52')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "displayName": "Password spray attack against Microsoft Entra ID application", + "enabled": false, + "query": "let timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where 
TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed,20), make_set(FullLocation,20), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup\n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName,20), make_set(UserDisplayName,20), make_set(set_ClientAppUsed,20), make_set(set_FullLocation,20), make_list(FailureCount,20) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in (successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in (successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in (failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in (failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "SigninLogs" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]", + "properties": { + "description": "Microsoft Entra ID 
Analytics Rule 52", + "parentId": "[variables('analyticRuleId52')]", + "contentId": "[variables('_analyticRulecontentId52')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion52')]", + "source": { + "kind": "Solution", + "name": "Microsoft Entra ID", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId52')]", + "contentKind": "AnalyticsRule", + "displayName": "Password spray attack against Microsoft Entra ID application", + "contentProductId": "[variables('_analyticRulecontentProductId52')]", + "id": "[variables('_analyticRulecontentProductId52')]", + "version": "[variables('analyticRuleVersion52')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName53')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.0.7", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion53')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId53')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP (may indicate a malicious attempt at password guessing with known account). UEBA added for context.", "displayName": "Successful logon from IP and failure from a different IP", @@ -7169,35 +7435,35 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SuccessIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "SuccessIPAddress" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "FailedIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "FailedIPAddress" } - ] + ], + "entityType": "IP" } ] } 
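Review bot: In the password-spray rule added here (the `SigninPasswordSpray_AnalyticalRules` template), result code `50055` appears in both `failureCodes` and `successCodes`, so an expired-password sign-in is counted on both sides of the later `GlobalFailPrincipalCount > GlobalSuccessPrincipalCount` comparison and is also pulled into the window-breach and detail joins by the `ResultType in(failureCodes)` filters; it belongs in exactly one list, and I would drop it from the failure list, `let failureCodes = dynamic([50053, 50126]); // invalid password, account is locked - too many sign ins`, unless the intent is to treat an expired-password response as a failure, in which case remove it from `successCodes` instead. In the brute-force rule, `avgFailures` is `avg(todouble(FailureOrSuccess == "Failure"))`, a per-user failure rate in the 0..1 range, while `FailureCountBeforeSuccess` is a count, so `Deviation` divides a count-minus-rate difference by a rate and the 25-deviation default in the description is hard to interpret; worth confirming that is the intended baseline rather than an average failure count. The password-spray description string also carries the typos `acccount` and `bought` (brought). The contentTemplates resource for rule 51 begins before this hunk and the rule 53 resource continues after it, and since this package file looks generated the corrections belong in the source rule templates.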
@@ -7205,16 +7471,16 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId51'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]",
 "properties": {
- "description": "Azure Active Directory Analytics Rule 51",
- "parentId": "[variables('analyticRuleId51')]",
- "contentId": "[variables('_analyticRulecontentId51')]",
+ "description": "Microsoft Entra ID Analytics Rule 53",
+ "parentId": "[variables('analyticRuleId53')]",
+ "contentId": "[variables('_analyticRulecontentId53')]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion51')]",
+ "version": "[variables('analyticRuleVersion53')]",
 "source": {
 "kind": "Solution",
- "name": "Azure Active Directory",
+ "name": "Microsoft Entra ID",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
@@ -7236,39 +7502,39 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId51')]", + "contentId": "[variables('_analyticRulecontentId53')]", "contentKind": "AnalyticsRule", "displayName": "Successful logon from IP and failure from a different IP", - "contentProductId": "[variables('_analyticRulecontentProductId51')]", - "id": "[variables('_analyticRulecontentProductId51')]", - "version": "[variables('analyticRuleVersion51')]" + "contentProductId": "[variables('_analyticRulecontentProductId53')]", + "id": "[variables('_analyticRulecontentProductId53')]", + "version": "[variables('analyticRuleVersion53')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName52')]", + "name": "[variables('analyticRuleTemplateSpecName54')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion52')]", + "contentVersion": "[variables('analyticRuleVersion54')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId52')]", + "name": "[variables('analyticRulecontentId54')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": 
"[parameters('workspace-location')]", "properties": { - "description": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf", - "displayName": "Suspicious AAD Joined Device Update", + "description": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf", + "displayName": "Suspicious Entra ID Joined Device Update", "enabled": false, "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n where TargetResource.type =~ \"Device\"\n | extend ModifiedProperties = TargetResource.modifiedProperties\n | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"CloudDisplayName\"\n | extend OldName = Prop.oldValue \n | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"IsCompliant\"\n | extend OldComplianceState = Prop.oldValue \n | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n | extend OldTrustType = Prop.oldValue \n | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n where Prop.displayName =~ \"Included Updated Properties\" \n | extend 
UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n", "queryFrequency": "P1D", 
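Review bot: The product rename in the rule 54 description introduces the ungrammatical phrase `an Microsoft Entra ID joined device`; the same phrase recurs in `alertDescriptionFormat` in the following hunk, and `alertDisplayNameFormat` there still opens with `Suspicious AAD Joined Device Update …` while `displayName` is now `Suspicious Entra ID Joined Device Update`, so fired alerts will carry the old title and the template the new one. I would change both description strings to read `a Microsoft Entra ID joined device` and align the alert title, `"alertDisplayNameFormat": "Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed",`. This package file appears to be generated, so the edit belongs in the `SuspiciousAADJoinedDeviceUpdate_AnalyticalRules` source template named in the description line. The `alertDetailsOverride` block itself sits in the next hunk rather than in this one.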
@@ -7295,61 +7561,61 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "columnName": "NewDeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "NewDeviceName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Host", "fieldMappings": [ { - "columnName": "OldDeviceName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "OldDeviceName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceId", - "identifier": "AzureID" + "identifier": "AzureID", + "columnName": "DeviceId" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByUser", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "InitiatedByUser" } - ] + ], + "entityType": "Account" } ], "alertDetailsOverride": { "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed", - "alertDescriptionFormat": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n" + "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned 
device and uses it to AAD Join a new device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId52'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 52", - "parentId": "[variables('analyticRuleId52')]", - "contentId": "[variables('_analyticRulecontentId52')]", + "description": "Microsoft Entra ID Analytics Rule 54", + "parentId": "[variables('analyticRuleId54')]", + "contentId": "[variables('_analyticRulecontentId54')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion52')]", + "version": "[variables('analyticRuleVersion54')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7371,33 +7637,33 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId52')]", + "contentId": "[variables('_analyticRulecontentId54')]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious AAD Joined Device Update", - "contentProductId": "[variables('_analyticRulecontentProductId52')]", - "id": "[variables('_analyticRulecontentProductId52')]", - "version": "[variables('analyticRuleVersion52')]" + "displayName": "Suspicious Entra ID Joined Device Update", + "contentProductId": "[variables('_analyticRulecontentProductId54')]", + "id": "[variables('_analyticRulecontentProductId54')]", + "version": "[variables('analyticRuleVersion54')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName53')]", + "name": "[variables('analyticRuleTemplateSpecName55')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion53')]", + "contentVersion": "[variables('analyticRuleVersion55')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId53')]", + "name": "[variables('analyticRulecontentId55')]", "apiVersion": "2022-04-01-preview", "kind": 
"Scheduled", "location": "[parameters('workspace-location')]", @@ -7430,26 +7696,26 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "GrantIpAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "GrantIpAddress" } - ] + ], + "entityType": "IP" } ] } @@ -7457,16 +7723,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId53'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 53", - "parentId": "[variables('analyticRuleId53')]", - "contentId": "[variables('_analyticRulecontentId53')]", + "description": "Microsoft Entra ID Analytics Rule 55", + "parentId": "[variables('analyticRuleId55')]", + "contentId": "[variables('_analyticRulecontentId55')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion53')]", + "version": "[variables('analyticRuleVersion55')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7488,33 +7754,33 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId53')]", + "contentId": "[variables('_analyticRulecontentId55')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious application consent for offline access", - "contentProductId": "[variables('_analyticRulecontentProductId53')]", - "id": "[variables('_analyticRulecontentProductId53')]", - "version": "[variables('analyticRuleVersion53')]" + "contentProductId": "[variables('_analyticRulecontentProductId55')]", + "id": "[variables('_analyticRulecontentProductId55')]", + "version": "[variables('analyticRuleVersion55')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName54')]", + "name": "[variables('analyticRuleTemplateSpecName56')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion54')]", + "contentVersion": "[variables('analyticRuleVersion56')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId54')]", + "name": "[variables('analyticRulecontentId56')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": 
"[parameters('workspace-location')]", @@ -7551,40 +7817,40 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "userPrincipalName_creator", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName_creator" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "userPrincipalName_deleter", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "userPrincipalName_deleter" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipAddress_creator", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipAddress_creator" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "ipAddress_deleter", - "identifier": "Address" + "identifier": "Address", + "columnName": "ipAddress_deleter" } - ] + ], + "entityType": "IP" } ] } 
@@ -7592,16 +7858,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId54'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 54", - "parentId": "[variables('analyticRuleId54')]", - "contentId": "[variables('_analyticRulecontentId54')]", + "description": "Microsoft Entra ID Analytics Rule 56", + "parentId": "[variables('analyticRuleId56')]", + "contentId": "[variables('_analyticRulecontentId56')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion54')]", + "version": "[variables('analyticRuleVersion56')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7623,42 +7889,42 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId54')]", + "contentId": "[variables('_analyticRulecontentId56')]", "contentKind": "AnalyticsRule", "displayName": "Suspicious Service Principal creation activity", - "contentProductId": "[variables('_analyticRulecontentProductId54')]", - "id": "[variables('_analyticRulecontentProductId54')]", - "version": "[variables('analyticRuleVersion54')]" + "contentProductId": "[variables('_analyticRulecontentProductId56')]", + "id": "[variables('_analyticRulecontentProductId56')]", + "version": "[variables('analyticRuleVersion56')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName55')]", + "name": "[variables('analyticRuleTemplateSpecName57')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion55')]", + "contentVersion": "[variables('analyticRuleVersion57')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId55')]", + "name": "[variables('analyticRulecontentId57')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
"properties": { - "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", - "displayName": "External guest invitation followed by Azure AD PowerShell signin", + "description": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.", + "displayName": "Suspicious Sign In Followed by MFA Modification", "enabled": false, - "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where 
AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", - "queryFrequency": "PT1H", + "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend LogOnTime = 
TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = tostring(split(InitiatorUPN, \"@\")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetSuffix = tostring(split(TargetUPN, \"@\")[1])\n", + "queryFrequency": "P1D", "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", 
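Review bot: The new rule 57 query pairs an MFA change with a sign-in inside `MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))`, yet the rule is scheduled with `"queryFrequency": "P1D"` and `"queryPeriod": "P1D"`, so a sign-in near the end of one run's lookback whose security-info change lands after the run is never correlated (the next run no longer sees the sign-in), and any ingestion delay widens that gap. Give the lookback some overlap with the frequency — for example `"queryPeriod": "P2D"` — or run the rule more often with a short lookback. The threshold `let PriorityScore = 9;` deserves a one-line KQL comment stating that it is the UEBA `InvestigationPriority` cut-off and is meant to be tuned. The description `This query looks uses Microsoft Sentinel's UEBA features ...` reads as a typo ("looks uses"); the same sentence is repeated in `alertDescriptionFormat` in the next hunk, so fix both. The AlertRuleTemplates resource this hunk starts continues past its end into the following hunk.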
@@ -7674,74 +7940,96 @@ ] }, { - "connectorId": "AzureActiveDirectory", + "connectorId": "BehaviorAnalytics", "dataTypes": [ - "SigninLogs" + "BehaviorAnalytics" ] } ], "tactics": [ "InitialAccess", - "Persistence", - "Discovery" + "DefenseEvasion" ], "techniques": [ "T1078", - "T1136", - "T1087" + "T1556" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InvitedUserName", - "identifier": "Name" + "identifier": "AadUserId", + "columnName": "InitiatorID" + }, + { + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "InvitedUserUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatorSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatedByName", - "identifier": "Name" + "identifier": "AadUserId", + "columnName": "TargetId" + }, + { + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "InitiatedByUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "FromIP" } - ] + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIPAddress" + } + ], + "entityType": "IP" } - ] + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}", + "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n" + } 
} }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId55'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 55", - "parentId": "[variables('analyticRuleId55')]", - "contentId": "[variables('_analyticRulecontentId55')]", + "description": "Microsoft Entra ID Analytics Rule 57", + "parentId": "[variables('analyticRuleId57')]", + "contentId": "[variables('_analyticRulecontentId57')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion55')]", + "version": "[variables('analyticRuleVersion57')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
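Review bot: The `requiredDataConnectors` change here only swaps the second entry to `"connectorId": "BehaviorAnalytics"` / `"BehaviorAnalytics"`, while the rule 57 query also joins `AuditLogs` (`join kind=inner (AuditLogs ...)` in the previous hunk); the first connector entry sits just above this hunk and is not visible, so confirm it now declares `AzureActiveDirectory` with `AuditLogs` rather than the `SigninLogs` the old rule needed, otherwise the template will advertise the wrong prerequisite for this detection. The Account mappings look consistent with the query (`InitiatorID`/`TargetId` for `AadUserId`, split name/suffix columns), and both `FromIP` and `SourceIPAddress` exist on the joined rows, so the two IP entities are fine. The AlertRuleTemplates resource whose properties end in this hunk starts in the previous one.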
@@ -7763,43 +8051,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId55')]", + "contentId": "[variables('_analyticRulecontentId57')]", "contentKind": "AnalyticsRule", - "displayName": "External guest invitation followed by Azure AD PowerShell signin", - "contentProductId": "[variables('_analyticRulecontentProductId55')]", - "id": "[variables('_analyticRulecontentProductId55')]", - "version": "[variables('analyticRuleVersion55')]" + "displayName": "Suspicious Sign In Followed by MFA Modification", + "contentProductId": "[variables('_analyticRulecontentProductId57')]", + "id": "[variables('_analyticRulecontentProductId57')]", + "version": "[variables('analyticRuleVersion57')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName56')]", + "name": "[variables('analyticRuleTemplateSpecName58')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion56')]", + "contentVersion": "[variables('analyticRuleVersion58')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId56')]", + "name": "[variables('analyticRulecontentId58')]", "apiVersion": 
"2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", - "displayName": "User Accounts - Sign in Failure due to CA Spikes", + "description": "By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guests\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", + "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", "enabled": false, - "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true 
aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | 
extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", + "query": "let queryfrequency = 1h;\nlet queryperiod = 1d;\nAuditLogs\n| where TimeGenerated > ago(queryperiod)\n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\", \"Invite external user with reset invitation status\")\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"live.com#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUser = tostring(TargetResource.userPrincipalName)\n )\n| mv-expand UserToCompare = pack_array(InitiatedBy, 
InvitedUser) to typeof(string)\n| where UserToCompare has_any (\"live.com#\", \"#EXT#\")\n| extend\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \"live.com#\", tostring(split(UserToCompare, \"#\")[1]), tostring(split(UserToCompare, \"#EXT#\")[0]))), \"@\", \"_\"),\n InvitationTime = TimeGenerated\n| join (\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\n | where TimeGenerated > ago(queryfrequency)\n | where UserType != \"Member\"\n | where AppId has_any // This web may contain a list of these apps: https://msshells.net/\n (\"1b730954-1685-4b74-9bfd-dac224a7b894\",// Azure Active Directory PowerShell\n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\",// Microsoft Azure CLI\n \"1950a258-227b-4e31-a9cf-717495945fc2\",// Microsoft Azure PowerShell\n \"a0c73c16-a7e3-4564-9a95-2bdf47383716\",// Microsoft Exchange Online Remote PowerShell\n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\",// Microsoft Exchange REST API Based Powershell\n \"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\",// Microsoft Intune PowerShell\n \"9bc3ab49-b65d-410a-85ad-de819febfddc\",// Microsoft SharePoint Online Management Shell\n \"12128f48-ec9e-42f0-b203-ea49fb6af367\",// MS Teams Powershell Cmdlets\n \"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\",// Power BI PowerShell\n \"31359c7f-bd7e-475c-86db-fdb8c937548e\",// PnP Management Shell\n \"90f610bf-206d-4950-b61d-37fa6fd1b224\",// Aadrm Admin Powershell\n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" // Microsoft Graph PowerShell\n )\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\n | extend\n parsedUser = replace_string(UserPrincipalName, \"@\", \"_\"),\n SigninTime = TimeGenerated\n )\n on parsedUser\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = TargetResources\n| extend 
InvitedUserName = tostring(split(InvitedUser,'@',0)[0]), InvitedUserUPNSuffix = tostring(split(InvitedUser,'@',1)[0]), \n InitiatedByName = tostring(split(InitiatedBy,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatedBy,'@',1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, @@ -7810,56 +8098,61 @@ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "SigninLogs" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AADNonInteractiveUserSignInLogs" - ] - }, - { - "connectorId": "BehaviorAnalytics", - "dataTypes": [ - "BehaviorAnalytics" + "AuditLogs" ] }, { - "connectorId": "IdentityInfo", + "connectorId": "AzureActiveDirectory", "dataTypes": [ - "IdentityInfo" + "SigninLogs" ] } ], "tactics": [ - "InitialAccess" + "InitialAccess", + "Persistence", + "Discovery" ], "techniques": [ - "T1078" + "T1078", + "T1136", + "T1087" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "InvitedUserName" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InvitedUserUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Name", + "columnName": "InitiatedByName" + }, + { + "identifier": "UPNSuffix", + "columnName": "InitiatedByUPNSuffix" } - ] + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPAddress" + } + ], + "entityType": "IP" } ] } 
@@ -7867,16 +8160,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId56'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 56", - "parentId": "[variables('analyticRuleId56')]", - "contentId": "[variables('_analyticRulecontentId56')]", + "description": "Microsoft Entra ID Analytics Rule 58", + "parentId": "[variables('analyticRuleId58')]", + "contentId": "[variables('_analyticRulecontentId58')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion56')]", + "version": "[variables('analyticRuleVersion58')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -7898,43 +8191,43 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId56')]", + "contentId": "[variables('_analyticRulecontentId58')]", "contentKind": "AnalyticsRule", - "displayName": "User Accounts - Sign in Failure due to CA Spikes", - "contentProductId": "[variables('_analyticRulecontentProductId56')]", - "id": "[variables('_analyticRulecontentProductId56')]", - "version": "[variables('analyticRuleVersion56')]" + "displayName": "External guest invitation followed by Microsoft Entra ID PowerShell signin", + "contentProductId": "[variables('_analyticRulecontentProductId58')]", + "id": "[variables('_analyticRulecontentProductId58')]", + "version": "[variables('analyticRuleVersion58')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName57')]", + "name": "[variables('analyticRuleTemplateSpecName59')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion57')]", + "contentVersion": "[variables('analyticRuleVersion59')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId57')]", + "name": "[variables('analyticRulecontentId59')]", 
"apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", - "displayName": "User added to Azure Active Directory Privileged Groups", + "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nThis query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.", + "displayName": "User Accounts - Sign in Failure due to CA Spikes", "enabled": false, - "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n GroupName = trim('\"',tostring(Property.newValue))\n )\n| 
extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", + "query": "let riskScoreCutoff = 20; //Adjust this based on volume of results\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 50;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 
52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\nlet TimeSeriesAlerts = \nallSignins\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\n| extend (anomalies, score, baseline) = series_decompose_anomalies(DailyCount, scorethreshold, -1, 'linefit')\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n// Filtering low count events per baselinethreshold\n| where anomalies > 0 and baseline > baselinethreshold\n| extend AnomalyHour = TimeGenerated\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > startofday(ago(timeframe))\n| join kind=inner ( \n allSignins\n | where TimeGenerated > startofday(ago(timeframe))\n // create a new column and round to hour\n | extend DateHour = bin(TimeGenerated, 1h)\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\n| extend timestamp = 
LatestAnomalyTime, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| join kind=leftouter (\n IdentityInfo\n | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN\n | extend BlastRadiusInt = iif(BlastRadius == \"High\", 1, 0)\n | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt\n | summarize\n Tags = make_set(Tags, 1000),\n GroupMembership = make_set(GroupMembership, 1000),\n AssignedRoles = make_set(AssignedRoles, 1000),\n BlastRadiusInt = sum(BlastRadiusInt),\n UserType = make_set(UserType, 1000),\n UserAccountControl = make_set(UserType, 1000)\n by AccountUPN\n | extend UserPrincipalName=tolower(AccountUPN)\n) on UserPrincipalName\n| join kind=leftouter (\n BehaviorAnalytics\n | where ActivityType in (\"FailedLogOn\", \"LogOn\")\n | where isnotempty(SourceIPAddress)\n | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress\n | project-rename IPAddress = SourceIPAddress\n | summarize\n UsersInsights = make_set(UsersInsights, 1000),\n DevicesInsights = make_set(DevicesInsights, 1000),\n IPInvestigationPriority = sum(InvestigationPriority)\n by IPAddress)\non IPAddress\n| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority\n| where UEBARiskScore > riskScoreCutoff\n| sort by UEBARiskScore desc \n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, 
@@ -7945,44 +8238,56 @@ { "connectorId": "AzureActiveDirectory", "dataTypes": [ - "AuditLogs" + "SigninLogs" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ] + }, + { + "connectorId": "BehaviorAnalytics", + "dataTypes": [ + "BehaviorAnalytics" + ] + }, + { + "connectorId": "IdentityInfo", + "dataTypes": [ + "IdentityInfo" ] } ], "tactics": [ - "Persistence", - "PrivilegeEscalation" + "InitialAccess" ], "techniques": [ - "T1098", "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" - }, - { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "Address", + "columnName": "IPAddress" } - ] + ], + "entityType": "IP" } ] } 
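Review bot: The required-connector list added here declares `BehaviorAnalytics` and `IdentityInfo` as hard dependencies of the new CA-spike rule, and that is correct but should be documented rather than left implicit: the query (in the preceding hunk, whose start is outside this view) computes `UEBARiskScore = BlastRadiusInt + IPInvestigationPriority` after two `leftouter` joins, and in KQL an addition with a null operand is null, so `where UEBARiskScore > riskScoreCutoff` drops every user absent from IdentityInfo and every source IP with no BehaviorAnalytics row instead of scoring them low. If the intent is to require UEBA, the rule description should say the rule yields nothing in a workspace without it; if the intent is to score, the sum should be `coalesce(BlastRadiusInt, 0) + coalesce(IPInvestigationPriority, 0)`. Either fix belongs in the rule YAML if this template is generated from it by the packaging script.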
@@ -7990,16 +8295,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId57'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 57", - "parentId": "[variables('analyticRuleId57')]", - "contentId": "[variables('_analyticRulecontentId57')]", + "description": "Microsoft Entra ID Analytics Rule 59", + "parentId": "[variables('analyticRuleId59')]", + "contentId": "[variables('_analyticRulecontentId59')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion57')]", + "version": "[variables('analyticRuleVersion59')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -8021,44 +8326,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId57')]", + "contentId": "[variables('_analyticRulecontentId59')]", "contentKind": "AnalyticsRule", - "displayName": "User added to Azure Active Directory Privileged Groups", - "contentProductId": "[variables('_analyticRulecontentProductId57')]", - "id": "[variables('_analyticRulecontentProductId57')]", - "version": "[variables('analyticRuleVersion57')]" + "displayName": "User Accounts - Sign in Failure due to CA Spikes", + "contentProductId": "[variables('_analyticRulecontentProductId59')]", + "id": "[variables('_analyticRulecontentProductId59')]", + "version": "[variables('analyticRuleVersion59')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName58')]", + "name": "[variables('analyticRuleTemplateSpecName60')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion58')]", + "contentVersion": "[variables('analyticRuleVersion60')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId58')]", + "name": "[variables('analyticRulecontentId60')]", "apiVersion": "2022-04-01-preview", 
"kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.", - "displayName": "New User Assigned to Privileged Role", + "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Microsoft Entra ID please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles", + "displayName": "User added to Microsoft Entra ID Privileged Groups", "enabled": false, - "query": "// Define the start and end times based on input values\nlet starttime = now()-1d;\nlet endtime = now();\n// Set a lookback period of 14 days\nlet lookback = starttime - 14d;\n// Define a reusable function to query audit logs\nlet awsFunc = (start:datetime, end:datetime) {\n AuditLogs\n | where TimeGenerated between (start..end)\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n | mv-apply Property = props on\n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"', tostring(Property.newValue))\n )\n | where RoleName contains \"Admin\" and Result == \"success\"\n};\n// Query 
for audit events in the current day\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\n// Query for audit events in the historical period (lookback)\nlet EventInfo_historical = awsFunc(lookback, starttime);\n// Find unseen events by performing a left anti-join\nlet EventInfo_Unseen = (EventInfo_CurrentDay\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\n);\n// Extend and clean up the results\nEventInfo_Unseen\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// You can uncomment the lines below to filter out PIM activations\n// | where Initiator != \"MS-PIM\"\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result\n// Project specific columns and split them for further analysis\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target, '@', 0)[0]),\n TargetUPNSuffix = tostring(split(Target, '@', 1)[0]),\n InitiatorName = tostring(split(Initiator, '@', 0)[0]),\n InitiatorUPNSuffix = tostring(split(Initiator, '@', 1)[0])\n", + "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),\n modProps = TargetResource.modifiedProperties\n )\n| mv-apply Property = modProps on \n (\n where Property.displayName =~ \"Role.WellKnownObjectName\"\n | extend DisplayName = trim('\"',tostring(Property.displayName)),\n 
GroupName = trim('\"',tostring(Property.newValue))\n )\n| extend AppId = InitiatedBy.app.appId,\n InitiatedByDisplayName = case(isnotempty(InitiatedBy.app.displayName), InitiatedBy.app.displayName, isnotempty(InitiatedBy.user.displayName), InitiatedBy.user.displayName, \"not available\"),\n ServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),\n ServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName),\n UserId = InitiatedBy.user.id,\n UserIPAddress = InitiatedBy.user.ipAddress,\n UserRoles = InitiatedBy.user.roles,\n UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, \n isnotempty(UserPrincipalName), UserPrincipalName, \n \"\")\n| extend AccountName = tostring(split(AccountCustomEntity,'@',0)[0]), AccountUPNSuffix = tostring(split(AccountCustomEntity,'@',1)[0])\n| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])\n", "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", + "queryPeriod": "PT1H", + "severity": "Medium", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
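Review bot: The PIM guidance comment in the new "User added to Microsoft Entra ID Privileged Groups" query is inverted: it says `// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.` but the filter that follows, `//| where InitiatedByDisplayName != \"MS-PIM\"`, is already commented out, so an operator following the instruction has nothing to remove and PIM-driven adds keep alerting; reword it to `// To suppress adds performed through PIM, uncomment the filter below.`. Separately, that exclusion keys on `InitiatedBy.app.displayName`, which is chosen by whoever registers an application, so if it is enabled it is safer to match the PIM service principal by its id rather than its name (the correct id cannot be confirmed from this hunk). `PrivilegedGroups` is a fixed three-entry allowlist of `Role.WellKnownObjectName` values, so adds to any other directory role are silently ignored, and the rule description should state that scope. If mainTemplate.json is generated from the rule YAML, these wording fixes belong in the YAML source.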
@@ -8073,37 +8378,39 @@ } ], "tactics": [ - "Persistence" + "Persistence", + "PrivilegeEscalation" ], "techniques": [ + "T1098", "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "TargetUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "InitiatorUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -8111,16 +8418,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId58'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId60'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 58", - "parentId": "[variables('analyticRuleId58')]", - "contentId": "[variables('_analyticRulecontentId58')]", + "description": "Microsoft Entra ID Analytics Rule 60", + "parentId": "[variables('analyticRuleId60')]", + "contentId": "[variables('_analyticRulecontentId60')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion58')]", + "version": "[variables('analyticRuleVersion60')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
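Review bot: The entity mappings for the privileged-groups rule cover the initiator and target accounts but drop the source address: its query projects `UserIPAddress` (from `InitiatedBy.user.ipAddress`) yet no IP entity is declared, so the address is unavailable to entity-based investigation, UEBA enrichment and playbooks. Add a third mapping, `{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "UserIPAddress"}]}`, which is how the CA-spike rule earlier in this diff maps `IPAddress`. The query also projects `UserId`, and other rules in this file pair `AadUserId` with `Name`/`UPNSuffix`, so mapping `UserId` to `AadUserId` on the initiator entity would give a stable identifier for the case where `AccountCustomEntity` falls back to a service-principal display name with an empty suffix. The second hunk on this line is metadata renumbering only.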
@@ -8142,44 +8449,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId58')]", + "contentId": "[variables('_analyticRulecontentId60')]", "contentKind": "AnalyticsRule", - "displayName": "New User Assigned to Privileged Role", - "contentProductId": "[variables('_analyticRulecontentProductId58')]", - "id": "[variables('_analyticRulecontentProductId58')]", - "version": "[variables('analyticRuleVersion58')]" + "displayName": "User added to Microsoft Entra ID Privileged Groups", + "contentProductId": "[variables('_analyticRulecontentProductId60')]", + "id": "[variables('_analyticRulecontentProductId60')]", + "version": "[variables('analyticRuleVersion60')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName59')]", + "name": "[variables('analyticRuleTemplateSpecName61')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion59')]", + "contentVersion": "[variables('analyticRuleVersion61')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId59')]", + "name": "[variables('analyticRulecontentId61')]", "apiVersion": "2022-04-01-preview", "kind": 
"Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This detection looks for new onmicrosoft domains being added to a tenant. \nAn attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns.\nDomain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose.", - "displayName": "New onmicrosoft domain added to tenant", + "description": "Identifies when a new eligible or active privileged role is assigned to a user. Does not alert on PIM activations. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "displayName": "User Assigned New Privileged Role", "enabled": false, - "query": "AuditLogs\n| where AADOperationType == \"Add\"\n| where Result == \"success\"\n| where OperationName in (\"Add verified domain\", \"Add unverified domain\")\n| extend InitiatedBy = parse_json(InitiatedBy)\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingIp = tostring(InitiatedBy.user.ipAddress)\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend InitiatingSPID = tostring(InitiatedBy.app.servicePrincipalId)\n| extend DomainAdded = tostring(TargetResources[0].displayName)\n| where DomainAdded has \"onmicrosoft\"\n| extend ActionInitiatedBy = case(isnotempty(InitiatingUser), InitiatingUser, strcat(InitiatingApp, \" - \", InitiatingSPID))\n| extend UserName = split(InitiatingUser, \"@\")[0]\n| extend UPNSuffix = split(InitiatingUser, \"@\")[1]\n| project-reorder TimeGenerated, OperationName, DomainAdded, ActionInitiatedBy, InitiatingIp\n", - "queryFrequency": 
"PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\", \"CreateRequestGrantedRole\", \"CreateRequestPermanentEligibleRole\", \"CreateRequestPermanentGrantedRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-apply TargetResourceSubject = TargetResources on \n (\n where TargetResourceSubject.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResourceSubject.type =~ \"ServicePrincipal\", tostring(TargetResourceSubject.displayName), tostring(TargetResourceSubject.userPrincipalName)),\n subjectProps = TargetResourceSubject.modifiedProperties\n )\n| mv-apply TargetResourceRole = TargetResources on \n (\n // mimic modifiedProperties so we can use the same logic to get the role name regardless of where it comes from\n where TargetResourceRole.type in~ (\"Role\")\n | extend roleProps = pack_array(bag_pack(\"displayName\",\"Role.DisplayName\", \"newValue\", TargetResourceRole.displayName))\n )\n| mv-apply Property = iff(array_length(subjectProps) > 0, subjectProps, roleProps) on \n ( \n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"',tostring(Property.newValue))\n )\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// Comment below to alert for PIM activations\n| where Initiator != \"MS-PIM\"\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0])\n", + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "severity": 
"High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
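Review bot: The PIM exclusion in the new "User Assigned New Privileged Role" query, `| where Initiator != \"MS-PIM\"`, is active (not commented) and matches on `InitiatedBy.app.displayName`; a display name is set by whoever registers an application, so if a non-first-party app can carry that name, role assignments made through it would be silently excluded from a High-severity rule. Prefer excluding on an immutable identity such as `tostring(InitiatedBy.app.servicePrincipalId)` compared against the tenant's PIM service principal, which cannot be confirmed from this hunk. The query also no longer filters on `Result`, unlike the sibling rule 62 query in this diff (`Result == \"success\"`), so failed assignment attempts alert as well; if that is intentional the description should say so, otherwise add `| where Result =~ \"success\"`. `RoleName contains \"Admin\"` is a substring allowlist, so privileged roles whose display name lacks that word are not covered (Partner Tier2 Support is one example, if present in the tenant). If this template is generated from the rule YAML, these changes belong there.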
@@ -8194,70 +8501,54 @@ } ], "tactics": [ - "ResourceDevelopment" + "Persistence" ], "techniques": [ - "T1585" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "UserName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "InitiatingSPID", - "identifier": "AadUserId" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "InitiatingIp", - "identifier": "Address" - } - ] - }, - { - "entityType": "DNS", - "fieldMappings": [ + "identifier": "Name", + "columnName": "InitiatorName" + }, { - "columnName": "DomainAdded", - "identifier": "DomainName" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ] + ], + "entityType": "Account" } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}", - "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose." 
- } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId59'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId61'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 59", - "parentId": "[variables('analyticRuleId59')]", - "contentId": "[variables('_analyticRulecontentId59')]", + "description": "Microsoft Entra ID Analytics Rule 61", + "parentId": "[variables('analyticRuleId61')]", + "contentId": "[variables('_analyticRulecontentId61')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion59')]", + "version": "[variables('analyticRuleVersion61')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
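Review bot: The tactic and technique tags for rule 61 are `Persistence` / `T1078` only, while rule 60 in this same diff tags the equivalent event (a privileged role or group assignment) with `"Persistence", "PrivilegeEscalation"` and `"T1098", "T1078"`; the two should agree, and T1098 (Account Manipulation) is the more accurate primary technique for an assignment operation. The target Account mapping uses `TargetName`/`TargetUPNSuffix`, which per the query in the preceding hunk is a service-principal display name with an empty suffix when the subject is a service principal; that is workable, but a one-line comment in the rule YAML noting it would save an analyst from expecting a UPN. The removed `alertDetailsOverride` and DNS/IP mappings on the old side belong to the shifted onmicrosoft-domain rule, not to this rule, so no content was lost here.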
@@ -8279,44 +8570,44 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId59')]", + "contentId": "[variables('_analyticRulecontentId61')]", "contentKind": "AnalyticsRule", - "displayName": "New onmicrosoft domain added to tenant", - "contentProductId": "[variables('_analyticRulecontentProductId59')]", - "id": "[variables('_analyticRulecontentProductId59')]", - "version": "[variables('analyticRuleVersion59')]" + "displayName": "User Assigned New Privileged Role", + "contentProductId": "[variables('_analyticRulecontentProductId61')]", + "id": "[variables('_analyticRulecontentProductId61')]", + "version": "[variables('analyticRuleVersion61')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName60')]", + "name": "[variables('analyticRuleTemplateSpecName62')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion60')]", + "contentVersion": "[variables('analyticRuleVersion62')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId60')]", + "name": "[variables('analyticRulecontentId62')]", "apiVersion": "2022-04-01-preview", "kind": 
"Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.", - "displayName": "Suspicious Sign In Followed by MFA Modification", + "description": "Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.", + "displayName": "New User Assigned to Privileged Role", "enabled": false, - "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend LogOnTime = TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = tostring(split(InitiatorUPN, \"@\")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetSuffix = tostring(split(TargetUPN, 
\"@\")[1])\n", - "queryFrequency": "P1D", - "queryPeriod": "P1D", - "severity": "Medium", + "query": "// Define the start and end times based on input values\nlet starttime = now()-1d;\nlet endtime = now();\n// Set a lookback period of 14 days\nlet lookback = starttime - 14d;\n// Define a reusable function to query audit logs\nlet awsFunc = (start:datetime, end:datetime) {\n AuditLogs\n | where TimeGenerated between (start..end)\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-apply TargetResource = TargetResources on\n (\n where TargetResource.type in~ (\"User\", \"ServicePrincipal\")\n | extend Target = iff(TargetResource.type =~ \"ServicePrincipal\", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),\n props = TargetResource.modifiedProperties\n )\n | mv-apply Property = props on\n (\n where Property.displayName =~ \"Role.DisplayName\"\n | extend RoleName = trim('\"', tostring(Property.newValue))\n )\n | where RoleName contains \"Admin\" and Result == \"success\"\n};\n// Query for audit events in the current day\nlet EventInfo_CurrentDay = awsFunc(starttime, endtime);\n// Query for audit events in the historical period (lookback)\nlet EventInfo_historical = awsFunc(lookback, starttime);\n// Find unseen events by performing a left anti-join\nlet EventInfo_Unseen = (EventInfo_CurrentDay\n | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName\n);\n// Extend and clean up the results\nEventInfo_Unseen\n| extend InitiatingApp = tostring(InitiatedBy.app.displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName))\n// You can uncomment the lines below to filter out PIM activations\n// | where Initiator != \"MS-PIM\"\n// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by 
OperationName, RoleName, Target, Initiator, Result\n// Project specific columns and split them for further analysis\n| project TimeGenerated, OperationName, RoleName, Target, Initiator, Result\n| extend TargetName = tostring(split(Target, '@', 0)[0]),\n TargetUPNSuffix = tostring(split(Target, '@', 1)[0]),\n InitiatorName = tostring(split(Initiator, '@', 0)[0]),\n InitiatorUPNSuffix = tostring(split(Initiator, '@', 1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", "suppressionDuration": "PT1H", "suppressionEnabled": false, "triggerOperator": "GreaterThan", 
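Review bot: The "New User Assigned to Privileged Role" query will re-alert on the same assignment every run for a day: `queryFrequency` is `PT1H`, but the current window is `let starttime = now()-1d;` and the `leftanti` baseline ends at `starttime`, so an assignment at time T is "unseen" on every hourly run until T+1d, producing up to 24 duplicate High alerts with `suppressionEnabled` false. Set `let starttime = now()-1h;` to match the run cadence (the `P14D` period still covers the 14-day lookback), or enable suppression. In the commented summarize, `EndTime=min(TimeGenerated)` should be `EndTime=max(TimeGenerated)` before anyone uncomments it. `awsFunc` is a misleading name for a function that reads `AuditLogs`; `auditRoleAssignments` or similar would read better. These belong in the rule YAML if this template is generated from it.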
@@ -8328,98 +8619,57 @@ "dataTypes": [ "AuditLogs" ] - }, - { - "connectorId": "BehaviorAnalytics", - "dataTypes": [ - "BehaviorAnalytics" - ] } ], "tactics": [ - "InitialAccess", - "DefenseEvasion" + "Persistence" ], "techniques": [ - "T1078", - "T1556" + "T1078" ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatorID", - "identifier": "AadUserId" - }, - { - "columnName": "InitiatorName", - "identifier": "Name" + "identifier": "Name", + "columnName": "TargetName" }, { - "columnName": "InitiatorSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "TargetUPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "columnName": "TargetId", - "identifier": "AadUserId" + "identifier": "Name", + "columnName": "InitiatorName" }, { - "columnName": "TargetName", - "identifier": "Name" - }, - { - "columnName": "TargetSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "FromIP", - "identifier": "Address" + "identifier": "UPNSuffix", + "columnName": "InitiatorUPNSuffix" } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "SourceIPAddress", - "identifier": "Address" - } - ] + ], + "entityType": "Account" } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}", - "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n" - } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId60'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId62'),'/'))))]", "properties": { - "description": "Azure Active Directory Analytics Rule 60", - "parentId": "[variables('analyticRuleId60')]", - "contentId": "[variables('_analyticRulecontentId60')]", + "description": "Microsoft Entra ID Analytics Rule 62", + "parentId": "[variables('analyticRuleId62')]", + "contentId": "[variables('_analyticRulecontentId62')]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion60')]", + "version": "[variables('analyticRuleVersion62')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -8441,12 +8691,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId60')]", + "contentId": "[variables('_analyticRulecontentId62')]", "contentKind": "AnalyticsRule", - "displayName": "Suspicious Sign In Followed by MFA Modification", - "contentProductId": "[variables('_analyticRulecontentProductId60')]", - "id": "[variables('_analyticRulecontentProductId60')]", - "version": "[variables('analyticRuleVersion60')]" + "displayName": "New User Assigned to Privileged Role", + "contentProductId": "[variables('_analyticRulecontentProductId62')]", + "id": "[variables('_analyticRulecontentProductId62')]", + "version": "[variables('analyticRuleVersion62')]" } }, { 
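Review bot: Both Account entities in the new `entityMappings` are keyed on `Name` plus `UPNSuffix` only, and for the `ServicePrincipal` branch the query in the preceding hunk sets `Target` to `displayName`, so `TargetUPNSuffix` comes out empty and the target entity is identified by a display name alone, which several principals can share. Projecting `tostring(TargetResource.id)` in the query and mapping it as `AadUserId` (the identifier the removed mappings used) would give the entity a stable key for users and service principals alike. The `Persistence`/`T1078` pair also reads loosely for a privileged-role assignment; `PrivilegeEscalation` with T1098 (Account Manipulation) looks like the closer fit, though that should follow how the rest of the solution classifies similar rules. The enclosing rule object starts before this hunk.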
@@ -8458,13 +8708,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Alert Playbook with template version 3.0.6", + "description": "Block-Entra ID User-Alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Alert", + "defaultValue": "Block-Entra ID User-Alert", "type": "string" } }, @@ -8834,7 +9084,7 @@ "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
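Review bot: The new `PlaybookName` default `Block-Entra ID User-Alert` contains spaces, and as far as I recall Logic Apps workflow names accept only letters, digits, hyphens, underscores, periods and parentheses, so a deployment that keeps the default would be rejected; `"defaultValue": "Block-EntraIDUser-Alert"` keeps the rename without the spaces. The same space-containing defaults appear in the playbook hunks at `@@ -8901`, `@@ -10182`, `@@ -10582`, `@@ -10965`, `@@ -11426`, `@@ -11831`, `@@ -12159`, `@@ -12483` and in the standalone `azuredeploy.json` hunk `@@ -25,7 +25,7 @@`. Changing the default name presumably also means an existing deployment of `Block-AADUser-Alert` gets a second workflow rather than an update, which the template version bump does not call out.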
@@ -8851,15 +9101,15 @@ } ], "metadata": { - "title": "Block AAD user - Alert", - "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "title": "Block Microsoft Entra ID user - Alert", + "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", "prerequisites": [ "None" ], "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Azure AD and Office 365 Outlook Logic App connections." + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ], "lastUpdateTime": "2022-07-11T00:00:00Z", "entities": [ @@ -8886,7 +9136,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId1')]", "contentKind": "Playbook", - "displayName": "Block-AADUser-Alert", + "displayName": "Block-Entra ID User-Alert", "contentProductId": "[variables('_playbookcontentProductId1')]", "id": "[variables('_playbookcontentProductId1')]", "version": "[variables('playbookVersion1')]" 
@@ -8901,13 +9151,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-Incident Playbook with template version 3.0.6", + "description": "Block-Entra ID User-Incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Incident", + "defaultValue": "Block-Entra ID User-Incident", "type": "string" } }, @@ -9260,7 +9510,7 @@ "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -9277,15 +9527,15 @@ } ], "metadata": { - "title": "Block AAD user - Incident", - "description": "For each account entity included in the incident, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "title": "Block Entra ID user - Incident", + "description": "For each account entity included in the incident, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", "prerequisites": [ "None" ], "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Azure AD and Office 365 Outlook Logic App connections." + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ], "lastUpdateTime": "2022-07-11T00:00:00Z", "entities": [ @@ -9312,7 +9562,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId2')]", "contentKind": "Playbook", - "displayName": "Block-AADUser-Incident", + "displayName": "Block-Entra ID User-Incident", "contentProductId": "[variables('_playbookcontentProductId2')]", "id": "[variables('_playbookcontentProductId2')]", "version": "[variables('playbookVersion2')]" 
@@ -9327,7 +9577,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Alert Playbook with template version 3.0.6", + "description": "Prompt-User-Alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -9697,7 +9947,7 @@ "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -9721,7 +9971,7 @@ ], "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." + "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." ], "lastUpdateTime": "2022-07-11T00:00:00Z", "entities": [ @@ -9763,7 +10013,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Incident Playbook with template version 3.0.6", + "description": "Prompt-User-Incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -10116,7 +10366,7 @@ "version": "[variables('playbookVersion4')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -10140,7 +10390,7 @@ ], "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", - "2. Authorize Azure AD, Microsoft Teams, and Office 365 Outlook Logic App connections." + "2. Authorize Microsoft Entra ID, Microsoft Teams, and Office 365 Outlook Logic App connections." ], "lastUpdateTime": "2022-07-11T00:00:00Z", "entities": [ @@ -10182,13 +10432,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-AlertTrigger Playbook with template version 3.0.6", + "description": "Reset-Entra ID Password-AlertTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADPassword-AlertTrigger", + "defaultValue": "Reset-Entra ID Password-AlertTrigger", "type": "string" } }, @@ -10515,7 +10765,7 @@ "version": "[variables('playbookVersion5')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -10532,7 +10782,7 @@ } ], "metadata": { - "title": "Reset Azure AD User Password - Alert Trigger", + "title": "Reset Microsoft Entra ID User Password - Alert Trigger", "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", "prerequisites": [ "None" 
@@ -10567,7 +10817,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId5')]", "contentKind": "Playbook", - "displayName": "Reset-AADPassword-AlertTrigger", + "displayName": "Reset-Entra ID Password-AlertTrigger", "contentProductId": "[variables('_playbookcontentProductId5')]", "id": "[variables('_playbookcontentProductId5')]", "version": "[variables('playbookVersion5')]" @@ -10582,13 +10832,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADPassword-IncidentTrigger Playbook with template version 3.0.6", + "description": "Reset-Entra ID Password-IncidentTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADPassword-IncidentTrigger", + "defaultValue": "Reset-Entra ID Password-IncidentTrigger", "type": "string" } }, @@ -10898,7 +11148,7 @@ "version": "[variables('playbookVersion6')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -10915,7 +11165,7 @@ } ], "metadata": { - "title": "Reset Azure AD User Password - Incident Trigger", + "title": "Reset Microsoft Entra ID User Password - Incident Trigger", "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", "prerequisites": [ "None" 
@@ -10950,7 +11200,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId6')]", "contentKind": "Playbook", - "displayName": "Reset-AADPassword-IncidentTrigger", + "displayName": "Reset-Entra ID Password-IncidentTrigger", "contentProductId": "[variables('_playbookcontentProductId6')]", "id": "[variables('_playbookcontentProductId6')]", "version": "[variables('playbookVersion6')]" @@ -10965,13 +11215,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-AADUser-EntityTrigger Playbook with template version 3.0.6", + "description": "Block-Entra ID User-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-EntityTrigger", + "defaultValue": "Block-Entra ID User-EntityTrigger", "type": "string" } }, @@ -11362,7 +11612,7 @@ "version": "[variables('playbookVersion7')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -11379,12 +11629,12 @@ } ], "metadata": { - "title": "Block AAD user - Entity trigger", - "description": "This playbook disables the selected user (account entity) in Azure Active Directoy. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!", + "title": "Block Microsoft Entra ID user - Entity trigger", + "description": "This playbook disables the selected user (account entity) in Microsoft Entra ID. If this playbook triggered from an incident context, it will add a comment to the incident. This playbook will notify the disabled user manager if available. Note: This playbook will not disable admin user!", "postDeployment": [ "1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", - "3. Authorize Azure AD and Office 365 Outlook Logic App connections." + "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections." ], "lastUpdateTime": "2022-12-08T00:00:00Z", "entities": [ @@ -11411,7 +11661,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId7')]", "contentKind": "Playbook", - "displayName": "Block-AADUser-EntityTrigger", + "displayName": "Block-Entra ID User-EntityTrigger", "contentProductId": "[variables('_playbookcontentProductId7')]", "id": "[variables('_playbookcontentProductId7')]", "version": "[variables('playbookVersion7')]" 
@@ -11426,13 +11676,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-AADUserPassword-EntityTrigger Playbook with template version 3.0.6", + "description": "Reset-Entra ID UserPassword-EntityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", "parameters": { "PlaybookName": { - "defaultValue": "Reset-AADUserPassword-EntityTrigger", + "defaultValue": "Reset-Entra ID UserPassword-EntityTrigger", "type": "string" } }, @@ -11769,7 +12019,7 @@ "version": "[variables('playbookVersion8')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -11786,7 +12036,7 @@ } ], "metadata": { - "title": "Reset Azure AD User Password - Entity trigger", + "title": "Reset Microsoft Entra ID User Password - Entity trigger", "description": "This playbook will reset the user password using Graph API. It will send the password (which is a random guid substring) to the user's manager. The user will have to reset the password upon login.", "postDeployment": [ "1. Assign Password Administrator permission to managed identity.", @@ -11816,7 +12066,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId8')]", "contentKind": "Playbook", - "displayName": "Reset-AADUserPassword-EntityTrigger", + "displayName": "Reset-Entra ID UserPassword-EntityTrigger", "contentProductId": "[variables('_playbookcontentProductId8')]", "id": "[variables('_playbookcontentProductId8')]", "version": "[variables('playbookVersion8')]" 
@@ -11831,13 +12081,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-alert Playbook with template version 3.0.6", + "description": "Revoke-Entra ID SignInSessions-alert Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-alert", + "defaultValue": "Revoke-Entra ID SignInSessions-alert", "type": "string" }, "UserName": { @@ -12097,7 +12347,7 @@ "version": "[variables('playbookVersion9')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -12114,11 +12364,11 @@ } ], "metadata": { - "title": "Revoke-AADSignInSessions alert trigger", + "title": "Revoke-Entra ID SignInSessions alert trigger", "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": [ "1. You must create an app registration for graph api with appropriate permissions.", - "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Azure AD." + "2. You will need to add the managed identity that is created by the logic app to the Password Administrator role in Microsoft Entra ID." ], "comments": "This playbook will revoke all signin sessions for the user using Graph API using a Beta API. It will send and email to the user's manager.", "lastUpdateTime": "2021-07-14T00:00:00Z", 
@@ -12144,7 +12394,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId9')]", "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-alert", + "displayName": "Revoke-Entra ID SignInSessions-alert", "contentProductId": "[variables('_playbookcontentProductId9')]", "id": "[variables('_playbookcontentProductId9')]", "version": "[variables('playbookVersion9')]" @@ -12159,13 +12409,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignInSessions-incident Playbook with template version 3.0.6", + "description": "Revoke-Entra ID SignInSessions-incident Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignInSessions-incident", + "defaultValue": "Revoke-Entra ID SignInSessions-incident", "type": "string" }, "UserName": { @@ -12425,7 +12675,7 @@ "version": "[variables('playbookVersion10')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -12442,7 +12692,7 @@ } ], "metadata": { - "title": "Revoke AAD SignIn Sessions - incident trigger", + "title": "Revoke Entra ID SignIn Sessions - incident trigger", "description": "This playbook will revoke all signin sessions for the user using Graph API. It will send an email to the user's manager.", "prerequisites": "1. You will need to grant User.ReadWrite.All permissions to the managed identity.", "lastUpdateTime": "2021-07-14T00:00:00Z", 
@@ -12468,7 +12718,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId10')]", "contentKind": "Playbook", - "displayName": "Revoke-AADSignInSessions-incident", + "displayName": "Revoke-Entra ID SignInSessions-incident", "contentProductId": "[variables('_playbookcontentProductId10')]", "id": "[variables('_playbookcontentProductId10')]", "version": "[variables('playbookVersion10')]" @@ -12483,13 +12733,13 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-AADSignIn-Session-entityTrigger Playbook with template version 3.0.6", + "description": "Revoke-Entra ID SignIn-Session-entityTrigger Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", "parameters": { "PlaybookName": { - "defaultValue": "Revoke-AADSignIn-Session-entityTrigger", + "defaultValue": "Revoke-Entra ID SignIn-Session-entityTrigger", "type": "string" } }, @@ -12640,7 +12890,7 @@ "version": "[variables('playbookVersion11')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -12657,7 +12907,7 @@ } ], "metadata": { - "title": "Revoke AAD Sign-in session using entity trigger", + "title": "Revoke Entra ID Sign-in session using entity trigger", "description": "This playbook will revoke user's sign-in sessions and user will have to perform authentication again. It invalidates all the refresh tokens issued to applications for a user (as well as session cookies in a user's browser), by resetting the signInSessionsValidFromDateTime user property to the current date-time.", "postDeployment": [ "1. Add Microsoft Sentinel Responder role to the managed identity.", @@ -12683,7 +12933,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId11')]", "contentKind": "Playbook", - "displayName": "Revoke-AADSignIn-Session-entityTrigger", + "displayName": "Revoke-Entra ID SignIn-Session-entityTrigger", "contentProductId": "[variables('_playbookcontentProductId11')]", "id": "[variables('_playbookcontentProductId11')]", "version": "[variables('playbookVersion11')]" @@ -12694,21 +12944,21 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", - "displayName": "Azure Active Directory", + "displayName": "Microsoft Entra ID", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Azure Active Directory solution for Microsoft Sentinel enables you to ingest Azure Active Directory Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.
\nData Connectors: 1, Workbooks: 2, Analytic Rules: 60, Playbooks: 11
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Entra ID solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID Audit, Sign-in, Provisioning, Risk Events and Risky User/Service Principal logs using Diagnostic Settings into Microsoft Sentinel.
\nData Connectors: 1, Workbooks: 2, Analytic Rules: 62, Playbooks: 11
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", - "icon": "", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { "kind": "Solution", - "name": "Azure Active Directory", + "name": "Microsoft Entra ID", "sourceId": "[variables('_solutionId')]" }, "author": {
@@ -13039,6 +13289,16 @@ "contentId": "[variables('analyticRulecontentId60')]", "version": "[variables('analyticRuleVersion60')]" }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId61')]", + "version": "[variables('analyticRuleVersion61')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId62')]", + "version": "[variables('analyticRuleVersion62')]" + }, { "kind": "Playbook", "contentId": "[variables('_Block-AADUser-alert-trigger')]",
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
similarity index 98%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
index e1d3d642d72..b1c3bf5611d 100644
--- a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json
@@ -2,10 +2,10 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "Block AAD user - Alert", - "description": "For each account entity included in the alert, this playbook will disable the user in Azure Active Directoy, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", + "title": "Block Microsoft Entra ID user - Alert", + "description": "For each account entity included in the alert, this playbook will disable the user in Microsoft Entra ID, add a comment to the incident that contains this alert and notify manager if available. Note: This playbook will not disable admin user!", "prerequisites": ["None"], - "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Azure AD and Office 365 Outlook Logic App connections."], + "postDeployment": ["1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.", "2. Grant User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions to the managed identity.", "3. Authorize Microsoft Entra ID and Office 365 Outlook Logic App connections."], "lastUpdateTime": "2022-07-11T00:00:00.000Z", "entities": [ "Account" ], "tags": [ "Remediation" ], @@ -25,7 +25,7 @@ }, "parameters": { "PlaybookName": { - "defaultValue": "Block-AADUser-Alert", + "defaultValue": "Block-Entra ID User-Alert", "type": "string" } }, 
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerDark.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/AlertTriggerLight.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png
similarity index 100%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/images/Block-AADUser_alert.png
diff --git a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
similarity index 85%
rename from Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
rename to Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
index 9549ab00e13..6c96138b059 100644
--- a/Solutions/Azure Active Directory/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
+++ b/Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/releaseNotes.md
@@ -1,8 +1,8 @@ ### 1.1 Added manager notification action -- Added action to check if the user has a manager assigned in the Azure AD and notify the manager that the user is disabled