Azure · v-dvedak · Nov 9, 2023 · Oct 30, 2023 · Oct 30, 2023 · Oct 30, 2023
@@ -1,7 +1,7 @@
 id: f80d951a-eddc-4171-b9d0-d616bb83efdc
 name: Admin promotion after Role Management Application Permission Grant
 description: |
-  'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).
+  'This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Microsoft Entra ID object or user account to an Admin directory role (i.e. Global Administrators).
   This is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission allows an app to manage permission grants for application permissions to any API.
   A service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.
   Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http'
@@ -92,5 +92,5 @@ entityMappings:
         columnName: TargetName
       - identifier: UPNSuffix
         columnName: TargetUPNSuffix
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
@@ -1,8 +1,7 @@
 id: 7cb8f77d-c52f-4e46-b82f-3cf2e106224a
 name: Anomalous sign-in location by user account and authenticating application
 description: |
-  'This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active
-  Directory application and picks out the most anomalous change in location profile for a user within an
+  'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
   individual application.
 severity: Medium
 requiredDataConnectors:
@@ -58,9 +57,8 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}
   alertDescriptionFormat: |
-    This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active
-    Directory application and picks out the most anomalous change in location profile for a user within an
+    This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
     individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} 
     different locations.
-version: 2.0.0
+version: 2.0.1
 kind: Scheduled
@@ -1,9 +1,9 @@
 id: 50574fac-f8d1-4395-81c7-78a463ff0c52
-name: Azure Active Directory PowerShell accessing non-AAD resources
+name: Microsoft Entra ID PowerShell accessing non-Entra ID resources
 description: |
-  'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
-  For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.
-  For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.'
+  'This will alert when a user or application signs in using Microsoft Entra ID PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
+  For capabilities and expected behavior of the Microsoft Entra ID PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.
+  For further information on Microsoft Entra ID Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.'
 severity: Low
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
@@ -53,5 +53,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
@@ -1,9 +1,9 @@
 id: 1ff56009-db01-4615-8211-d4fda21da02d
-name: Azure AD Role Management Permission Grant
+name: Microsoft Entra ID Role Management Permission Grant
 description: |
   'Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.
   This permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.
-  An adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.
+  An adversary could use this permission to add an Microsoft Entra ID object to an Admin directory role and escalate privileges.
   Ref : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions
   Ref : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http'
 severity: High
@@ -64,5 +64,5 @@ entityMappings:
     fieldMappings:
       - identifier: Name
         columnName: AppDisplayName
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled