diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
index 87cc5610c8e..2218be1ae19 100644
--- a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
+++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json
@@ -90,7 +90,7 @@
 "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.2.8",
+ "Version": "3.2.9",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Microsoft Entra ID/Package/3.2.9.zip b/Solutions/Microsoft Entra ID/Package/3.2.9.zip
new file mode 100644
index 00000000000..c45d1433f88
Binary files /dev/null and b/Solutions/Microsoft Entra ID/Package/3.2.9.zip differ
diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
index 354f5ae5bbd..a6e048d3472 100644
--- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json
+++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json
@@ -49,7 +49,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Microsoft Entra ID",
- "_solutionVersion": "3.2.8",
+ "_solutionVersion": "3.2.9",
 "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AzureActiveDirectory",
@@ -616,7 +616,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Entra ID data connector with template version 3.2.8",
+ "description": "Microsoft Entra ID data connector with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -995,7 +995,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureActiveDirectoryAuditLogs Workbook with template version 3.2.8", + "description": "AzureActiveDirectoryAuditLogs Workbook with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1083,7 +1083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureActiveDirectorySignins Workbook with template version 3.2.8", + "description": "AzureActiveDirectorySignins Workbook with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -1171,7 +1171,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1199,10 +1199,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -1356,7 +1356,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1384,10 +1384,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1502,7 +1502,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1530,10 +1530,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -1648,7 +1648,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1676,10 +1676,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "ADFSSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1752,7 +1752,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1780,10 +1780,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -1935,7 +1935,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1963,16 +1963,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -2016,8 +2016,8 @@ "Application": "AppDisplayName" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}", - "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n" + "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n", + "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}" } } }, @@ -2072,7 +2072,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2100,16 +2100,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "BehaviorAnalytics", "dataTypes": [ "IdentityInfo" - ], - "connectorId": "BehaviorAnalytics" + ] } ], "tactics": [ @@ -2221,7 +2221,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2249,16 +2249,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2357,7 +2357,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -2385,10 +2385,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2519,7 +2519,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2547,10 +2547,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -2597,8 +2597,8 @@ } ], "alertDetailsOverride": { - "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}", - "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n" + "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n", + "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}" } } }, @@ -2653,7 +2653,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", 
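Review bot: The re-emitted `alertDescriptionFormat` for the AzurePortalSigninfromanotherAzureTenant rule (hunk `@@ -2597,8 +2597,8 @@`) still carries an ungrammatical clause that analysts see on every incident: "where the user who is signing in from another Azure tenant," has no main verb. Since this line is being rewritten anyway, the text could read `"... sign-in attempts to the Azure Portal where the user who is signing in is from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. ..."`. Because `Package/mainTemplate.json` appears to be generated by the solution packaging tool, the wording fix presumably belongs in the rule's source YAML and should be regenerated from there rather than patched here. The enclosing `alertDetailsOverride` object is fully visible, but the surrounding rule resource starts and ends outside the hunk.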
@@ -2681,16 +2681,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2789,7 +2789,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -2817,10 +2817,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -2919,7 +2919,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -2947,10 +2947,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3086,7 +3086,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3114,16 +3114,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3224,7 +3224,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", 
@@ -3252,10 +3252,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3418,7 +3418,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3446,10 +3446,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3570,7 +3570,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -3598,10 +3598,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -3722,7 +3722,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -3750,10 +3750,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -3874,7 +3874,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -3902,10 +3902,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4026,7 +4026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4054,10 +4054,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4178,7 +4178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -4206,10 +4206,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4330,7 +4330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4358,16 +4358,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -4457,7 +4457,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4485,16 +4485,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4584,7 +4584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -4612,22 +4612,22 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceInfo" - ], - "connectorId": "MicrosoftThreatProtection" + ] } ], "tactics": [ @@ -4739,7 +4739,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -4767,10 +4767,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -4834,8 +4834,8 @@ "OAuthAppId": "AppId" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}", - "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n" + "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", + "alertDisplayNameFormat": "User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}" } } }, 
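Review bot: The re-emitted `alertDescriptionFormat` for the ExchangeFullAccessGrantedToApp rule contains several grammar errors in text that is rendered verbatim into the alert shown to responders: "This permission provide access", "can could be exploited", and "the applications function". While the line is being rewritten, it could read `"This permission provides access to all Exchange mailboxes via the EWS API and could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the application's function.\n..."`. As `Package/mainTemplate.json` looks tool-generated, the correction presumably belongs in the analytic rule's source definition so it is not lost on the next repackaging. The enclosing rule resource begins and ends outside the hunk.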
@@ -4890,7 +4890,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -4918,16 +4918,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5017,7 +5017,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5045,10 +5045,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -5168,7 +5168,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5196,10 +5196,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -5346,7 +5346,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.2.8", + "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.2.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -5374,10 +5374,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
@@ -5485,7 +5485,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
@@ -5513,10 +5513,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -5635,7 +5635,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
@@ -5663,10 +5663,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -5776,7 +5776,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
@@ -5804,22 +5804,22 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "BehaviorAnalytics"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "IdentityInfo"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 }
 ],
 "tactics": [
@@ -5921,7 +5921,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
@@ -5949,10 +5949,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6042,7 +6042,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
@@ -6070,10 +6070,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6198,7 +6198,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
@@ -6226,10 +6226,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6300,8 +6300,8 @@
 "aggregationKind": "SingleAlert"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}",
- "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose."
+ "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.",
+ "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}"
 }
 }
 },
@@ -6356,7 +6356,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
@@ -6384,10 +6384,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6498,7 +6498,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
@@ -6522,10 +6522,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6636,7 +6636,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
@@ -6660,10 +6660,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6788,7 +6788,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
@@ -6812,10 +6812,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -6926,7 +6926,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
@@ -6950,10 +6950,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -7065,7 +7065,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
@@ -7089,10 +7089,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -7220,7 +7220,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
@@ -7244,10 +7244,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -7375,7 +7375,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
@@ -7399,10 +7399,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -7529,7 +7529,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
@@ -7557,10 +7557,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -7688,7 +7688,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PossibleSignInfromAzureBackdoor_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "PossibleSignInfromAzureBackdoor_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
@@ -7716,11 +7716,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs",
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -7754,13 +7754,13 @@
 }
 ],
 "customDetails": {
- "SignInTime": "SignInTime",
- "DomainAddedTime": "DomainAddedTime",
+ "InitiatedBy": "InitiatedBy",
+ "ModifiedProperties": "ModifiedProperties",
 "AppDisplayName": "AppDisplayName",
+ "SignInTime": "SignInTime",
 "DomainAdded": "DomainName",
- "ResourceDisplayName": "ResourceDisplayName",
- "ModifiedProperties": "ModifiedProperties",
- "InitiatedBy": "InitiatedBy"
+ "DomainAddedTime": "DomainAddedTime",
+ "ResourceDisplayName": "ResourceDisplayName"
 }
 }
 },
@@ -7815,7 +7815,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
@@ -7843,22 +7843,22 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "IdentityInfo"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 }
 ],
 "tactics": [
@@ -7951,7 +7951,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]",
@@ -7979,10 +7979,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -8110,7 +8110,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]",
@@ -8138,10 +8138,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -8242,7 +8242,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]",
@@ -8270,10 +8270,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -8363,7 +8363,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]",
@@ -8391,16 +8391,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -8481,7 +8481,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]",
@@ -8509,22 +8509,22 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "BehaviorAnalytics"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 }
 ],
 "tactics": [
@@ -8599,7 +8599,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]",
@@ -8627,16 +8627,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -8735,7 +8735,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]",
@@ -8763,16 +8763,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -8845,7 +8845,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]",
@@ -8873,28 +8873,28 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "BehaviorAnalytics"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "IdentityInfo"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 }
 ],
 "tactics": [
@@ -8995,7 +8995,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]",
@@ -9023,10 +9023,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -9109,8 +9109,8 @@
 }
 ],
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed",
- "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n"
+ "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n",
+ "alertDisplayNameFormat": "Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed"
 }
 }
 },
@@ -9165,7 +9165,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]",
@@ -9193,10 +9193,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -9304,7 +9304,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]",
@@ -9332,11 +9332,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs",
 "AADServicePrincipalSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -9455,7 +9455,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]",
@@ -9483,16 +9483,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "BehaviorAnalytics"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 }
 ],
 "tactics": [
@@ -9583,8 +9583,8 @@
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
- "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}",
- "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n"
+ "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n",
+ "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}"
 }
 }
 },
@@ -9639,7 +9639,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]",
@@ -9667,16 +9667,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -9810,7 +9810,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]",
@@ -9838,28 +9838,28 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AADNonInteractiveUserSignInLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "BehaviorAnalytics"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 },
 {
+ "connectorId": "BehaviorAnalytics",
 "dataTypes": [
 "IdentityInfo"
- ],
- "connectorId": "BehaviorAnalytics"
+ ]
 }
 ],
 "tactics": [
@@ -9952,7 +9952,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]",
@@ -9980,10 +9980,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -10110,7 +10110,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]",
@@ -10138,10 +10138,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -10269,7 +10269,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.2.8",
+ "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject63').analyticRuleVersion63]",
@@ -10297,10 +10297,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -10428,7 +10428,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Block-EntraIDUser-Alert Playbook with template version 3.2.8",
+ "description": "Block-EntraIDUser-Alert Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -10871,7 +10871,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Block-EntraIDUser-Incident Playbook with template version 3.2.8",
+ "description": "Block-EntraIDUser-Incident Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -11297,7 +11297,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Prompt-User-Alert Playbook with template version 3.2.8",
+ "description": "Prompt-User-Alert Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -11733,7 +11733,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Prompt-User-Incident Playbook with template version 3.2.8",
+ "description": "Prompt-User-Incident Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -12152,7 +12152,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Reset-EntraIDPassword-AlertTrigger Playbook with template version 3.2.8",
+ "description": "Reset-EntraIDPassword-AlertTrigger Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -12552,7 +12552,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Reset-EntraIDPassword-IncidentTrigger Playbook with template version 3.2.8",
+ "description": "Reset-EntraIDPassword-IncidentTrigger Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -12935,7 +12935,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Block-EntraIDUser-EntityTrigger Playbook with template version 3.2.8",
+ "description": "Block-EntraIDUser-EntityTrigger Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion7')]",
@@ -13396,7 +13396,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Reset-EntraIDUserPassword-EntityTrigger Playbook with template version 3.2.8",
+ "description": "Reset-EntraIDUserPassword-EntityTrigger Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion8')]",
@@ -13801,7 +13801,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Revoke-EntraIDSignInSessions-alert Playbook with template version 3.2.8",
+ "description": "Revoke-EntraIDSignInSessions-alert Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion9')]",
@@ -14129,7 +14129,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Revoke-EntraIDSignInSessions-incident Playbook with template version 3.2.8",
+ "description": "Revoke-EntraIDSignInSessions-incident Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion10')]",
@@ -14436,7 +14436,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Revoke-EntraIDSignIn-Session-entityTrigger Playbook with template version 3.2.8",
+ "description": "Revoke-EntraIDSignIn-Session-entityTrigger Playbook with template version 3.2.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion11')]",
@@ -14647,7 +14647,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.2.8",
+ "version": "3.2.9",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Microsoft Entra ID",
diff --git a/Solutions/Microsoft Entra ID/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md
index fb6fca82ec8..93499486003 100644
--- a/Solutions/Microsoft Entra ID/ReleaseNotes.md
+++ b/Solutions/Microsoft Entra ID/ReleaseNotes.md
@@ -1,6 +1,7 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 | ----------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| 3.2.8 | 26-07-2024 | Updated **Analytical Rule** for missing TTP |
+| 3.2.9 | 27-08-2024 | Updated **Analytical Rule** for missing TTP |
+| 3.2.8 | 19-08-2024 | Exclude Result Reason "RoleAssignmentExists" from **Analytic Rule** [NRT PIM Elevation Request Rejected] |
 | 3.2.7 | 12-06-2024 | Fixed the bugs from **Analytic Rules** |
 | 3.2.6 | 06-06-2024 | Successful logon from IP and failure from a different IP fixes |
 | 3.2.5 | 28-05-2024 | Updated Entity mappings and changed description in **Analytic Rule** |