Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update AADHostLoginCorrelation.yaml #11294

Merged

Conversation

atombravo
Copy link
Contributor

Required items, please complete

Change(s):

  • Updated AADHostLoginCorrelation.yaml to remove suspicious_signins results with no IPAddress

Reason for Change(s):

  • Suspcious signins without an IPAddress will spuriously match the Linux syslog events when the regex returns "" for the SourceIP

Version Updated:

  • 1.3.1

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • No

Guidance <- remove section before submitting


Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:


Remove IPAddress='' from suspicious_signins results since they can spuriously match the Linux syslog login events (the regex can also return "" as SourceIP).
Updated version number
@atombravo atombravo requested review from a team as code owners October 17, 2024 16:59
@v-prasadboke v-prasadboke self-assigned this Oct 18, 2024
@v-prasadboke v-prasadboke added Detection Detection specialty review needed Standalone Standalone Content labels Oct 18, 2024
@v-atulyadav v-atulyadav merged commit a462930 into Azure:master Oct 18, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Detection Detection specialty review needed Standalone Standalone Content
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants