security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Microsoft Entra ID Protection - Risk Detections (#4725)

Browse Source 
* new rule 'Microsoft Entra ID Protection - Risk Detections'

* added timing bypass

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus
2025-05-19 13:51:26 -04:00
committed by GitHub
parent 43cdc7ff51
commit 0d366d6a15
1 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/entra_id_identity_protection_risk_detections.toml
+48
View File
@@ -0,0 +1,48 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2025/05/18"
integration = ["azure"]
maturity = "production"
promotion = true
updated_date = "2025/05/18"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies Microsoft Entra ID Protection sign-in risk detections triggered by a range of risk events such as anonymized
IP addresses, password spray attacks, impossible travel, token anomalies, and more. These detections are often early
indicators of potential account compromise or malicious sign-in behavior. This is a promotion rule intended to surface
all Entra ID sign-in risk events for further investigation and correlation with other identity-related activity. This is
a building block rule that is used to collect all Microsoft Entra ID Protection sign-in or user risk detections. It is
not intended to be used as a standalone detection.
"""
from = "now-9m"
index = ["logs-azure.identity_protection-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID Protection - Risk Detections"
references = [
"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-types-and-detection",
]
risk_score = 47
rule_id = "da0d4bae-33ee-11f0-a59f-f661ea17fbcd"
setup = ""
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Protection",
"Data Source: Microsoft Entra ID Protection Logs",
"Use Case: Identity and Access Audit",
"Use Case: Threat Detection",
"Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: "azure.identity_protection"
'''