security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix new term doc broken link (#4706)

Browse Source
This commit is contained in:
shashank-elastic
2025-05-07 17:03:58 +05:30
committed by GitHub
parent acab8b4c6e
commit 0f3bfcd98a
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2025/05/01"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/01"
updated_date = "2025/05/07"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ note = """## Triage and analysis
This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/new-terms-rules.html) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.
This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.
### Possible Investigation Steps: