[Rule tuning] Azure Active Directory High Risk Sign-in (#1463)

* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but a risk_level_aggregated:high, which is just as concerning and must be alerted on.
* An example is a password spray attack with a successful login, which makes me consider a new rule for interesting risk event types.
Nic
2021-08-30 17:33:44 -05:00
committed by GitHub
parent 7b8b18cb20
commit 8b2c8c2e03
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2021/08/30"
integration = "azure"
[rule]
@@ -34,7 +34,7 @@ type = "query"
query = '''
event.dataset:azure.signinlogs and
azure.signinlogs.properties.risk_level_during_signin:high and
(azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and
event.outcome:(success or Success)
'''
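Review bot: the parentheses around the new `(risk_level_during_signin:high or risk_level_aggregated:high)` term are essential and correctly placed; without them the `or` would bind across the trailing `and event.outcome:(success or Success)` clause and the rule would fire on any `risk_level_aggregated:high` event regardless of outcome. Since the query now matches on either field, the rationale from the commit message (a low risk at sign-in but a high aggregated risk, e.g. a successful login following a password spray) should also be carried into the rule's `description` or `note` so that an analyst triaging an alert with `risk_level_during_signin:low` understands why it triggered.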