From 8b2c8c2e03e4b823ad306085870eac21ffedac65 Mon Sep 17 00:00:00 2001
From: Nic
Date: Mon, 30 Aug 2021 17:33:44 -0500
Subject: [PATCH] [Rule tuning] Azure Active Directory High Risk Sign-in (#1463)

* Add Aggregated Risk Level

* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.

* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types
---
 ...nitial_access_azure_active_directory_high_risk_signin.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 906d0606e..71e355c47 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2021/08/30"
 integration = "azure"
 
 [rule]
@@ -34,7 +34,7 @@ type = "query"
 
 query = '''
 event.dataset:azure.signinlogs and
- azure.signinlogs.properties.risk_level_during_signin:high and
+ (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and
 event.outcome:(success or Success)
 '''
 
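Review bot: The added `risk_level_aggregated:high` clause widens what the rule fires on in a way the rule's own text does not yet reflect — aggregated risk is, as I understand Identity Protection, a per-user state rather than a property of the individual sign-in, so every successful sign-in by a user whose aggregated risk is high would match until that risk is remediated, producing repeated alerts per user instead of one per risky sign-in. If that is the intent it should be stated in the `[rule]` description and false-positive guidance, which sit between the two hunks and are not touched here; as written, metadata titled "High Risk Sign-in" now also matches a low-risk sign-in with high aggregated user risk, which is precisely the case the commit message calls out. It is also worth confirming that the integration emits `risk_level_aggregated` as lowercase `high` in the same documents where during-sign-in risk is lowercase, given that `event.outcome` already has to accept both `success` and `Success`. Since the `query` value is a literal TOML string, the rationale cannot be carried as an inline comment and belongs in the description field, e.g. "Also matches sign-ins whose aggregated (user-level) risk is high even when the individual sign-in risk is low."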