Terrance DeJesus
756a7f49ba
[Rule Tuning] Microsoft Entra ID MFA TOTP Brute Force Attempts (#4937)
* tuning rule 'Microsoft Entra ID MFA TOTP Brute Force Attempts'
* adjusted logic
2025-07-29 09:24:20 -04:00
shashank-elastic
64db33a50b
[Rule Tuning] Azure Key Vault Secret Key Usage by Unusual Identity (#4925)
2025-07-22 20:22:31 +05:30
Mika Ayenson, PhD
3b9e927ca8
[Rule Tuning] OIDC Discovery URL Changed in Entra ID (#4923)
2025-07-22 17:31:45 +05:30
Terrance DeJesus
c2880afa06
[New Rule] OIDC Discovery URL Changed in Entra ID (#4908)
* new rule OIDC Discovery URL Changed in Entra ID
* added references
* removed indexes
* Update rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
* adjusted for ESQL standardization
2025-07-18 10:26:02 -04:00
Terrance DeJesus
a3a2fcdff5
[New Rule] Azure Key Vault Secret Key Usage by Unusual Identity (#4900)
* new rule Azure Key Vault Secret Key Usage by Unusual Identity
* added index
* added non-ecs field
* added azure.resource.name to new terms
* Update rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
* adjusted new terms
* Update rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-07-18 10:01:45 -04:00
Terrance DeJesus
8e99bace44
[New Rule] External Authentication Method Addition or Modification in Entra ID (#4906)
* new rule External Authentication Method Addition or Modification in Entra ID
* added references
* adjusted to new terms
2025-07-18 09:45:33 -04:00
Terrance DeJesus
72afee06ca
[New Rule] Excessive Secret or Key Retrieval from Azure Key Vault (#4898)
* new rule Excessive Secret or Key Retrieval from Azure Key Vault
* adjusted query for ESQL standardization
* adjusted from ESQL to Esql
2025-07-18 09:30:10 -04:00
Terrance DeJesus
0f8c53e4d2
[Rule Tuning] Azure Key Vault Modified (#4896)
* tuning rule Azure Key Vault Modified
* Update rules/integrations/azure/impact_azure_key_vault_modified.toml
* adjusted description
* Update rules/integrations/azure/impact_azure_key_vault_modified.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-07-17 09:31:58 -04:00
Terrance DeJesus
51b6f0dbd7
[Rule Deprecation] Azure Virtual Network Device Modified or Deleted (#4889)
* deprecating 'Azure Virtual Network Device Modified or Deleted'
* changed maturity
2025-07-14 15:58:11 -04:00
shashank-elastic
b70792082a
Fix pipe characters in rule descriptions (#4893)
2025-07-10 15:11:20 +05:30
Terrance DeJesus
6e2936aa8c
[New Rule] TeamFiltration User-Agents Detected (#4868)
* new rule TeamFiltration User-Agents Detected
* changed UUID
* tightened index scope
* fixing query optimization
* adjusted query
2025-07-08 09:56:06 -04:00
Terrance DeJesus
acfc106164
new rule Suspicious Entra ID OAuth User Impersonation Scope Detected (#4876)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-07-07 14:29:06 -04:00
shashank-elastic
9b292b97ea
Prep 8.19/9.1 (#4869)
* Prep 8.19/9.1 Release
* Download Beats Schema
* Download API Schema
* Download 8.18.3 Beats Schema
* Download Latest Integrations manifest and schema
* Comment old schemas
* Update Patch version
2025-07-07 11:27:48 -04:00
Terrance DeJesus
6a083ec984
[New Rule] Unusual ROPC Login Attempt by User Principal (#4871)
* new rule Unusual ROPC Login Attempt by User Principal
* linted
2025-07-03 14:43:19 -04:00
Terrance DeJesus
016cdf2cbb
[New Rule] Microsoft Entra ID Suspicious Cloud Device Registration (#4802)
* new rule Microsoft Entra ID Suspicious Cloud Device Registration
* adjusted backticks in non-ecs and rule
* linted
* adjusted uuid; bumped patch version
2025-07-02 10:03:08 -04:00
Terrance DeJesus
10d95baa2b
[Rule Tuning] Microsoft Entra ID Excessive Account Lockouts Detected (#4851)
* adjusting Microsoft Entra ID Excessive Account Lockouts Detected
* removing unit test
* added newline
* adjusted dates
2025-07-01 08:18:18 -04:00
Terrance DeJesus
ba429070e3
[New Rule] Entra ID RT to PRT Transition from Same User and Device (#4845)
2025-06-25 14:52:50 -04:00
Terrance DeJesus
0aefedd6f1
[New Rule] Suspicious ADRS Token Request by Microsoft Auth Broker (#4801)
* new rule Suspicious ADRS Token Request by Microsoft Auth Broker
* bumping patch version
* updating patch version
2025-06-18 14:41:04 -04:00
Terrance DeJesus
0c68fcb7d9
[New Rule] Entra ID User Signed In from Unusual Device (#4804)
* new rule Entra ID User Signed In from Unusual Device
* adjusted patch version
* adjusted patch version
* updating patch version
2025-06-18 14:13:42 -04:00
Terrance DeJesus
7b1139b219
[Rule Tuning] Expand Scope of Entra ID Brute Force Sign-In Attempts (#4777)
* tuning rule to not be M365 specific
* adjusted rules
* linted
* linted; adjusted descriptions
* tuned rule logic
* adjusted time logic
* adjusted query logic
* removed 50053 from inclusion
* adjusted query
2025-06-18 10:59:50 -04:00
Terrance DeJesus
4fb8483f2d
[Rule Tuning] Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4793)
* rule tuning Suspicious Activity via Auth Broker On-Behalf-of Principal User
* adjusted investigation guide
* adjusted time
2025-06-17 19:10:55 -04:00
Terrance DeJesus
c7c1586160
[Rule Deprecation] Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (#4780)
* rule deprecation
* adjusted investigation guide
2025-06-10 12:02:54 -04:00
Terrance DeJesus
9569aa4860
[New Rule] Microsoft Entra ID Excessive Account Lockouts Detected (#4782)
* new rule Microsoft Entra ID Excessive Account Lockouts Detected
* updating investigation guide
* removed user agent exception
* linted
2025-06-10 11:31:35 -04:00
Terrance DeJesus
0a8c3ca471
new rule for bloodhound user agents (#4769)
2025-06-04 09:11:13 -04:00
Terrance DeJesus
71c82ec475
[New Rule] Entra ID Protection - Risk Detection - User Risk (#4762)
* new rule Entra ID Protection - Risk Detection - User Risk
* adding max signals note
* adjusted mitre mapping
* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-06-04 08:59:01 -04:00
Terrance DeJesus
61fb056f05
[Rule Tuning] Microsoft Entra ID Protection Anonymized IP Risk Detection (#4759)
* tuning Microsoft Entra ID Protection Anonymized IP Risk Detection
* adjusted tags and mappings
* added max signals
* adjusted file name
* adding max signals note
* adjusted mitre mapping
2025-06-04 08:31:21 -04:00
Terrance DeJesus
bfca0ea414
[New Hunt] Commvault Supply Chain Threat (#4748)
* hunts for CommVault threat
* added lookback time to ESQL query
* updated query logic
2025-05-28 14:11:46 -04:00
Terrance DeJesus
17d98cc8dd
[Rule Tuning] Tuning Azure Entra Sign-in Brute Force against Microsoft 365 Accounts (#4737)
* rule tuning 'Potential Microsoft 365 Brute Force via Entra ID Sign-Ins'
* updated lookback windows, date truncation times
* updated investigation guide
2025-05-28 13:45:15 -04:00
Terrance DeJesus
4bd8469c38
[New Rule] Microsoft Entra ID Elevated Access to User Access Administrator (#4742)
* new rule Microsoft Entra ID Elevated Access to User Access Administrator
* updating uuid
2025-05-28 13:33:22 -04:00
Terrance DeJesus
22d780f9af
[New Rule] Microsoft Entra ID User Reported Suspicious Activity (#4740)
* new rule Microsoft Entra ID User Reported Suspicious Activity
* Update rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-05-28 11:55:51 -04:00
Terrance DeJesus
0d4db2ecfe
tuning 'Microsoft Entra ID High Risk Sign-in' (#4739)
2025-05-28 11:40:04 -04:00
Terrance DeJesus
82bee3e9c2
[Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)
* tuning 'Microsoft Graph First Occurrence of Client Request'
* updated update date
2025-05-19 14:56:21 -04:00
Terrance DeJesus
8f27c24528
[New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704)
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'
* updated patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 20:49:08 -04:00
Terrance DeJesus
d83e1c711a
[New Rule] Microsoft Entra Session Reuse with Suspicious Graph Access (#4711)
* new rule 'Microsoft Entra Session Reuse with Suspicious Graph Access'
* fixed tags; linted
* fixed mitre mappings
* updated name and investigation guide
2025-05-09 20:32:22 -04:00
shashank-elastic
0f3bfcd98a
Fix new term doc broken link (#4706)
2025-05-07 17:03:58 +05:30
James Valente
36d595ae2f
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)
* Add exceptions for non-interactive signin failures.
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:
- 70043: Refresh token expired or no longer valid due to conditional access frequency checks
- 70044: Session expired or no longer valid due to conditional access frequency checks
- 50057: User account is disabled
* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
* Update metadata for `updated_date`
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-06 22:43:15 +05:30
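The exception logic described in the commit above, as an added example that is not Elastic's rule code (the real rule is a query in the repository's TOML file; this is a Python model of the same idea run over constructed sign-in events). The event field names, the 30-minute window, the threshold of 10 failures and the use of error code 50126 as the invalid-credentials failure are assumptions for illustration; only the three excluded codes and the restriction to `NonInteractiveUserSignInLogs` come from the commit.

```python
"""
Added example, not Elastic's rule code: models the tuned brute-force
scoring from the commit above. Field names, window, threshold and the
50126 sample code are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Codes the commit excludes, but only for non-interactive sign-ins:
# token refreshes rejected by a Conditional Access sign-in frequency
# check (70043, 70044) or because the account is disabled (50057).
# None of these are evidence of password guessing.
NON_INTERACTIVE_BENIGN_CODES = {"70043", "70044", "50057"}

# Assumed detection parameters (illustrative, not the rule's values).
WINDOW = timedelta(minutes=30)
FAILURE_THRESHOLD = 10

CATEGORY = "azure.signinlogs.category"
USER = "azure.signinlogs.properties.user_principal_name"
CODE = "azure.signinlogs.properties.status.error_code"


def _event(minutes, user, category, code):
    """Build one constructed failed sign-in event (assumed field shape)."""
    base = datetime(2025, 5, 6, 12, 0, tzinfo=timezone.utc)
    return {
        "@timestamp": base + timedelta(minutes=minutes),
        CATEGORY: category,
        USER: user,
        CODE: code,
        "event.outcome": "failure",
    }


# Constructed sample events, not real tenant logs.
SAMPLE_EVENTS = (
    # alice: 12 interactive invalid-credential failures in six minutes
    [_event(i * 0.5, "alice@example.com", "SignInLogs", "50126") for i in range(12)]
    # bob: 15 non-interactive refresh failures from a CA frequency check
    + [_event(i, "bob@example.com", "NonInteractiveUserSignInLogs", "70044") for i in range(15)]
    # bob: 3 genuine interactive failures, which still count
    + [_event(20 + i, "bob@example.com", "SignInLogs", "50126") for i in range(3)]
    # carol: 11 non-interactive failures on a disabled account, excluded
    + [_event(i, "carol@example.com", "NonInteractiveUserSignInLogs", "50057") for i in range(11)]
    # carol: one interactive 50057; same code, but interactive, so it counts
    + [_event(30, "carol@example.com", "SignInLogs", "50057")]
)


def is_counted_failure(event):
    """True if this failure should contribute to brute-force scoring."""
    if event["event.outcome"] != "failure":
        return False
    non_interactive = event[CATEGORY] == "NonInteractiveUserSignInLogs"
    if non_interactive and event[CODE] in NON_INTERACTIVE_BENIGN_CODES:
        return False
    return True


def count_failures(events):
    """Per-user count of failures that survive the exclusions."""
    counts = defaultdict(int)
    for event in events:
        if is_counted_failure(event):
            counts[event[USER]] += 1
    return dict(counts)


def flag_users(events, window=WINDOW, threshold=FAILURE_THRESHOLD):
    """Users with at least `threshold` counted failures in any sliding window."""
    per_user = defaultdict(list)
    for event in events:
        if is_counted_failure(event):
            per_user[event[USER]].append(event["@timestamp"])
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print(count_failures(SAMPLE_EVENTS))
    print(flag_users(SAMPLE_EVENTS))
```

Note that the exclusion is deliberately keyed on the log category as well as the error code: an interactive 50057 is still counted, because a stream of interactive attempts against a disabled account is exactly the kind of activity the rule exists to surface, whereas the same code on a silent token refresh is background noise.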
Terrance DeJesus
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity (#4700)
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Samirbous
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties (#4670)
2025-05-06 13:09:54 +05:30
Terrance DeJesus
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4687)
2025-05-06 12:41:57 +05:30
Terrance DeJesus
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker (#4695)
* new rule 'Microsoft Entra ID SharePoint Access for User Principal via Auth Broker'
* updated severity
* added new terms note
2025-05-05 16:45:47 -04:00
Samirbous
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User (#4694)
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal
https://github.com/elastic/ia-trade-team/issues/590
* Update non-ecs-schema.json
* Update pyproject.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* fixed investigation guide formatting; fixed unit test failure
* updated patch version
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-05-02 08:36:10 +01:00
Terrance DeJesus
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection (#4689)
* Adding new rule 'Microsoft Entra ID Protection Anonymized IP Risk Detection'
* updating description
* adding index
* updating mitre tactic mapping
* updating file name
2025-05-01 23:03:50 -04:00
Terrance DeJesus
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client (#4642)
* new rules for MSFT Oauth phishing in Azure, Entra and Microsoft 365
* changed m365 file name
* fixed duplicate tactics
* updating non-ecs for graph activity logs
* updating rules; investigation guides; formatting, linting errors
2025-05-01 22:38:41 -04:00
Samirbous
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code (#4639)
* Create initial_access_entra_login_visual_code_phish.toml
* Update non-ecs-schema.json
* Update initial_access_entra_susp_visual_code_signin.toml
* Update pyproject.toml
* Update initial_access_entra_susp_visual_code_signin.toml
* Update non-ecs-schema.json
2025-04-23 14:06:05 +01:00
Terrance DeJesus
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570)
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
2025-04-16 13:58:17 -04:00
Terrance DeJesus
1a6669e5a6
[Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562)
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'
* updated MITRE ATT&CK mappings
* updated index target
* updated patch version
* updating patch version
* bumping patch version
* updating patch version
2025-04-16 12:21:41 -04:00
Terrance DeJesus
c6e37d6910
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
* tuning Azure rule for illicit grant activity; creating new rule for M365
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
* adjusted tags
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
Terrance DeJesus
280140650a
tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00
Terrance DeJesus
2f3f4fbdef
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559)
2025-03-27 10:09:34 -04:00
Terrance DeJesus
5e12f05a36
fixing double header in investigation notes (#4490)
2025-03-25 09:08:13 -04:00