Azure AD Identity Protection Rules #4423
Summary of the Pull Request

Adds the majority of azure identity protection rules.

Detailed Description of the Pull Request / Additional Comments

We have a few additional event types that still need to be added after doing some internal validation.

Example Log Event

See https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0#riskeventtype-values for specific events

Fixed Issues

Spelling fix on anomalous_token.yml from protectection to protection.

Co-Authored-By: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>

Adding new title to not conflict with existing rule

Co-Authored-By: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Files with resolved review comments:

rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
@MarkMorow Didn't wanna commit the suggestions. Left that to you in case you have feedback.

@nasbench I tried to name them as the same names they are in the Identity Protection console for ease of use. If you think these make more sense for this community, that's fine with me.

I noticed that. I only changed the ones that were too generic to link to Azure. Since in a detection pipeline the title is one of the first things you see, having an alert such as "suspicious browser", for example, isn't indicative of much. Other than that, everything else LGTM. Thanks for the contribution 🙏