
Azure AD Identity Protection Rules #4423

Merged (4 commits), Sep 6, 2023

Conversation

MarkMorow (Contributor)

Summary of the Pull Request
Adds the majority of azure identity protection rules.

Detailed Description of the Pull Request / Additional Comments
We have a few additional event types that still need to be added after doing some internal validation.

Example Log Event
See https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0#riskeventtype-values for specific events

Fixed Issues
Spelling fix on anomalous_token.yml from protectection to protection.


MarkMorow and others added 2 commits September 3, 2023 10:02
Summary of the Pull Request
Adds the majority of azure identity protection rules.

Detailed Description of the Pull Request / Additional Comments
We have a few additional event types that still need to be added after doing some internal validation.

Example Log Event
See https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0#riskeventtype-values for specific events

Fixed Issues
Spelling fix on anomalous_token.yml from protectection to protection.

Co-Authored-By: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Adding new title to not conflict with existing rule

Co-Authored-By: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
@nasbench nasbench self-assigned this Sep 3, 2023
@nasbench nasbench self-requested a review September 3, 2023 19:22
@nasbench nasbench added Rules Cloud Pull request add/update cloud related rules labels Sep 3, 2023
@nasbench nasbench added the 2nd Review Needed PR need a second approval label Sep 3, 2023
nasbench (Member) commented Sep 4, 2023

@MarkMorow Didn't wanna commit the suggestions. Left that to you in case you have feedback.

MarkMorow (Contributor, Author)

@nasbench I tried to name them as the same names they are in the Identity Protection console for ease of use. If you think these make more sense for this community that's fine with me.

nasbench (Member) commented Sep 4, 2023

I noticed that. I only changed the ones that were too generic to link to Azure. Since in a detection pipeline the title is one of the first things you see, having an alert such as "suspicious browser", for example, isn't indicative of much.

Other than that everything else LGTM.

Thanks for the contribution 🙏
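As an added illustration, not a file from this PR, here is a Sigma rule in the shape SigmaHQ uses for these detections, with the Azure-specific title style nasbench asks for. The logsource (product/service) and the `riskEventType` field name are assumptions based on the existing Identity Protection rules and the Graph riskDetection resource linked above; the id is a placeholder.

```yaml
title: Azure AD Identity Protection - Anomalous Token Detected
id: 00000000-0000-0000-0000-000000000000   # placeholder; generate a fresh UUID before use
status: experimental
description: |
    Detects an Azure AD Identity Protection risk detection of type "anomalousToken",
    which Microsoft raises when a token shows unusual characteristics for the user.
    The title names the Azure source so the alert is meaningful on its own in a queue.
references:
    - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0#riskeventtype-values
author: example rule (not part of PR #4423)
date: 2023/09/06
logsource:
    product: azure
    service: riskdetection        # assumed: matches the Identity Protection rules already in SigmaHQ
detection:
    selection:
        riskEventType: 'anomalousToken'   # value from the Graph riskEventType list; field name assumed
    condition: selection
falsepositives:
    - Users with unusual but legitimate sign-in patterns; confirm in the Identity Protection console before acting
level: high
```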

@nasbench nasbench merged commit efe2c9b into SigmaHQ:master Sep 6, 2023
10 checks passed
@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Sep 6, 2023