diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml similarity index 89% rename from Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml rename to Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml index 54564c8b840..51cd652ce66 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml @@ -1,7 +1,7 @@ id: 3fbc20a4-04c4-464e-8fcb-6667f53e4987 -name: Brute force attack against a Cloud PC +name: Brute force attack against an Entra-authenticated Windows device description: | - 'Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.' + 'Identifies evidence of brute force activity against Windows devices authenticated via Entra ID (including Entra-joined, hybrid-joined, and Windows 365 Cloud PCs) by detecting multiple authentication failures followed by a successful authentication within a defined time window.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory @@ -66,5 +66,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddressFirst -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json index d8406fb3428..c38f199d2b6 100644 --- a/Solutions/Microsoft Entra ID/Data/Solution_AAD.json +++ b/Solutions/Microsoft Entra ID/Data/Solution_AAD.json @@ -23,7 +23,7 @@ "Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml", "Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml", "Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml", - "Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml", + "Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml", "Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml", "Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml", "Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml", diff --git a/Solutions/Microsoft Entra ID/Package/3.3.12.zip b/Solutions/Microsoft Entra ID/Package/3.3.12.zip new file mode 100644 index 00000000000..1835deaa6b3 Binary files /dev/null and b/Solutions/Microsoft Entra ID/Package/3.3.12.zip differ diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json index 6ab806b95ee..460aa685824 100644 --- a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json +++ b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json @@ -328,13 +328,13 @@ { "name": "analytic12", "type": "Microsoft.Common.Section", - "label": "Brute force attack against a Cloud PC", + "label": "Brute force attack against an Entra-authenticated Windows device", "elements": [ { "name": "analytic12-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window." + "text": "Identifies evidence of brute force activity against Windows devices authenticated via Entra ID (including Entra-joined, hybrid-joined, and Windows 365 Cloud PCs) by detecting multiple authentication failures followed by a successful authentication within a defined time window." } } ] diff --git a/Solutions/Microsoft Entra ID/Package/mainTemplate.json b/Solutions/Microsoft Entra ID/Package/mainTemplate.json index 5268753a8d2..4801ab25d35 100644 --- a/Solutions/Microsoft Entra ID/Package/mainTemplate.json +++ b/Solutions/Microsoft Entra ID/Package/mainTemplate.json @@ -65,7 +65,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Entra ID", - "_solutionVersion": "3.3.11", + "_solutionVersion": "3.3.12", "solutionId": "azuresentinel.azure-sentinel-solution-azureactivedirectory", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "AzureActiveDirectory", @@ -174,11 +174,11 @@ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06','-', '2.0.2')))]" }, "analyticRuleObject12": { - "analyticRuleVersion12": "2.0.1", + "analyticRuleVersion12": "2.0.2", "_analyticRulecontentId12": "3fbc20a4-04c4-464e-8fcb-6667f53e4987", "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3fbc20a4-04c4-464e-8fcb-6667f53e4987')]", "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3fbc20a4-04c4-464e-8fcb-6667f53e4987')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.1')))]" + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3fbc20a4-04c4-464e-8fcb-6667f53e4987','-', '2.0.2')))]" }, "analyticRuleObject13": { "analyticRuleVersion13": "1.0.7", @@ -710,7 +710,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Entra ID data connector with template version 3.3.11", + "description": "Microsoft Entra ID data connector with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1089,7 +1089,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureActiveDirectoryAuditLogs Workbook with template version 3.3.11", + "description": "AzureActiveDirectoryAuditLogs Workbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1177,7 +1177,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureActiveDirectorySignins Workbook with template version 3.3.11", + "description": "AzureActiveDirectorySignins Workbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -1265,7 +1265,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ConditionalAccessSISM Workbook with template version 3.3.11", + "description": "ConditionalAccessSISM Workbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -1365,7 +1365,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AccountCreatedandDeletedinShortTimeframe_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1550,7 +1550,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AccountCreatedDeletedByNonApprovedUser_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1696,7 +1696,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1842,7 +1842,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "ADFSSignInLogsPasswordSpray_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1946,7 +1946,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AdminPromoAfterRoleMgmtAppPermissionGrant_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2129,7 +2129,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AnomalousUserAppSigninLocationIncrease-detection_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2210,8 +2210,8 @@ "Application": "AppDisplayName" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n", - "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}" + "alertDisplayNameFormat": "Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}", + "alertDescriptionFormat": "This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an\nindividual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} \ndifferent locations.\n" } } }, @@ -2266,7 +2266,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AuthenticationMethodsChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2415,7 +2415,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AzureAADPowerShellAnomaly_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2551,7 +2551,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AzureADRoleManagementPermissionGrant_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2713,7 +2713,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AzurePortalSigninfromanotherAzureTenant_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2791,8 +2791,8 @@ } ], "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n", - "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}" + "alertDisplayNameFormat": "Azure Portal sign in by {{UserPrincipalName}} from another Azure Tenant with IP Address {{IPAddress}}", + "alertDescriptionFormat": "This query looks for successful sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\nand the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\nto pivot to other tenants leveraging cross-tenant delegated access in this manner.\nIn this instance {{UserPrincipalName}} logged in at {{FirstSeen}} from IP Address {{IPAddress}}.\n" } } }, @@ -2847,7 +2847,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Brute Force Attack against GitHub Account_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -2983,7 +2983,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BruteForceCloudPC_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "BruteForceAgainstanEntraAuthenticatedWindowsDevice_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -2997,8 +2997,8 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", - "displayName": "Brute force attack against a Cloud PC", + "description": "Identifies evidence of brute force activity against Windows devices authenticated via Entra ID (including Entra-joined, hybrid-joined, and Windows 365 Cloud PCs) by detecting multiple authentication failures followed by a successful authentication within a defined time window.", + "displayName": "Brute force attack against an Entra-authenticated Windows device", "enabled": false, "query": "let authenticationWindow = 20m;\nlet sensitivity = 2.5;\nSigninLogs\n| where AppDisplayName =~ \"Windows Sign In\"\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\"), IPAddresses = make_set(IPAddress,1000)\n by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName\n| extend FailureSuccessDiff = FailureCount - SuccessCount\n| where FailureSuccessDiff > 0\n| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit') \n| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff\n| join kind=leftouter (\n SigninLogs\n | where AppDisplayName =~ \"Windows Sign In\"\n | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n | summarize StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n IPAddresses = make_set(IPAddress,100), \n OS = make_set(OS,20), \n Browser = make_set(Browser,20), \n City = make_set(City,100), \n ResultType = make_set(ResultType,100)\n by UserDisplayName, UserPrincipalName, UserId, AppDisplayName\n ) on UserDisplayName, UserPrincipalName\n| project-away UserDisplayName1, UserPrincipalName1\n| extend IPAddressFirst = tostring(IPAddresses[0])\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n", "queryFrequency": "P1D", @@ -3098,7 +3098,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", - "displayName": "Brute force attack against a Cloud PC", + "displayName": "Brute force attack against an Entra-authenticated Windows device", "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" @@ -3113,7 +3113,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "BulkChangestoPrivilegedAccountPermissions_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3280,7 +3280,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "BypassCondAccessRule_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3418,7 +3418,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "CredentialAddedAfterAdminConsent_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -3612,7 +3612,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Cross-tenantAccessSettingsOrganizationAdded_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3764,7 +3764,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Cross-tenantAccessSettingsOrganizationDeleted_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -3916,7 +3916,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4068,7 +4068,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4220,7 +4220,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4372,7 +4372,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -4524,7 +4524,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "DisabledAccountSigninsAcrossManyApplications_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4651,7 +4651,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "DistribPassCrackAttempt_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4769,7 +4769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "ExplicitMFADeny_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -4924,7 +4924,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "ExchangeFullAccessGrantedToApp_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -5014,13 +5014,13 @@ } ], "customDetails": { + "OAuthApplication": "OAuthAppName", "OAuthAppId": "AppId", - "UserAgent": "InitiatingUserAgent", - "OAuthApplication": "OAuthAppName" + "UserAgent": "InitiatingUserAgent" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n", - "alertDisplayNameFormat": "User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}" + "alertDisplayNameFormat": "User or App {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}}", + "alertDescriptionFormat": "This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent.\nThis permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data \nby being added to a compromised application. The application granted this permission should be reviewed to ensure that it \nis absolutely necessary for the applications function.\nIn this case {{GrantInitiatedBy}} granted full_access_as_app to {{OAuthAppName}} from {{InitiatingIpAddress}}\nRef: https://learn.microsoft.com/graph/auth-limit-mailbox-access\n" } } }, @@ -5075,7 +5075,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "FailedLogonToAzurePortal_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5202,7 +5202,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5353,7 +5353,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5531,7 +5531,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "MailPermissionsAddedToApplication_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -5670,7 +5670,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "MaliciousOAuthApp_O365AttackToolkit_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -5820,7 +5820,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "MaliciousOAuthApp_PwnAuth_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -5961,7 +5961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "MFARejectedbyUser_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -6106,7 +6106,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "MFASpammingfollowedbySuccessfullogin_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6227,7 +6227,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "MultipleAdmin_membership_removals_from_NewAdmin_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", @@ -6383,7 +6383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NewOnmicrosoftDomainAdded_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -6485,8 +6485,8 @@ "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose.", - "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}" + "alertDisplayNameFormat": "{{DomainAdded}} added to tenant by {{ActionInitiatedBy}}", + "alertDescriptionFormat": "This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing accounts. Domain additions are not a common occurrence and users should validate that {{ActionInitiatedBy}} added {{DomainAdded}} with a legitimate purpose." } } }, @@ -6541,7 +6541,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", @@ -6683,7 +6683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NRT_ADFSDomainTrustMods_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", @@ -6821,7 +6821,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NRT_AuthenticationMethodsChangedforVIPUsers_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -6973,7 +6973,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "nrt_FirstAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -7111,7 +7111,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NRT_NewAppOrServicePrincipalCredential_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -7250,7 +7250,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NRT_PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", @@ -7405,7 +7405,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NRT_PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", @@ -7560,7 +7560,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "NRT_UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", @@ -7714,7 +7714,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "PIMElevationRequestRejected_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", @@ -7873,7 +7873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleSignInfromAzureBackdoor_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "PossibleSignInfromAzureBackdoor_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", @@ -7939,13 +7939,13 @@ } ], "customDetails": { - "DomainAdded": "DomainName", - "DomainAddedTime": "DomainAddedTime", - "ResourceDisplayName": "ResourceDisplayName", "AppDisplayName": "AppDisplayName", - "SignInTime": "SignInTime", "InitiatedBy": "InitiatedBy", - "ModifiedProperties": "ModifiedProperties" + "DomainAdded": "DomainName", + "SignInTime": "SignInTime", + "ResourceDisplayName": "ResourceDisplayName", + "ModifiedProperties": "ModifiedProperties", + "DomainAddedTime": "DomainAddedTime" } } }, @@ -8000,7 +8000,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "PrivilegedAccountsSigninFailureSpikes_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", @@ -8136,7 +8136,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "PrivlegedRoleAssignedOutsidePIM_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", @@ -8295,7 +8295,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "RareApplicationConsent_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", @@ -8427,7 +8427,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SeamlessSSOPasswordSpray_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", @@ -8548,7 +8548,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Sign-in Burst from Multiple Locations_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", @@ -8666,7 +8666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SigninAttemptsByIPviaDisabledAccounts_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", @@ -8784,7 +8784,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SigninBruteForce-AzurePortal_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", @@ -8920,7 +8920,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SigninPasswordSpray_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]", @@ -9030,7 +9030,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SuccessThenFail_DiffIP_SameUserandApp_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]", @@ -9180,7 +9180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SuspiciousAADJoinedDeviceUpdate_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]", @@ -9294,8 +9294,8 @@ } ], "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n", - "alertDisplayNameFormat": "Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed" + "alertDisplayNameFormat": "Suspicious Entra ID Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed", + "alertDescriptionFormat": "This query looks for suspicious updates to an Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n" } } }, @@ -9350,7 +9350,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SuspiciousOAuthApp_OfflineAccess_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]", @@ -9489,7 +9489,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SuspiciousServicePrincipalcreationactivity_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]", @@ -9640,7 +9640,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "SuspiciousSignInFollowedByMFAModification_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject58').analyticRuleVersion58]", @@ -9768,8 +9768,8 @@ "aggregationKind": "AlertPerResult" }, "alertDetailsOverride": { - "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n", - "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}" + "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}", + "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n" } } }, @@ -9824,7 +9824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "UnusualGuestActivity_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject59').analyticRuleVersion59]", @@ -9995,7 +9995,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "UserAccounts-CABlockedSigninSpikes_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject60').analyticRuleVersion60]", @@ -10137,7 +10137,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "UseraddedtoPrivilgedGroups_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject61').analyticRuleVersion61]", @@ -10295,7 +10295,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "UserAssignedNewPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject62').analyticRuleVersion62]", @@ -10454,7 +10454,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "UserAssignedPrivilegedRole_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject63').analyticRuleVersion63]", @@ -10613,7 +10613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureRBAC_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "AzureRBAC_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject64').analyticRuleVersion64]", @@ -10679,10 +10679,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT5H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -10738,7 +10738,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access Device platforms condition has changed (the Device platforms condition can be spoofed)_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject65').analyticRuleVersion65]", @@ -10802,10 +10802,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -10861,7 +10861,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access app exclusion has changed_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access app exclusion has changed_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject66').analyticRuleVersion66]", @@ -10922,10 +10922,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -10981,7 +10981,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access policy was deleted_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access policy was deleted_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject67').analyticRuleVersion67]", @@ -11045,10 +11045,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11104,7 +11104,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access policy was disabled_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access policy was disabled_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject68').analyticRuleVersion68]", @@ -11168,10 +11168,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11227,7 +11227,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access policy was put into report-only mode_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access policy was put into report-only mode_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject69').analyticRuleVersion69]", @@ -11291,10 +11291,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT5M", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11350,7 +11350,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access policy was updated_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access policy was updated_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject70').analyticRuleVersion70]", @@ -11411,10 +11411,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11470,7 +11470,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A Conditional Access usergrouprole exclusion has changed_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A Conditional Access usergrouprole exclusion has changed_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject71').analyticRuleVersion71]", @@ -11534,10 +11534,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11593,7 +11593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - A new Conditional Access policy was created_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - A new Conditional Access policy was created_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject72').analyticRuleVersion72]", @@ -11657,10 +11657,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT1H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11716,7 +11716,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Conditional Access - Dynamic Group Exclusion Changes_AnalyticalRules Analytics Rule with template version 3.3.11", + "description": "Conditional Access - Dynamic Group Exclusion Changes_AnalyticalRules Analytics Rule with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject73').analyticRuleVersion73]", @@ -11777,10 +11777,10 @@ "incidentConfiguration": { "createIncident": true, "groupingConfiguration": { + "enabled": false, "reopenClosedIncident": false, - "matchingMethod": "AllEntities", "lookbackDuration": "PT5H", - "enabled": false + "matchingMethod": "AllEntities" } } } @@ -11836,7 +11836,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-EntraIDUser-Alert Playbook with template version 3.3.11", + "description": "Block-EntraIDUser-Alert Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -12280,7 +12280,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-EntraIDUser-Incident Playbook with template version 3.3.11", + "description": "Block-EntraIDUser-Incident Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -12706,7 +12706,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Alert Playbook with template version 3.3.11", + "description": "Prompt-User-Alert Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -13142,7 +13142,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Prompt-User-Incident Playbook with template version 3.3.11", + "description": "Prompt-User-Incident Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -13561,7 +13561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-EntraIDPassword-AlertTrigger Playbook with template version 3.3.11", + "description": "Reset-EntraIDPassword-AlertTrigger Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -13962,7 +13962,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-EntraIDPassword-IncidentTrigger Playbook with template version 3.3.11", + "description": "Reset-EntraIDPassword-IncidentTrigger Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", @@ -14346,7 +14346,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Block-EntraIDUser-EntityTrigger Playbook with template version 3.3.11", + "description": "Block-EntraIDUser-EntityTrigger Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -14808,7 +14808,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Reset-EntraIDUserPassword-EntityTrigger Playbook with template version 3.3.11", + "description": "Reset-EntraIDUserPassword-EntityTrigger Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -15214,7 +15214,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-EntraIDSignInSessions-alert Playbook with template version 3.3.11", + "description": "Revoke-EntraIDSignInSessions-alert Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", @@ -15547,7 +15547,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-EntraIDSignInSessions-incident Playbook with template version 3.3.11", + "description": "Revoke-EntraIDSignInSessions-incident Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", @@ -15858,7 +15858,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Revoke-EntraIDSignIn-Session-entityTrigger Playbook with template version 3.3.11", + "description": "Revoke-EntraIDSignIn-Session-entityTrigger Playbook with template version 3.3.12", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", @@ -16092,7 +16092,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.3.11", + "version": "3.3.12", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Entra ID", @@ -16565,7 +16565,7 @@ { "kind": "Watchlist", "contentId": "[variables('_ConditionalAccessBenignStatusCodes')]", - "version": "3.3.11" + "version": "3.3.12" } ] }, diff --git a/Solutions/Microsoft Entra ID/ReleaseNotes.md b/Solutions/Microsoft Entra ID/ReleaseNotes.md index c34f2fa7979..8003e7aa5c9 100644 --- a/Solutions/Microsoft Entra ID/ReleaseNotes.md +++ b/Solutions/Microsoft Entra ID/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | ----------- | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| 3.3.12 | 28-04-2026 | Renamed analytic rule from **BruteForceCloudPC** to **BruteForceAgainstEntraAuthenticatedWindowsDevice** and updated name and description in **Analytic Rule** to reflect detection scope across all Entra-authenticated Windows devices (including Entra-joined, hybrid-joined, and Windows 365 Cloud PCs), resolving ambiguity around Cloud PC specificity | | 3.3.11 | 13-04-2026 | Added **Watchlist** ConditionalAccessBenignStatusCodes and updated **BypassCondAccessRule** analytic rule | | 3.3.10 | 12-04-2026 | Updated **AccountCreatedandDeletedinShortTimeframe** analytic rule to extend query period to 7 days, normalize UPN parsing, and use immutable UserId for improved detection accuracy and evasion resistance | | 3.3.9 | 23-02-2026 | Updated **Block-AADUser Incident** trigger to fix the permissions for disable user block |