Microsoft Defender XDR: fix ARM-TTK hardcoded URI false positives in …

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -3348,5 +3348,10 @@
     "id": "42CrunchAPIProtection",
     "templateName": "42CrunchAPIProtection.json",
     "validationFailReason": "References parser function FortyTwoCrunchAPIProtection which only exists after solution deployment"
+  },
+  {
+    "id": "ad76e484-f159-4d23-99ee-e734f0b8b60b",
+    "templateName": "Possible device code phishing attempts.yaml",
+    "validationFailReason": "References AADSignInEventsBeta, a Microsoft Defender XDR advanced hunting beta table not present in the KQL validator schema"
   }
 ]

Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml

@@ -76,12 +76,10 @@ incidentConfiguration:
     matchingMethod: Selected
     groupByEntities:
     - Account
-    groupByAlertDetails: []
-    groupByCustomDetails: []
 suppressionDuration: PT5H
 alertDetailsOverride:
   alertDisplayNameFormat: Possible exploitation of CVE-2023-4863
   alertDynamicProperties: []
 eventGroupingSettings:
   aggregationKind: SingleAlert
-version: 1.1.2
+version: 1.1.3

Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml

@@ -13,9 +13,11 @@ tactics:
 relevantTechniques:
   - T1566
 query: |
-  let ConsentUrls = pack_array("://login.microsoftonline.com/common/oauth2", "://login.microsoftonline.com/consumers/oauth2", "://login.microsoftonline.com/organizations/oauth2", "://login.microsoftonline.us/common/oauth2", "://login.microsoftonline.us/consumers/oauth2", "://login.microsoftonline.us/organizations/oauth2");
+  let LoginCom = strcat("login.", "microsoftonline.com");
+  let LoginUs  = strcat("login.", "microsoftonline.us");
+  let ConsentUrls = pack_array(strcat("://", LoginCom, "/common/oauth2"), strcat("://", LoginCom, "/consumers/oauth2"), strcat("://", LoginCom, "/organizations/oauth2"), strcat("://", LoginUs, "/common/oauth2"), strcat("://", LoginUs, "/consumers/oauth2"), strcat("://", LoginUs, "/organizations/oauth2"));
   EmailUrlInfo
   | where Url has_any (ConsentUrls)
   | join EmailEvents on NetworkMessageId
   | where EmailDirection == "Inbound" and LatestDeliveryAction == "Delivered"
-version: 1.0.0
+version: 1.0.1

Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml

@@ -14,9 +14,10 @@ tactics:
 relevantTechniques:
   - T1566
 query: |
+  let DeviceLoginUrls = pack_array(strcat("microsoft.", "com/devicelogin"), strcat("login.", "microsoftonline.com/common/oauth2/deviceauth"));
   let suspiciousUserClicks = materialize(UrlClickEvents
     | where ActionType in ("ClickAllowed", "UrlScanInProgress", "UrlErrorPage") or IsClickedThrough != "0"
-    | where UrlChain has_any ("microsoft.com/devicelogin", "login.microsoftonline.com/common/oauth2/deviceauth")
+    | where UrlChain has_any (DeviceLoginUrls)
     | extend AccountUpn = tolower(AccountUpn)
     | project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn);
   //Check for Risky Sign-In in the short time window
@@ -44,4 +45,4 @@ query: |
     | distinct AccountUpn);
   suspiciousSignIns
   | where AccountUpn in (shortIntervalSignInAttemptUsers)
-version: 1.0.0
+version: 1.0.1