Changes
- Added join kind
- Streamlined usage of parse_json
This commit is contained in:
rahul0216 2023-04-26 12:11:37 +05:30
Родитель 0599f87845
Коммит 3229588fc1
2 изменённых файлов: 9 добавлений и 6 удалений


@ -24,17 +24,20 @@ query: |
(union isfuzzy=true
(AuditLogs
| where OperationName =~ "Disable Strong Authentication"
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)),
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))
| extend _parsedIntiatedByUser = parse_json(tostring(InitiatedBy.user))
| extend _parsedIntiatedByApp = parse_json(tostring(InitiatedBy.app))
| extend IPAddress = tostring(_parsedIntiatedByUser.ipAddress)
| extend InitiatedByUser = iff(isnotempty(tostring(_parsedIntiatedByUser.userPrincipalName)),
tostring(_parsedIntiatedByUser.userPrincipalName), tostring(_parsedIntiatedByApp.displayName))
| extend Targetprop = todynamic(TargetResources)
| extend TargetUser = tostring(Targetprop[0].userPrincipalName)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type
),
(AWSCloudTrail
| where EventName in~ ("DeactivateMFADevice", "DeleteVirtualMFADevice")
| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)
| extend TargetUser = tostring(parse_json(RequestParameters).userName)
| extend _parsedRequestParameters = parse_json(RequestParameters)
| extend InstanceProfileName = tostring(_parsedRequestParameters.InstanceProfileName)
| extend TargetUser = tostring(_parsedRequestParameters.userName)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress
)
)
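Review bot: The new helper columns in the AuditLogs branch are misspelled — `_parsedIntiatedByUser` and `_parsedIntiatedByApp` drop the second "i" of "Initiated" — and because the three following `extend` lines reference them the typo is now baked into five lines of the rule; renaming to `_parsedInitiatedByUser` / `_parsedInitiatedByApp` before it is copied into sibling rules is cheap. If `InitiatedBy` is already a dynamic column in this workspace's AuditLogs schema (it is in the standard one), the `parse_json(tostring(...))` round-trip adds nothing and `| extend _parsedInitiatedByUser = InitiatedBy.user` does the same work — worth confirming against the schema actually ingested rather than assuming. The `summarize ... by InitiatedByUser, IPAddress` that follows groups on these extracted values, so an empty extraction silently becomes an empty group key instead of a visible parse failure; a one-line comment such as `// InitiatedByUser falls back to the app displayName for service-principal-driven disables; empty means neither was present` would help whoever tunes this later.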


@ -45,7 +45,7 @@ query: |
| order by TimeGenerated
| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId
| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has "Invite external user"), redeem=(OperationName has "Redeem external user invite"), Target)
| join (
| join kind=innerunique (
AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in~ ("Assign", "AssignEligibleRole")
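Review bot: `kind=innerunique` on the join line deduplicates the left side — here the `sequence_detect` output from the preceding line — on the join key before matching, keeping one arbitrary row per key; for a detection correlating external-user invites with later role assignments, a Target that shows up in more than one invite/redeem sequence would then produce only one correlated row, and which one is not deterministic. If every matching sequence should reach the alert, `| join kind=inner (` is the kind to use; if the dedup is deliberate (it was already the implicit default before this change), a short comment such as `// innerunique: one row per Target is enough to raise the incident` would keep the next reader from "fixing" it. The join's `on` clause and the remainder of the query are outside this hunk, so the actual join key cannot be confirmed here.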