From 56a4aa613568189b4ed30bfcbd2e84bc82b4527d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jose=20Sebasti=C3=A1n=20Can=C3=B3s?=
Date: Wed, 10 Nov 2021 14:52:27 +0100
Subject: [PATCH] =?UTF-8?q?Update=20Azure=20IP=20Ranges=20and=20Service=20?= =?UTF-8?q?Tags=20=E2=80=93=20Public=20Cloud=20Link?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml b/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml
index 2dd0d779f3..dd907a1c8a 100644
--- a/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml
+++ b/Detections/SigninLogs/AzurePortalSigninfromanotherAzureTenant.yaml
@@ -19,8 +19,9 @@ relevantTechniques:
 - T1199
 query: |
 // Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)
+ // You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519
 let azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)
- ["https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211018.json"]
+ ["https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json"]
 with(format='multijson')
 | mv-expand values
 | mv-expand values.properties.addressPrefixes
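Review bot: The `externaldata` URL on the new `+` line is still a dated snapshot (`ServiceTags_Public_20211108.json`), so the rule's view of Azure address space is frozen at that date and must be hand-edited again for every later publication; prefixes published afterwards are absent from `azure_ranges`, and any match that relies on the list presumably misses them until this commit is repeated. The added comment tells a maintainer where to find the new file name but not what is at stake, so I would extend it to something like `// Coverage depends on this file: if it is stale or no longer downloadable, sign-ins from newer Azure prefixes are not matched or the query may fail.` Longer term, consider feeding the ranges from a source refreshed on a schedule (for example a Sentinel watchlist maintained by automation) rather than a URL embedded in the rule. The query continues past the end of this hunk, so how `azure_ranges` is consumed is not visible here.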