Merge pull request #821 from Azure/missingconnectorId-fixes

Missing connector id, datatypes and yaml file extension fixes
Shain 2020-07-08 11:55:26 -07:00, committed by GitHub
Parents 387c2da8ab 38ea246273
Commit 5f81630a98
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
12 changed files: 36 additions and 0 deletions

@ -2,6 +2,10 @@ id: 89e6adbd-612c-4fbe-bc3d-32f81baf3b6c
name: Azure DevOps Administrator Group Monitoring
description: |
'This detection monitors for additions to project or project collection administration groups in an Azure DevOps Organization.'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
severity: High
queryFrequency: 2h
queryPeriod: 4h
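Review bot: in the added requiredDataConnectors block, `dataTypes:` renders at the same level as `- connectorId: AzureMonitor`; confirm in the raw YAML that `dataTypes` is indented under the connector list item, because a `dataTypes` key that is a sibling of the list rather than a child of the item is not attached to any connector and will fail template validation. The AzureMonitor / AzureDevOpsAuditing pairing itself is consistent with the other DevOps files in this PR.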

@ -2,6 +2,10 @@ id: 4d8de9e6-263e-4845-8618-cd23a4f58b70
name: Azure DevOps Pull Request Policy Bypassing - Historic Allowlist
description: |
'This detection builds a Allowlist of historic PR policy bypasses and compares to recent history, flagging a non manually allowlisted, non historic pull request bypass.'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
severity: Medium
queryFrequency: 2h
queryPeriod: 14d
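Review bot: the description reads "builds a Allowlist" and "non manually allowlisted, non historic"; suggest "builds an allowlist" and "non-manually-allowlisted, non-historic", with a lowercase "allowlist" to match the service connection rule touched in this same PR.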

@ -3,6 +3,10 @@ name: Azure DevOps Service Conection Addition/Abuse - Historic Allowlist
description: |
'This detection builds a allowlist of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use in non manually allowlisted, non historically allowlisted Build/Release runs.
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
severity: High
queryFrequency: 2h
queryPeriod: 14d
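Review bot: the rule name in the hunk context still reads "Service Conection Addition/Abuse" and the description "builds a allowlist"; since this PR already edits the file, fix "Conection" to "Connection" (the name is what analysts see in the rule gallery) and "a allowlist" to "an allowlist".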

@ -5,6 +5,10 @@ description: |
Use this query for baselining:
AzureDevOpsAuditing
| distinct OperationName'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
severity: High
queryFrequency: 1h
queryPeriod: 3h
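Review bot: the description ends with `| distinct OperationName'`, so the whole text sits inside single quotes under a `description: |` literal block and the quotes become part of the rendered description. The other files in this PR use the same pattern; either drop the quotes or drop the `|` indicator, but do it consistently across the set.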

@ -3,6 +3,10 @@ name: Azure DevOps Service Conection Abuse
description: |
'This detection flags builds/releases that use a large number of service connections if they aren't manually allowlisted.
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
severity: High
queryFrequency: 2h
queryPeriod: 14d
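Review bot: same typo as the Historic Allowlist rule, the name in the hunk context reads "Service Conection Abuse" and should be "Service Connection Abuse". The added connector block matches the other DevOps rules in the PR.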

@ -4,6 +4,10 @@ description: |
'The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration or management tasks.
Scripts could be downloaded from external links, Azure storage, GitHub, or provided to the Azure portal at extension run time. This could also be used maliciously by an attacker.
The query tries to identify rare custom script extensions that have been executed in your envioenment'
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
tactics:
- Execution
relevantTechniques:
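Review bot: "envioenment" in the last description line should be "environment", and that sentence has no terminating period before the closing quote. The AzureActivity connectorId with the AzureActivity dataType is the right pairing for a query over the Activity log, so the metadata itself looks correct.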

@ -2,6 +2,10 @@ id: cf0c493b-a8af-4b32-8c7e-d4303f3a406f
name: Azure DevOps Display Name Changes
description: |
'Description: Shows all users with more than 1 display name in recent history. This is to hunt for users maliciously changing their display name as a masquerading technique'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
tactics:
- Evasion
- PrivilegeEscalation
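Review bot: `- Evasion` under `tactics` is not a value the Sentinel template schema accepts; the ATT&CK tactic is `DefenseEvasion`, in the same form as the `PrivilegeEscalation` entry on the next line. The description also starts with a literal "Description:" prefix that duplicates the key name; drop it.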

@ -2,6 +2,10 @@ id: df205daf-fcf3-4b95-a7fd-043b70f6c209
name: Azure DevOps Pull Request Policy Bypassing
description: |
'Description: Looks for users bypassing Update Policies in repos'
requiredDataConnectors:
- connectorId: AzureMonitor
dataTypes:
- AzureDevOpsAuditing
tactics:
- Execution
relevantTechniques:
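Review bot: as in the Display Name Changes hunk, the description begins with a redundant "Description:" prefix; suggest "Looks for users bypassing update policies in repos". Is `Execution` the intended tactic for a policy bypass? DefenseEvasion seems a closer fit, worth a second look since `relevantTechniques` follows and should agree with it.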

@ -2,6 +2,10 @@ id: 75fd68a2-9ed4-4a1c-8bd7-18efe4c99081
name: Login attempt by Blocked MFA user
description: |
'An account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Azure AD.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
tactics:
- InitialAccess
relevantTechniques:
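Review bot: "a MFA user account" should be "an MFA user account", and "tries to login" should be "tries to log in". The AzureActiveDirectory connectorId with the SigninLogs dataType is the correct pairing for this query.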