
AzureAD Updated Detections #2729

Merged
merged 110 commits into from
Aug 18, 2023

Conversation

mvelazc0
Contributor

@mvelazc0 mvelazc0 commented Jun 16, 2023

Details

This PR updates 25 Azure AD detections to use the latest schema provided by the Splunk Add-on for Microsoft Cloud Services in its latest versions.

Updated Detections

  • Azure AD Global Administrator Role Assigned
  • Azure AD Multiple Users Failing To Authenticate From Ip
  • Azure AD Service Principal Owner Added
  • Azure AD Unusual Number of Failed Authentications From Ip
  • Azure AD Service Principal Created
  • Azure AD Privileged Role Assigned
  • Azure AD Privileged Authentication Administrator Role Assigned
  • Azure AD Application Administrator Role Assigned
  • Azure AD Multi-Factor Authentication Disabled
  • Azure AD External Guest User Invited
  • Azure AD User Enabled And Password Reset
  • Azure AD Service Principal New Client Credentials
  • Azure AD New Federated Domain Added
  • Azure AD New Custom Domain Added
  • Azure AD Successful Single-Factor Authentication
  • Azure AD Authentication Failed During MFA Challenge
  • Azure AD Successful PowerShell Authentication
  • Azure AD Multiple Failed MFA Requests For User
  • Azure AD User ImmutableId Attribute Updated
  • Azure Active Directory High Risk Sign-in

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

@mvelazc0 mvelazc0 added the WIP DO NOT MERGE Work in Progress label Jun 21, 2023
@patel-bhavin patel-bhavin merged commit 59d4918 into develop Aug 18, 2023
25 checks passed
@delete-merged-branch delete-merged-branch bot deleted the TR-3196_AzureAD branch August 18, 2023 20:27