Merge pull request #9461 from tduarte14/patch-5

Add new entities for the Security Group
Azure · Nov 28, 2023 · e6d9703 · e6d9703
2 parents 05ebeaa + 9130021
commit e6d9703
Show file tree

Hide file tree

Showing 5 changed files with 112 additions and 92 deletions.
diff --git a/...osoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml b/...osoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
@@ -63,5 +63,11 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: InitiatedByIPAdress
-version: 1.0.4
+  - entityType: SecurityGroup
+    fieldMappings:
+      - identifier: DistinguishedName
+        columnName: AADGroup
+      - identifier: ObjectGuid
+        columnName: AADGroupId
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.9.zip b/Solutions/Microsoft Entra ID/Package/3.0.9.zip
diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json
@@ -880,7 +880,7 @@
                 "name": "analytic52-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
+                  "text": "Identifies evidence of password spray activity against Microsoft Entra ID applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 1 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes."
                 }
               }
             ]