Merge pull request #9374 from Azure/origins/users/rahul/aad-rulefix

Update NRT_PIMElevationRequestRejected.yaml
Azure · Nov 13, 2023 · e74e14f · e74e14f
2 parents 6a668c9 + 0d5e686
commit e74e14f
Show file tree

Hide file tree

Showing 5 changed files with 9,034 additions and 9,452 deletions.
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml
@@ -17,8 +17,7 @@ tags:
   - AADSecOpsGuide
 query: |
   AuditLogs
-  | where ActivityDisplayName =~'Add member to role completed (PIM activation)'
-  | where Result =~ "failure"
+  | where ActivityDisplayName =~ 'Add member to role request denied (PIM activation)'
   | mv-apply ResourceItem = TargetResources on 
     (
         where ResourceItem.type =~ "Role"
@@ -51,5 +50,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: InitiatingIpAddress
-version: 1.0.1
+version: 1.0.2
 kind: NRT
diff --git a/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json b/Solutions/Microsoft Entra ID/Data/system_generated_metadata.json
@@ -1,13 +1,13 @@
 {
   "Name": "Microsoft Entra ID",
   "Author": "Microsoft - support@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">",
   "Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
   "BasePath": "C:\\GitHub\\Azure-Sentinel",
+  "Version": "3.0.7",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true,
-  "Version": "3.0.7",
   "publisherId": "azuresentinel",
   "offerId": "azure-sentinel-solution-azureactivedirectory",
   "providers": [
@@ -41,5 +41,5 @@
     "Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json"
   ],
   "Workbooks": "[\n  \"AzureActiveDirectoryAuditLogs.json\",\n  \"AzureActiveDirectorySignins.json\"\n]",
-  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\",\n  \"SuspiciousSignInFollowedByMFAModification.yaml\"\n]"
+  "Analytic Rules": "[\n  \"AccountCreatedandDeletedinShortTimeframe.yaml\",\n  \"AccountCreatedDeletedByNonApprovedUser.yaml\",\n  \"ADFSDomainTrustMods.yaml\",\n  \"ADFSSignInLogsPasswordSpray.yaml\",\n  \"AdminPromoAfterRoleMgmtAppPermissionGrant.yaml\",\n  \"AnomalousUserAppSigninLocationIncrease-detection.yaml\",\n  \"AuthenticationMethodsChangedforPrivilegedAccount.yaml\",\n  \"AzureAADPowerShellAnomaly.yaml\",\n  \"AzureADRoleManagementPermissionGrant.yaml\",\n  \"AzurePortalSigninfromanotherAzureTenant.yaml\",\n  \"Brute Force Attack against GitHub Account.yaml\",\n  \"BruteForceCloudPC.yaml\",\n  \"BulkChangestoPrivilegedAccountPermissions.yaml\",\n  \"BypassCondAccessRule.yaml\",\n  \"CredentialAddedAfterAdminConsent.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationAdded.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationDeleted.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml\",\n  \"Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml\",\n  \"DisabledAccountSigninsAcrossManyApplications.yaml\",\n  \"DistribPassCrackAttempt.yaml\",\n  \"ExplicitMFADeny.yaml\",\n  \"ExchangeFullAccessGrantedToApp.yaml\",\n  \"FailedLogonToAzurePortal.yaml\",\n  \"FirstAppOrServicePrincipalCredential.yaml\",\n  \"GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml\",\n  \"MailPermissionsAddedToApplication.yaml\",\n  \"MaliciousOAuthApp_O365AttackToolkit.yaml\",\n  \"MaliciousOAuthApp_PwnAuth.yaml\",\n  \"MFARejectedbyUser.yaml\",\n  \"MFASpammingfollowedbySuccessfullogin.yaml\",\n  \"MultipleAdmin_membership_removals_from_NewAdmin.yaml\",\n  \"NewOnmicrosoftDomainAdded.yaml\",\n  \"NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_ADFSDomainTrustMods.yaml\",\n  \"NRT_AuthenticationMethodsChangedforVIPUsers.yaml\",\n  \"nrt_FirstAppOrServicePrincipalCredential.yaml\",\n  \"NRT_NewAppOrServicePrincipalCredential.yaml\",\n  \"NRT_PIMElevationRequestRejected.yaml\",\n  \"NRT_PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"NRT_UseraddedtoPrivilgedGroups.yaml\",\n  \"PIMElevationRequestRejected.yaml\",\n  \"PrivilegedAccountsSigninFailureSpikes.yaml\",\n  \"PrivlegedRoleAssignedOutsidePIM.yaml\",\n  \"RareApplicationConsent.yaml\",\n  \"SeamlessSSOPasswordSpray.yaml\",\n  \"Sign-in Burst from Multiple Locations.yaml\",\n  \"SigninAttemptsByIPviaDisabledAccounts.yaml\",\n  \"SigninBruteForce-AzurePortal.yaml\",\n  \"SigninPasswordSpray.yaml\",\n  \"SuccessThenFail_DiffIP_SameUserandApp.yaml\",\n  \"SuspiciousAADJoinedDeviceUpdate.yaml\",\n  \"SuspiciousOAuthApp_OfflineAccess.yaml\",\n  \"SuspiciousServicePrincipalcreationactivity.yaml\",\n  \"SuspiciousSignInFollowedByMFAModification.yaml\",\n  \"UnusualGuestActivity.yaml\",\n  \"UserAccounts-CABlockedSigninSpikes.yaml\",\n  \"UseraddedtoPrivilgedGroups.yaml\",\n  \"UserAssignedNewPrivilegedRole.yaml\",\n  \"UserAssignedPrivilegedRole.yaml\"\n]"
 }
diff --git a/Solutions/Microsoft Entra ID/Package/3.0.7.zip b/Solutions/Microsoft Entra ID/Package/3.0.7.zip
diff --git a/Solutions/Microsoft Entra ID/Package/createUiDefinition.json b/Solutions/Microsoft Entra ID/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Workbooks:** 2, **Analytic Rules:** 62, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Microsoft Entra ID. You can get Microsoft Entra ID custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",