Azure · v-atulyadav · Nov 8, 2023 · Oct 19, 2023 · Oct 20, 2023 · Oct 25, 2023
@@ -2,7 +2,7 @@
   "Name": "Business Email Compromise - Financial Fraud",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
-  "Description": "[Business Email Compromise (BEC)](https://www.microsoft.com/en-in/security/business/security-101/what-is-business-email-compromise-bec?rtc=1) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using these to hijack legitimate transactions. This solution, in combination with other solutions listed below, provide a range of content to help detect and investigate BEC attacks at different stages of the attack cycle, and across multiple data sources including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.\n\nThis content covers all stages of the attack chain from an initial phishing attack vector, establishing persistence to an environment, locating and collecting sensitive financial information from data stores, and then perpetrating and hiding their fraud. This range of content complements the coverage [Microsoft 365 Defender provides across Microsoft Defender products](https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption).\n\nIn order to gain the most comprehensive coverage possible customers should deploy the content included in this solution as well as content from the following solutions:<ul>\n\n<li> Azure Active Directory solution for Sentinel\n\n</li><li>Microsoft 365 solution for Sentinel\n\n</li><li>Amazon Web Services\n\n</li><li>Microsoft 365 Defender\n\n</li><li>Okta Single Sign On\n\n</li></ul>",
+  "Description": "[Business Email Compromise (BEC)](https://www.microsoft.com/en-in/security/business/security-101/what-is-business-email-compromise-bec?rtc=1) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using these to hijack legitimate transactions. This solution, in combination with other solutions listed below, provide a range of content to help detect and investigate BEC attacks at different stages of the attack cycle, and across multiple data sources including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.\n\nThis content covers all stages of the attack chain from an initial phishing attack vector, establishing persistence to an environment, locating and collecting sensitive financial information from data stores, and then perpetrating and hiding their fraud. This range of content complements the coverage [Microsoft Defender XDR provides across Microsoft Defender products](https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption).\n\nIn order to gain the most comprehensive coverage possible customers should deploy the content included in this solution as well as content from the following solutions:<ul>\n\n<li> Microsoft Entra ID solution for Sentinel\n\n</li><li>Microsoft 365 solution for Sentinel\n\n</li><li>Amazon Web Services\n\n</li><li>Microsoft Defender XDR\n\n</li><li>Okta Single Sign On\n\n</li></ul>",
   "Analytic Rules": [
     "Analytic Rules/AccountElevatedtoNewRole.yaml",
     "Analytic Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml",

@@ -1,9 +1,9 @@
 id: 41fa6e2d-afe9-4398-9356-cec3a927e44e
-name: Azure Active Directory signins from new locations
+name: Microsoft Entra ID signins from new locations
 description: |
     'This query identifies new Azure AD sign-in locations compared to historical data, potentially indicating password spraying or brute force attacks. It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.'
 description_detailed: |
-  'New Azure Active Directory signin locations today versus historical Azure Active Directory signin data.
+  'New Microsoft Entra ID signin locations today versus historical Microsoft Entra ID signin data.
   In the case of password spraying or brute force attacks one might see authentication attempts for many
   accounts from a new location. This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics
   for contextual information around the results.'

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Business Email Compromise (BEC)](https://www.microsoft.com/en-in/security/business/security-101/what-is-business-email-compromise-bec?rtc=1) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using these to hijack legitimate transactions. This solution, in combination with other solutions listed below, provide a range of content to help detect and investigate BEC attacks at different stages of the attack cycle, and across multiple data sources including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.\n\nThis content covers all stages of the attack chain from an initial phishing attack vector, establishing persistence to an environment, locating and collecting sensitive financial information from data stores, and then perpetrating and hiding their fraud. This range of content complements the coverage [Microsoft 365 Defender provides across Microsoft Defender products](https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption).\n\nIn order to gain the most comprehensive coverage possible customers should deploy the content included in this solution as well as content from the following solutions:<ul>\n\n<li> Azure Active Directory solution for Microsoft Sentinel\n\n</li><li>Microsoft 365 solution for Microsoft Sentinel\n\n</li><li>Amazon Web Services\n\n</li><li>Microsoft 365 Defender\n\n</li><li>Okta Single Sign On\n\n</li></ul>\n\n**Analytic Rules:** 7, **Hunting Queries:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Business Email Compromise (BEC)](https://www.microsoft.com/en-in/security/business/security-101/what-is-business-email-compromise-bec?rtc=1) attacks often aim to commit financial fraud by locating sensitive payment or invoice details and using these to hijack legitimate transactions. This solution, in combination with other solutions listed below, provide a range of content to help detect and investigate BEC attacks at different stages of the attack cycle, and across multiple data sources including AWS, SAP, Okta, Dynamics 365, Microsoft Entra ID, Microsoft 365 and network logs.\n\nThis content covers all stages of the attack chain from an initial phishing attack vector, establishing persistence to an environment, locating and collecting sensitive financial information from data stores, and then perpetrating and hiding their fraud. This range of content complements the coverage [Microsoft Defender XDR provides across Microsoft Defender products](https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption).\n\nIn order to gain the most comprehensive coverage possible customers should deploy the content included in this solution as well as content from the following solutions:<ul>\n\n<li> Microsoft Entra ID solution for Microsoft Sentinel\n\n</li><li>Microsoft 365 solution for Microsoft Sentinel\n\n</li><li>Amazon Web Services\n\n</li><li>Microsoft Defender XDR\n\n</li><li>Okta Single Sign On\n\n</li></ul>\n\n**Analytic Rules:** 7, **Hunting Queries:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -258,7 +258,7 @@
           {
             "name": "huntingquery5",
             "type": "Microsoft.Common.Section",
-            "label": "Azure Active Directory signins from new locations",
+            "label": "Microsoft Entra ID signins from new locations",
             "elements": [
               {
                 "name": "huntingquery5-text",
@@ -390,4 +390,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-}
+}