[Rule Tuning] Azure Active Directory High Risk Sign-in => Also alert on failed #3585

Closed
@willem-dhaese

"Azure Active Directory High Risk Sign-in"

We noticed it's important to also alert on failed outcomes. Customers who don't want failed outcomes can exclude them with an exception.

Link to rule

https://www.elastic.co/guide/en/security/current/azure-active-directory-high-risk-sign-in.html

Description

Current query:

event.dataset:azure.signinlogs and
  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and
  event.outcome:(success or Success)

Change to:

event.dataset:azure.signinlogs and
  (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high)
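To show what the proposed change does in practice, here is an added example (not part of the issue or of the Elastic rule itself) that evaluates both versions of the query in Python over constructed sign-in events and then applies the kind of exception the issue suggests for failed outcomes. The events, user names and the `with_exception` helper are assumptions made up for this illustration.

```python
"""Compare the current and proposed "Azure Active Directory High Risk
Sign-in" queries on sample azure.signinlogs events (constructed data)."""

HIGH_RISK_FIELDS = (
    "azure.signinlogs.properties.risk_level_during_signin",
    "azure.signinlogs.properties.risk_level_aggregated",
)

def high_risk(ev: dict) -> bool:
    # Clause shared by both queries: dataset is azure.signinlogs and
    # either risk field is "high".
    return ev.get("event.dataset") == "azure.signinlogs" and any(
        ev.get(field) == "high" for field in HIGH_RISK_FIELDS)

def current_rule(ev: dict) -> bool:
    # Current query also requires event.outcome:(success or Success),
    # so a failed high-risk sign-in never alerts.
    return high_risk(ev) and ev.get("event.outcome") in ("success", "Success")

def proposed_rule(ev: dict) -> bool:
    # Proposed query drops the outcome clause: failed attempts alert too.
    return high_risk(ev)

def with_exception(rule, excluded_outcomes):
    # Hypothetical rule exception: customers who don't want failed
    # outcomes exclude those outcome values after the rule matches.
    def wrapped(ev: dict) -> bool:
        return rule(ev) and ev.get("event.outcome") not in excluded_outcomes
    return wrapped

# Constructed sample events with flattened ECS field names, not real logs.
SAMPLE_EVENTS = [
    {"event.dataset": "azure.signinlogs", "event.outcome": "success",
     "azure.signinlogs.properties.risk_level_during_signin": "high", "user.name": "alice"},
    {"event.dataset": "azure.signinlogs", "event.outcome": "failure",
     "azure.signinlogs.properties.risk_level_aggregated": "high", "user.name": "bob"},
    {"event.dataset": "azure.signinlogs", "event.outcome": "failure",
     "azure.signinlogs.properties.risk_level_during_signin": "low", "user.name": "carol"},
    {"event.dataset": "azure.auditlogs", "event.outcome": "success",
     "azure.signinlogs.properties.risk_level_during_signin": "high", "user.name": "dave"},
]

def alerting_users(rule, events=SAMPLE_EVENTS) -> list:
    # Return the user.name of every event the given rule would alert on.
    return [ev["user.name"] for ev in events if rule(ev)]

if __name__ == "__main__":
    print("current:  ", alerting_users(current_rule))
    print("proposed: ", alerting_users(proposed_rule))
    print("with exception:", alerting_users(with_exception(proposed_rule, {"failure", "Failure"})))
```

Running it shows the failed high-risk sign-in (bob) is silently dropped by the current query, alerts under the proposed one, and can be suppressed again per customer with the exception.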
