Microsoft Sentinel Analytic Rules
cloudbrothers.info / Azure Sentinel Repo

Correlate Unfamiliar sign-in properties atypical travel alerts

Id: a3df4a32-4805-4c6d-8699-f3c888af2f67
Rulename: Correlate Unfamiliar sign-in properties & atypical travel alerts
Description: The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.
Severity: High
Tactics: InitialAccess
Techniques: T1078
Required data connectors: AzureActiveDirectoryIdentityProtection, BehaviorAnalytics
Kind: Scheduled
Query frequency: 1d
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Cross-Cloud Suspicious user activity observed in GCP Environment

Id: 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7
Rulename: Cross-Cloud Suspicious user activity observed in GCP Environment
Description: This detection query correlates potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides insight into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.

Dataverse - Guest user exfiltration following Power Platform defense impairment

Id: 39efbf4b-b347-4cc7-895e-99a868bf29ea
Rulename: Dataverse - Guest user exfiltration following Power Platform defense impairment
Description: Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users. Note: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.

Dataverse - Suspicious use of TDS endpoint

Id: d875af10-6bb9-4d6a-a6e4-78439a98bf4b
Rulename: Dataverse - Suspicious use of TDS endpoint
Description: Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment.
Severity: Low
Tactics: Exfiltration, InitialAccess
Techniques: T1048, T1190
Required data connectors: AzureActiveDirectoryIdentityProtection, Dataverse
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Dataverse - Terminated employee exfiltration over email

Id: de039242-47e0-43fa-84d7-b6be24305349
Rulename: Dataverse - Terminated employee exfiltration over email
Description: This query identifies Dataverse exfiltration via email by terminated employees.
Severity: High
Tactics: Exfiltration
Techniques: T1639, T1567
Required data connectors: AzureActiveDirectoryIdentityProtection, IdentityInfo, MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration over email.yaml
Version: 3.2.0
Arm template: de039242-47e0-43fa-84d7-b6be24305349.json
KQL: // Note this detection relies upon the user's UPN matching their email address.

Insider Risk_High User Security Alert Correlations

Id: a4fb4255-f55b-4c24-b396-976ee075d406
Rulename: Insider Risk_High User Security Alert Correlations
Description: This alert joins SecurityAlerts from Microsoft Products with SecurityIncidents from Microsoft Sentinel and Microsoft Defender XDR. This join allows for identifying patterns in user principal names associated with respective security alerts. A machine learning function (Basket) is leveraged with a .001 threshold. Basket finds all frequent patterns of discrete attributes (dimensions) in the data and returns the frequent patterns that pass the frequency threshold.

Insider Risk_High User Security Incidents Correlation

Id: 28a75d10-9b75-4192-9863-e452c3ad24db
Rulename: Insider Risk_High User Security Incidents Correlation
Description: This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products with Microsoft Incident Generating Products (Microsoft Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents.

Power Apps - Multiple users access a malicious link after launching new app

Id: 4bd7e93a-0646-4e02-8dcb-aa16d16618f4
Rulename: Power Apps - Multiple users access a malicious link after launching new app
Description: Identifies a chain of events where a new Power App is created, followed by multiple users launching the app within the detection window and clicking on the same malicious URL.
Severity: High
Tactics: InitialAccess
Techniques: T1189, T1566
Required data connectors: AzureActiveDirectoryIdentityProtection, MicrosoftDefenderThreatIntelligence, MicrosoftThreatProtection, PowerPlatformAdmin, ThreatIntelligence, ThreatIntelligenceTaxii
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Successful AWS Console Login from IP Address Observed Conducting Password Spray

Id: 188db479-d50a-4a9c-a041-644bae347d1f
Rulename: Successful AWS Console Login from IP Address Observed Conducting Password Spray
Description: This query detects successful AWS console login events that follow multiple failed app logon alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products. Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.

Suspicious AWS console logins by credential access alerts

Id: b51fe620-62ad-4ed2-9d40-5c97c0a8231f
Rulename: Suspicious AWS console logins by credential access alerts
Description: This query detects successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products. Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.