{
"Name": "Microsoft Entra ID",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
"Data Connectors": [
"Solutions/Microsoft Entra ID/Data Connectors/template_AzureActiveDirectory.json"
],
"Workbooks": [
"Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectoryAuditLogs.json",
"Solutions/Microsoft Entra ID/Workbooks/AzureActiveDirectorySignins.json"
],
"Analytic Rules": [
"Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AzureAADPowerShellAnomaly.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AzureADRoleManagementPermissionGrant.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/AzurePortalSigninfromanotherAzureTenant.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Brute Force Attack against GitHub Account.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/BulkChangestoPrivilegedAccountPermissions.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/CredentialAddedAfterAdminConsent.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/DistribPassCrackAttempt.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/ExplicitMFADeny.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/FailedLogonToAzurePortal.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/FirstAppOrServicePrincipalCredential.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_O365AttackToolkit.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/MaliciousOAuthApp_PwnAuth.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/MFARejectedbyUser.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NewOnmicrosoftDomainAdded.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NewAppOrServicePrincipalCredential.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NRT_ADFSDomainTrustMods.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/nrt_FirstAppOrServicePrincipalCredential.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NRT_NewAppOrServicePrincipalCredential.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NRT_PIMElevationRequestRejected.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/NRT_UseraddedtoPrivilgedGroups.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/PIMElevationRequestRejected.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/PossibleSignInfromAzureBackdoor.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/PrivilegedAccountsSigninFailureSpikes.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/RareApplicationConsent.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/Sign-in Burst from Multiple Locations.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SigninBruteForce-AzurePortal.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SigninPasswordSpray.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousServicePrincipalcreationactivity.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/UnusualGuestActivity.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml",
"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml"
],
"Playbooks": [
"Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/alert-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/incident-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Prompt-User/alert-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Prompt-User/incident-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/alert-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/incident-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Block-AADUser/entity-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Reset-AADUserPassword/entity-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/alert-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/incident-trigger/azuredeploy.json",
"Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "3.2.10",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"StaticDataConnectorIds": [
"AzureActiveDirectory"
]
}