@Cyberlorians
Contributor

Required items, please complete

Change(s):

  • Added ConditionalAccessSISM.json workbook to Solutions/Microsoft Entra ID/Workbooks/
  • New comprehensive Conditional Access monitoring workbook for Microsoft Sentinel
  • Provides real-time insights into CA policies using AuditLogs and SigninLogs
  • Includes user monitoring, workload identity analysis, and emergency account tracking

Reason for Change(s):

  • Enhances Microsoft Entra ID solution set with specialized Conditional Access monitoring capabilities
  • Addresses gap in comprehensive CA policy analysis and monitoring tools
  • Provides administrators with actionable insights for Zero Trust implementation
  • Supports both user accounts and workload identities in CA policy evaluation

Version Updated:

  • N/A (New workbook submission, not updating existing detection/analytic rule)

Testing Completed:

  • Yes - Workbook has been tested in Microsoft Sentinel environment
  • Validated with AuditLogs and SigninLogs data sources
  • Confirmed compatibility with Log Analytics workspace queries
  • Tested across multiple CA policy scenarios and configurations
  • All KQL queries execute successfully without custom parsers or functions

Checked that the validations are passing and have addressed any issues that are present:

  • Yes - Workbook follows standard JSON structure for Microsoft Sentinel workbooks
  • All queries use standard Microsoft Entra ID log tables (AuditLogs, SigninLogs, AADServicePrincipalSignInLogs, AADRiskyServicePrincipals)
  • No custom parsers or functions required
  • Workbook structure aligns with existing Microsoft Entra ID workbooks in the repository

@Cyberlorians Cyberlorians requested review from a team as code owners November 11, 2025 14:53
@v-atulyadav v-atulyadav self-assigned this Nov 12, 2025
@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Nov 12, 2025
@Cyberlorians
Contributor Author

Cyberlorians commented Nov 12, 2025

This CI failure appears to be a validation pipeline issue. According to the Microsoft Sentinel Solutions Packaging Tool documentation, workbooks are valid solution components that should not be validated against detection template schemas.

The validation pipeline is incorrectly requiring TTP fields (tactics, techniques, relevantTechniques) for workbook files. Per the official guidance, workbooks have separate validation requirements and should be excluded from detection-specific schema checks.

Could a maintainer please review the CI validation configuration to properly handle workbook files?

@v-atulyadav
Collaborator

Hi @Cyberlorians,

Please remove the fallbackResourceIds, and also ensure that the fromTemplate value is something other than "sentinel-UserWorkbook", as indicated by the error. Thanks
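
An added example, not part of the original thread or the repository's validation tooling: a pre-submission check for the two fields named in the comment above. It assumes the exported workbook keeps `fallbackResourceIds` and the template id (`fromTemplateId`, or `fromTemplate` as the comment calls it) at the top level of the JSON. The sample documents and the replacement template id are constructed.

```python
import json

# Key names assumed from the exported workbook JSON format; the review
# comment refers to them as fallbackResourceIds and fromTemplate.
FALLBACK_KEY = "fallbackResourceIds"
TEMPLATE_KEYS = ("fromTemplateId", "fromTemplate")
BLOCKED_TEMPLATE = "sentinel-UserWorkbook"


def check_workbook(text):
    """Return a list of findings for one workbook JSON document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]

    findings = []
    if FALLBACK_KEY in doc:
        ids = doc[FALLBACK_KEY]
        count = len(ids) if isinstance(ids, list) else 1
        findings.append(f"{FALLBACK_KEY} present ({count} resource id(s)); remove it")
    for key in TEMPLATE_KEYS:
        if doc.get(key) == BLOCKED_TEMPLATE:
            findings.append(f'{key} is "{BLOCKED_TEMPLATE}"; use a different value')
    return findings


# Constructed samples, not the workbook from this pull request.
SAMPLE_BEFORE = json.dumps({
    "version": "Notebook/1.0",
    "items": [],
    "fallbackResourceIds": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/"
        "example-rg/providers/microsoft.operationalinsights/workspaces/example-ws"
    ],
    "fromTemplateId": "sentinel-UserWorkbook",
})
SAMPLE_AFTER = json.dumps({
    "version": "Notebook/1.0",
    "items": [],
    "fromTemplateId": "sentinel-ConditionalAccessSISM",  # placeholder value
})

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_workbook(text) or "ok")
```

Removing `fallbackResourceIds` also keeps the exporting environment's subscription, resource group and workspace identifiers out of a public repository.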

Contributor Author

@Cyberlorians Cyberlorians left a comment

Changes were made.

@Cyberlorians
Contributor Author

Hi. What's the new failure issue now?

@v-atulyadav
Collaborator

> Hi. What's the new failure issue now?

You can ignore this

@Cyberlorians
Contributor Author

Great. Thanks. Is everything else ok? When can I expect it to be published?

@v-atulyadav
Collaborator

v-atulyadav commented Nov 20, 2025

Hi @Cyberlorians,
Please add the workbook metadata in the path mentioned below and then kindly proceed with packaging this solution. Thanks
https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

@Cyberlorians
Contributor Author

I updated the metadata.json. I do not know how to package this. Very confusing. The packaging solution does not lay this out for a non-coder or for workbooks. If this cannot be published, please contact me on TEAMS at [email protected]. Please and thank you.

@Cyberlorians
Contributor Author

Evening, is there any possibility of you helping me? Please contact on msft teams channel. [email protected]

I do not know how to package and I need to get this workbook in place. Going forward I would be grateful if someone could show me.

@v-atulyadav
Collaborator

Hi @Cyberlorians,
Please update the workbook metadata as suggested above. We will take care of the packaging. Thanks

@Cyberlorians
Contributor Author

Thank you, and I did, I believe, last week. Would you verify it's updated?

@v-atulyadav
Collaborator

Hi @Cyberlorians,
I haven't seen any metadata updates for this workbook. Please confirm on your end. Thanks
https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

@v-atulyadav
Collaborator

Hi @Cyberlorians,
Please proceed with the request mentioned above. Thanks

@v-atulyadav
Collaborator

Hi @Cyberlorians,
We are awaiting your response on the request above. Thanks

@Cyberlorians
Contributor Author

New PR: Add Conditional Access Insights Workbook for Microsoft Entra ID #13313
