Azure · v-atulyadav · Jan 13, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
@@ -2,7 +2,7 @@ id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
 name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
 description: |
     This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
-    This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.
+    This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.
 severity: Low
 requiredDataConnectors:
   - connectorId: SquidProxy
@@ -49,7 +49,7 @@ customDetails:
 alertDetailsOverride:
     alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
     alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
 metadata:
     source:

@@ -1,7 +1,7 @@
 id: 2790795b-7dba-483e-853f-44aa0bc9c985
 name: Wazuh - Large Number of Web errors from an IP
 description: |
-  'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst'
+  'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/index.html'
 severity: Low
 requiredDataConnectors: []
 queryFrequency: 1d
@@ -31,7 +31,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIP
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
 metadata:
     source:

@@ -3,7 +3,7 @@ name: ADFS DKM Master Key Export
 description: | 
   'Identifies an export of the ADFS DKM Master Key from Active Directory.
   References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, 
-  https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1
+  https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
   To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:
   https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469
   https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
@@ -85,7 +85,7 @@ entityMappings:
     fieldMappings:
       - identifier: ResourceId
         columnName: _ResourceId
-version: 1.2.1
+version: 1.2.2
 kind: Scheduled
 metadata:
     source:

@@ -7,7 +7,6 @@ description: |
         Failed to resolve scalar expression named "[@Name]"
    For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.
    The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.
-   - ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
    - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml'
 severity: Medium
 requiredDataConnectors:
@@ -158,7 +157,7 @@ entityMappings:
         columnName: HostName
       - identifier: NTDomain
         columnName: HostNameDomain
-version: 1.1.3
+version: 1.1.4
 kind: Scheduled
 metadata:
     source:

@@ -4,7 +4,7 @@ description: |
    'This query detects modification in the AdminSDHolder  in the Active Directory which could indicate an attempt for persistence. 
    AdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.
    This query searches for the event id 5136 where the Object DN is AdminSDHolder.
-   Ref: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence'
+   Ref: https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/adminsdholder-attack/'
 severity: High
 requiredDataConnectors:
   - connectorId: SecurityEvents
@@ -43,7 +43,7 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: HostNameDomain
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
 metadata:
     source:

@@ -4,7 +4,7 @@ description: |
   'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. 
   This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 
   This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel
-  can be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs
+  can be found here: https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@@ -35,7 +35,7 @@ entityMappings:
         columnName: HostName
       - identifier: DnsDomain
         columnName: HostNameDomain
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:

@@ -4,8 +4,7 @@ description: |
   'Amazon Relational Database Service (RDS) is scalable relational database in the cloud.
   If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)
   Once alerts triggered, validate if changes observed are authorized and adhere to change control policy.
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
-  and RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html'
+  RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html'
 severity: Low
 status: Available
 requiredDataConnectors:
@@ -47,5 +46,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
@@ -2,9 +2,8 @@ id: 65360bb0-8986-4ade-a89d-af3cf44d28aa
 name: Changes to Amazon VPC settings
 description: |
   'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
-  This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
-  and AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html'
+  This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. 
+  AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html'
 severity: Low
 status : Available
 requiredDataConnectors:
@@ -50,5 +49,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.6
+version: 1.0.7
 kind: Scheduled
@@ -2,8 +2,7 @@ id: 4f19d4e3-ec5f-4abc-9e61-819eb131758c
 name: Changes to AWS Security Group ingress and egress settings
 description: |
   'A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.
-   Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. '
+   Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. '
 severity: Low
 status: Available
 requiredDataConnectors:
@@ -47,5 +46,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
@@ -3,8 +3,7 @@ name: Changes to AWS Elastic Load Balancer security groups
 description: |
   'Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.
    Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and  hence needs monitoring.
-   More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
-   and https://aws.amazon.com/elasticloadbalancing/. '
+   More information: https://aws.amazon.com/elasticloadbalancing/. '
 severity: Low
 status: Available
 requiredDataConnectors:
@@ -48,5 +47,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
@@ -5,7 +5,7 @@ description: |
   Identifies when existing role is removed and new/existing high privileged role is added to instance profile. 
   Any instance with this instance profile attached is able to perform privileged operations.
   AWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html 
-  and CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment '
+  and CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/cloudgoat/scenarios/aws/iam_privesc_by_attachment '
 requiredDataConnectors:
   - connectorId: AWS
     dataTypes:

@@ -74,7 +74,7 @@
             "name": "dataconnectors3-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Amazon Web Services. You can get Amazon Web Services data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Amazon Web Services S3 WAF. You can get Amazon Web Services S3 WAF data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -180,7 +180,7 @@
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html"
+                  "text": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud.\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy.\nRDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html"
                 }
               }
             ]
@@ -194,7 +194,7 @@
                 "name": "analytic2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html"
+                  "text": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways. \nAWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html"
                 }
               }
             ]
@@ -278,7 +278,7 @@
                 "name": "analytic8-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. "
+                  "text": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors. "
                 }
               }
             ]
@@ -292,7 +292,7 @@
                 "name": "analytic9-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and  hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/. "
+                  "text": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and  hence needs monitoring.\n More information: https://aws.amazon.com/elasticloadbalancing/. "
                 }
               }
             ]
@@ -1086,7 +1086,7 @@
                 "name": "huntingquery2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.\nIdentifies when existing role is removed and new/existing high privileged role is added to instance profile. \nAny instance with this instance profile attached is able to perform privileged operations.\nAWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html \nand CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment  This hunting query depends on AWS AWSS3 data connector (AWSCloudTrail AWSCloudTrail Parser or Table)"
+                  "text": "An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.\nIdentifies when existing role is removed and new/existing high privileged role is added to instance profile. \nAny instance with this instance profile attached is able to perform privileged operations.\nAWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html \nand CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/cloudgoat/scenarios/aws/iam_privesc_by_attachment  This hunting query depends on AWS AWSS3 data connector (AWSCloudTrail AWSCloudTrail Parser or Table)"
                 }
               }
             ]