[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)

* Tuning azure and m365 rule names and file paths

* addressing unit test failures

* addressing unit test failures

* Changed Frontdoor to Front Door

* removed extra space in name

* adjusted Microsoft 365 to M365 in rule name

* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml

* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml

* Update rules/integrations/azure/persistence_automation_account_created.toml

* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml

* Update rules/integrations/azure/persistence_automation_webhook_created.toml

* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml

* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml

* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml

* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml

* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <[email protected]>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <[email protected]>

* fixed additional rule names

* Update rule dates and investigation guide headers

- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* changed kibana alert rule name to rule ID

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: 3 people

rules/cross-platform/initial_access_azure_o365_with_network_alert.toml

@@ -2,12 +2,12 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip.
+This rule correlate Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address.
 Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
 resources.
 """
@@ -19,10 +19,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "M365 or Entra ID Identity Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating M365 or Entra ID Identity Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 | where @timestamp > now() - 8 hours
 // filter for azure or m365 sign-in and external alerts with source.ip not null
 | where to_ip(source.ip) is not null
-  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
+  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
   and not cidr_match(
     to_ip(source.ip),
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -93,13 +93,13 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
   )
 
 // capture relevant raw fields
-| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
+| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
 
 // classify each source ip based on alert type
 | eval
   Esql.source_ip_mail_access_case = case(event.dataset == "o365.audit" and event.action == "MailItemsAccessed" and event.outcome == "success", to_ip(source.ip), null),
   Esql.source_ip_azure_signin_case = case(event.dataset == "azure.signinlogs" and event.outcome == "success", to_ip(source.ip), null),
-  Esql.source_ip_network_alert_case = case(kibana.alert.rule.name == "external alerts" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
+  Esql.source_ip_network_alert_case = case(kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa" and not event.dataset in ("o365.audit", "azure.signinlogs"), to_ip(source.ip), null)
 
 // aggregate by source ip
 | stats
@@ -109,7 +109,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
     Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
     Esql.event_dataset_count_distinct = count_distinct(event.dataset),
     Esql.event_dataset_values = values(event.dataset),
-    Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
+    Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
     Esql.event_category_values = values(event.category)
   by Esql.source_ip = to_ip(source.ip)
 

…harepoint_access_for_user_principal.toml …harepoint_access_for_user_principal.tomlrules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml renamed to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml renamed to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 

rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Microsoft Graph Request Email Access by Unusual User and Client"
 note = """## Triage and analysis
 
-### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
+### Investigating Microsoft Graph Request Email Access by Unusual User and Client
 
 This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
 

rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/02"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/02"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode"
+name = "Entra ID OAuth Device Code Flow with Concurrent Sign-ins"
 note = """## Triage and analysis
 
-### Investigating Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode
+### Investigating Entra ID OAuth Device Code Flow with Concurrent Sign-ins
 
 ### Possible investigation steps
 

rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID User Sign-in Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID User Sign-in Brute Force Attempted
 
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
 

rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml

@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_version = "9.0.0"
 min_stack_comments = "Bug fix in threshold rules."
-updated_date = "2025/12/08"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,10 +24,10 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"]
 interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Excessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Excessive Account Lockouts Detected
+### Investigating Entra ID Excessive Account Lockouts Detected
 
 This rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.
 

…ra_signin_brute_force_microsoft_365.toml …id_signin_brute_force_microsoft_365.tomlrules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml renamed to rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml renamed to rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "Entra ID Sign-in Brute Force Attempted (Microsoft 365)"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
+### Investigating Entra ID Sign-in Brute Force Attempted (Microsoft 365)
 
 Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage.
 

…ccess_azure_entra_suspicious_signin.toml …l_access_entra_id_suspicious_signin.tomlrules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml renamed to rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml renamed to rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
+name = "Entra ID Concurrent Sign-in with Suspicious Properties"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
+### Investigating Entra ID Concurrent Sign-in with Suspicious Properties
 
 ### Possible investigation steps
 

…ure_entra_totp_brute_force_attempts.toml …_entra_id_totp_brute_force_attempts.tomlrules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml renamed to rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml renamed to rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+name = "Entra ID MFA TOTP Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+### Investigating Entra ID MFA TOTP Brute Force Attempted
 
 This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.
 

…azure_key_vault_excessive_retrieval.toml …ccess_key_vault_excessive_retrieval.tomlrules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml renamed to rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml renamed to rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/14"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 interval = "8m"
 language = "esql"
 license = "Elastic License v2"
-name = "Excessive Secret or Key Retrieval from Azure Key Vault"
+name = "Azure Key Vault Excessive Secret or Key Retrieved"
 note = """## Triage and analysis
 
-### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
+### Investigating Azure Key Vault Excessive Secret or Key Retrieved
 
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.