[Rule Tuning] Update Azure / M365 Rule Names and File Paths

[terrancedejesus]

We want to standardize rule titles across Azure, Entra ID, and Microsoft 365 to ensure consistency, clarity, and alignment with platform/service terminology. The following guidelines should be applied going forward:

Platform Prefix

Always start with the platform name:

• Azure → Covers cloud infrastructure (compute, storage, networking, automation, etc.)
• Entra ID → Covers identity, authentication, and authorization
• M365 → Covers SaaS-specific activity (Exchange, SharePoint, Teams, Graph, etc.)
• Do not duplicate platform names in the middle or suffix of titles.

Service or Domain Context

• After the platform, specify the service or functional area:
  • Examples: Automation, Blob Storage, Key Vault, Kubernetes Services (AKS), OAuth, Conditional Access Policy
• Abbreviations are acceptable only if they are industry-standard (e.g., AKS, PIM, MFA).

Action or Behavior

Use a clear action-oriented phrase:

• Created / Deleted / Modified / Updated for config changes
• Sign-in / Request / Execution / Detected for operational or behavioral activity
• Excessive / Rare / Suspicious for anomaly-driven detections
• Prefer Created or Modified over “Created/Modified” to avoid slashes.

Entity or Object Affected

• Specify the object in scope:
  • Examples: Runbook, Webhook, Authorization Rule, Role Assignment, Secret, VM Command
• Use singular unless the detection clearly applies to multiple objects (e.g., “Pods Deleted”).

Anomaly/Heuristic Qualifiers

• Place qualifiers at the end of the title for clarity:
  • Examples: by Rare User, with Suspicious Properties, via Refresh Token, with Rare Client
• Keep heuristic descriptions short and consistent.

Consistency Rules

• Use Title Case (capitalize major words, lowercase minor words unless acronym).
• Avoid redundant words (e.g., don’t repeat “Azure” in both prefix and service).

While adjusting rule names, file paths should be adjusted as well as these typically reflect the rule name.

[terrancedejesus]

1. Azure Automation Account Created
2. Azure Automation Runbook Created or Modified
3. Azure Automation Runbook Deleted
4. Azure Automation Webhook Created
5. Azure Blob Storage Container Access Level Modified
6. Azure Blob Storage Permissions Modified
7. Azure Compute VM Command Executed
8. Azure Diagnostic Settings Alert Suppression Rule Created or Modified
9. Azure Diagnostic Settings Settings Deleted
10. Azure Event Hub Authorization Rule Created or Updated
11. Azure Event Hub Deleted
12. Azure Key Vault Excessive Secret or Key Retrieved
13. Azure Key Vault Modified
14. Azure Key Vault Unusual Secret Key Usage
15. Azure Kubernetes Services (AKS) Kubernetes Events Deleted
16. Azure Kubernetes Services (AKS) Kubernetes Pods Deleted
17. Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
18. Azure Resource Group Deleted
19. Azure Storage Account Key Regenerated
20. Azure Storage Account Keys Accessed by Privileged User
21. Azure VNet Firewall Frontdoor WAF Policy Deleted
22. Azure VNet Firewall Policy Deleted
23. Azure VNet Full Network Packet Capture Enabled
24. Azure VNet Network Watcher Deleted
25. Entra ID ADRS Token Request by Microsoft Authentication Broker
26. Entra ID Application Credential Modified
27. Entra ID Concurrent Sign-in with Suspicious Properties
28. Entra ID Conditional Access Policy (CAP) Modified
29. Entra ID Device Registration Detected (ROADtools)
30. Entra ID Elevated Access to User Access Administrator
31. Entra ID Excessive Account Lockouts Detected
32. Entra ID External Authentication Methods (EAM) Modified
33. Entra ID External Guest User Invited
34. Entra ID Global Administrator Role Assigned
35. Entra ID Global Administrator Role Assigned (PIM User)
36. Entra ID High Risk Sign-in
37. Entra ID High Risk User Sign-in Heuristic
38. Entra ID Illicit Consent Grant via Registered Application
39. Entra ID MFA Disabled for User
40. Entra ID MFA TOTP Brute Force Attempted
41. Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
42. Entra ID OAuth Device Code Grant by Unusual User
43. Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
44. Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph
45. Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected
46. Entra ID OAuth ROPC Grant Login Detected
47. Entra ID OAuth User Impersonation by Client
48. Entra ID OAuth User Impersonation to Microsoft Graph
49. Entra ID OIDC Discovery URL Modified
50. Entra ID PowerShell Sign-in
51. Entra ID Privileged Identity Management (PIM) Role Modified
52. Entra ID Protection - Risk Detection - Sign-in Risk
53. Entra ID Protection - Risk Detection - User Risk
54. Entra ID Protection Alerts for User Detected
55. Entra ID Protection User Alert and Device Registration
56. Entra ID Service Principal Created
57. Entra ID Service Principal Credentials Created by Unusual User
58. Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client
59. Entra ID Sign-in BloodHound Suite User-Agent Detected
60. Entra ID Sign-in Brute Force Attempt (Microsoft 365)
61. Entra ID Sign-in TeamFiltration User-Agent Detected
62. Entra ID User Added as Registered Application Owner
63. Entra ID User Added as Service Principal Owner
64. Entra ID User Reported Suspicious Activity
65. Entra ID User Sign-in  with Unusual Authentication Type
66. Entra ID User Sign-in Brute Force Attempted
67. Entra ID User Sign-in with Unusual Client
68. Entra ID User Sign-in with Unusual Registered Device
69. Microsoft Graph Request Email Access by Unusual User and Client
70. Microsoft Graph Request User Impersonation by Unusual Client

[terrancedejesus]

1. Microsoft 365 Exchange Anti-Phish Policy Deleted
2. Microsoft 365 Exchange Anti-Phish Rule Modification
3. Microsoft 365 Exchange DKIM Signing Configuration Disabled
4. Microsoft 365 Exchange DLP Policy Deleted
5. Microsoft 365 Exchange Email Safe Attachment Rule Disabled
6. Microsoft 365 Exchange Email Safe Link Policy Disabled
7. Microsoft 365 Exchange Federated Domain Created or Modified
8. Microsoft 365 Exchange Inbox Forwarding Rule Created
9. Microsoft 365 Exchange Inbox Phishing Evasion Rule Created
10. Microsoft 365 Exchange Mail Flow Transport Rule Created
11. Microsoft 365 Exchange Mail Flow Transport Rule Modified
12. Microsoft 365 Exchange Mailbox Accessed by Unusual Client
13. Microsoft 365 Exchange Mailbox Audit Logging Bypass Added
14. Microsoft 365 Exchange Mailbox High-Risk Permission Delegated
15. Microsoft 365 Exchange Mailbox Items Accessed Excessively
16. Microsoft 365 Exchange Malware Filter Policy Deleted
17. Microsoft 365 Exchange Malware Filter Rule Modified
18. Microsoft 365 Exchange Management Group Role Assigned
19. Microsoft 365 Identity Excessive SSO Login Errors Reported
20. Microsoft 365 Identity Global Administrator Role Assigned
21. Microsoft 365 Identity OAuth Flow by Rare Client to Microsoft Graph
22. Microsoft 365 Identity OAuth Flow by User Sign-in to Device Registration
23. Microsoft 365 Identity OAuth Flow by Visual Studio Code Client to Microsoft Graph
24. Microsoft 365 Identity OAuth Illicit Consent Grant by Rare Client and User
25. Microsoft 365 Identity Portal Login (Atypical Travel)
26. Microsoft 365 Identity Portal Login (Impossible Travel)
27. Microsoft 365 Identity User Account Lockouts
28. Microsoft 365 Identity User Brute Force Attempt
29. Microsoft 365 OneDrive Excessive File Downloads with OAuth Token
30. Microsoft 365 OneDrive Malware File Upload
31. Microsoft 365 Security Compliance Email Reported by User as Malware or Phish
32. Microsoft 365 Security Compliance Potential Ransomware Activity
33. Microsoft 365 Security Compliance Unusual Volume of File Deletion
34. Microsoft 365 Security Compliance User Restricted from Sending Email
35. Microsoft 365 SharePoint Malware File Detected
36. Microsoft 365 Teams Custom Application Interaction Enabled
37. Microsoft 365 Teams External Access Enabled
38. Microsoft 365 Teams Guest Access Enabled
39. Microsoft 365 Threat Intelligence Signal