elastic · terrancedejesus · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025 · Oct 1, 2025
diff --git a/...sharepoint_access_for_user_principal.toml → ...sharepoint_access_for_user_principal.toml b/...sharepoint_access_for_user_principal.toml → ...sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 

diff --git a/.../integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/.../integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
 index = ["logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Microsoft Graph Request Email Access by Unusual User and Client"
 note = """## Triage and analysis
 
-### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
+### Investigating Microsoft Graph Request Email Access by Unusual User and Client
 
 This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
 

diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID User Sign-in Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID User Sign-in Brute Force Attempted
 
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
 

diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Exccessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected
+### Investigating Entra ID Excessive Account Lockouts Detected
 
 This rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.
 

diff --git a/...tra_signin_brute_force_microsoft_365.toml → ..._id_signin_brute_force_microsoft_365.toml b/...tra_signin_brute_force_microsoft_365.toml → ..._id_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "Entra ID Sign-in Brute Force Attempt (Microsoft 365)"
-name = "Entra ID Sign-in Brute Force Attempt (Microsoft 365)"
+name = "Entra ID Sign-in Brute Force Attempted (Microsoft 365)"
-name = "Entra ID Sign-in Brute Force Attempt (Microsoft 365)"
+name = "Entra ID Sign-in Brute Force Attempted (Microsoft 365)"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
+### Investigating Entra ID Sign-in Brute Force Attempt (Microsoft 365)
-### Investigating Entra ID Sign-in Brute Force Attempt (Microsoft 365)
+### Investigating Entra ID Sign-in Brute Force Attempted (Microsoft 365)
-### Investigating Entra ID Sign-in Brute Force Attempt (Microsoft 365)
+### Investigating Entra ID Sign-in Brute Force Attempted (Microsoft 365)
 
 Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage.
 

diff --git a/...access_azure_entra_suspicious_signin.toml → ...al_access_entra_id_suspicious_signin.toml b/...access_azure_entra_suspicious_signin.toml → ...al_access_entra_id_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
+name = "Entra ID Concurrent Sign-in with Suspicious Properties"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
+### Investigating Entra ID Concurrent Sign-in with Suspicious Properties
 
 ### Possible investigation steps
 

diff --git a/...zure_entra_totp_brute_force_attempts.toml → ...s_entra_id_totp_brute_force_attempts.toml b/...zure_entra_totp_brute_force_attempts.toml → ...s_entra_id_totp_brute_force_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+name = "Entra ID MFA TOTP Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+### Investigating Entra ID MFA TOTP Brute Force Attempted
 
 This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.
 

diff --git a/..._azure_key_vault_excessive_retrieval.toml → ...access_key_vault_excessive_retrieval.toml b/..._azure_key_vault_excessive_retrieval.toml → ...access_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 interval = "8m"
 language = "esql"
 license = "Elastic License v2"
-name = "Excessive Secret or Key Retrieval from Azure Key Vault"
+name = "Azure Key Vault Excessive Secret or Key Retrieved"
 note = """## Triage and analysis
 
-### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
+### Investigating Azure Key Vault Excessive Secret or Key Retrieved
 
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
 

diff --git a/...y_vault_retrieval_from_rare_identity.toml → ...y_vault_retrieval_from_rare_identity.toml b/...y_vault_retrieval_from_rare_identity.toml → ...y_vault_retrieval_from_rare_identity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/22"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.platformlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Key Vault Secret Key Usage by Unusual Identity"
+name = "Azure Key Vault Unusual Secret Key Usage"
 note = """## Triage and analysis
 
-### Investigating Azure Key Vault Secret Key Usage by Unusual Identity
+### Investigating Azure Key Vault Unusual Secret Key Usage
 
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
 

diff --git a/...full_network_packet_capture_detected.toml → ...full_network_packet_capture_detected.toml b/...full_network_packet_capture_detected.toml → ...full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Austin Songer"]
@@ -23,13 +23,13 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Full Network Packet Capture Detected"
+name = "Azure VNet Full Network Packet Capture Enabled"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Full Network Packet Capture Detected
+### Investigating Azure VNet Full Network Packet Capture Enabled
 
 Azure's Packet Capture is a feature of Network Watcher that allows for the inspection of network traffic, useful for diagnosing network issues. However, if misused, it can capture sensitive data from unencrypted traffic, posing a security risk. Adversaries might exploit this to access credentials or other sensitive information. The detection rule identifies suspicious packet capture activities by monitoring specific Azure activity logs for successful operations, helping to flag potential misuse.
 

diff --git a/...ion_azure_automation_runbook_deleted.toml → ...e_evasion_automation_runbook_deleted.toml b/...ion_azure_automation_runbook_deleted.toml → ...e_evasion_automation_runbook_deleted.toml
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -21,13 +21,13 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Event Hub Deletion"
+name = "Azure Event Hub Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Event Hub Deletion
+### Investigating Azure Event Hub Deleted
 
 Azure Event Hub is a scalable data streaming platform and event ingestion service, crucial for processing large volumes of data in real-time. Adversaries may target Event Hubs to delete them, aiming to disrupt data flow and evade detection by erasing evidence of their activities. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential defense evasion attempts by identifying unauthorized or suspicious deletions.
 

diff --git a/...n_azure_diagnostic_settings_deletion.toml → ...nsights_diagnostic_settings_deletion.toml b/...n_azure_diagnostic_settings_deletion.toml → ...nsights_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -22,13 +22,13 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Diagnostic Settings Deletion"
+name = "Azure Diagnostic Settings Settings Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Diagnostic Settings Deletion
+### Investigating Azure Diagnostic Settings Settings Deleted
 
 Azure Diagnostic Settings are crucial for monitoring and logging platform activities, sending data to various destinations for analysis. Adversaries may delete these settings to hinder detection and analysis of their activities, effectively evading defenses. The detection rule identifies such deletions by monitoring specific Azure activity logs for successful deletion operations, flagging potential defense evasion attempts.
 

diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Austin Songer"]
@@ -22,13 +22,13 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Kubernetes Events Deleted"
+name = "Azure Kubernetes Services (AKS) Kubernetes Events Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Kubernetes Events Deleted
+### Investigating Azure Kubernetes Services (AKS) Kubernetes Events Deleted
 
 Azure Kubernetes Service (AKS) manages containerized applications using Kubernetes, which logs events like state changes. These logs are crucial for monitoring and troubleshooting. Adversaries may delete these logs to hide their tracks, impairing defenses. The detection rule identifies such deletions by monitoring specific Azure activity logs, flagging successful deletion operations to alert security teams of potential evasion tactics.
 

diff --git a/...nse_evasion_firewall_policy_deletion.toml → ...ion_network_firewall_policy_deletion.toml b/...nse_evasion_firewall_policy_deletion.toml → ...ion_network_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -21,13 +21,13 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Firewall Policy Deletion"
+name = "Azure VNet Firewall Policy Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Firewall Policy Deletion
+### Investigating Azure VNet Firewall Policy Deleted
 
 Azure Firewall policies are crucial for managing and enforcing network security rules across Azure environments. Adversaries may target these policies to disable security measures, facilitating unauthorized access or data exfiltration. The detection rule monitors Azure activity logs for successful deletion operations of firewall policies, signaling potential defense evasion attempts by identifying specific operation names and outcomes.
 

diff --git a/...n_frontdoor_firewall_policy_deletion.toml → ...k_frontdoor_firewall_policy_deletion.toml b/...n_frontdoor_firewall_policy_deletion.toml → ...k_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/30"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Austin Songer"]
@@ -23,15 +23,15 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted"
+name = "Azure VNet Firewall Front Door WAF Policy Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
+### Investigating Azure VNet Firewall Front Door WAF Policy Deleted
 
-Azure Frontdoor WAF policies are crucial for protecting web applications by filtering and monitoring HTTP requests to block malicious traffic. Adversaries may delete these policies to bypass security measures, facilitating unauthorized access or data exfiltration. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, signaling potential defense evasion attempts.
+Azure Front Door WAF policies are crucial for protecting web applications by filtering and monitoring HTTP requests to block malicious traffic. Adversaries may delete these policies to bypass security measures, facilitating unauthorized access or data exfiltration. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, signaling potential defense evasion attempts.
 
 ### Possible investigation steps
 

diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -22,13 +22,13 @@ from = "now-9m"
 index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Network Watcher Deletion"
+name = "Azure VNet Network Watcher Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Network Watcher Deletion
+### Investigating Azure VNet Network Watcher Deleted
 
 Azure Network Watcher is a vital tool for monitoring and diagnosing network issues within Azure environments. It provides insights and logging capabilities crucial for maintaining network security. Adversaries may delete Network Watchers to disable these monitoring functions, thereby evading detection. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, flagging successful attempts as potential security threats.