[New Rule] Entra ID Protection Admin Confirmed Compromise #5186
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
*Issue link(s)*: * #5185 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a specific detection rule for admin confirmed compromise by Entra ID protection. Relates to BBR rule `Microsoft Entra ID Protection - Risk Detections`. Please see related issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE serverless stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
terrancedejesus
added
Integration: Azure
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
terrancedejesus
requested review from
w0rk3r,
DefSecSentinel,
imays11,
Samirbous and
Aegrah
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue link(s):
Summary - What I changed
Adds a specific detection rule for admin confirmed compromise by Entra ID protection. Relates to BBR rule
Microsoft Entra ID Protection - Risk Detections. Please see related issue for more details.How To Test
Query can be used in TRADE serverless stack.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist