Entra ID Conditional Access (prefix) analytic rules - NEW
These are new rules, never seen before. They cover the CRUD lifecycle of Conditional Access policies and other metrics that cyber needs.
Reason for Change(s):
- Sentinel Entra is lacking any type of AR around CA policies.
Version Updated:
- Not applicable, not yet
Testing Completed:
- yes, verified
Checked that the validations are passing and have addressed any issues that are present:
- See guidance below
I see no details on the issue that needs to be fixed. Please let me know what needs to be addressed.
@Cyberlorians Required property 'requiredDataConnectors' not found in JSON. Please add it in the Analytic Rules.
@Cyberlorians relevantTechniques field is missing in multiple Analytic rules.
Thanks! Where exactly does that get added? In the description, or when I submit it in the notes? I ask because in the AR itself (in Sentinel) that is not an option.
Thank you
@Cyberlorians Please refer to any of the analytic rules at https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules
OK, I see it now. Do I manually add this into the YAML?
Cool. Thanks. I'm on leave. Not sure I can do it from a phone.
After I update the files, do I have to make a whole new pull request or no? Sorry, this is the first time doing this.
@Cyberlorians Please make this change in the same pull request (PR).
Is it still azureactivedirectory? Those ARs you showed me are the old ones, because it's Microsoft Entra ID.
What should I put?
@Cyberlorians Yes, use azureactivedirectory
Updates have been made. Please verify again.
Why is it failing now? I'm not following, nor is this in any guidance. I'd appreciate an assist, greatly.
@Cyberlorians "Invalid data model. No valid tactic corresponding to the technique T1489 was provided in the tactics field."
I updated the one YAML file that has an X to look like this. Is this proper? I.e., does it mean add a sub-technique and NOT leave a parent? I am not so sure this is accurate, as some ARs have just a parent and not a sub-technique.
```yaml
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562.007
```
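The three validator complaints in this thread (missing `requiredDataConnectors`, missing `relevantTechniques`, and a technique whose tactic is not listed under `tactics`) can all be caught locally before pushing. The script below is an added example and is not part of this PR or the Azure-Sentinel repository's own validation tooling. It assumes a rule already loaded into a Python dict (in practice via `yaml.safe_load` on the rule file), and it embeds a constructed, partial technique-to-tactic table covering only the ATT&CK IDs discussed here; the sample KQL query and the two sample rules are constructed for illustration, not taken from the PR.

```python
"""Pre-flight checks for a Microsoft Sentinel analytic-rule YAML (added example).

Assumption: the rule YAML has already been parsed into a dict, e.g.
    import yaml; rule = yaml.safe_load(open("rule.yaml"))
The technique table below is a constructed subset of MITRE ATT&CK (Enterprise),
limited to the IDs that appear in this thread plus two common identity ones.
"""
import re
from typing import Dict, List, Set

# Constructed partial map: parent technique -> tactics it belongs to, using the
# CamelCase tactic names that Sentinel rule YAML expects.
TECHNIQUE_TACTICS: Dict[str, Set[str]] = {
    "T1489": {"Impact"},                       # Service Stop
    "T1562": {"DefenseEvasion"},               # Impair Defenses (covers .007)
    "T1098": {"Persistence", "PrivilegeEscalation"},   # Account Manipulation
    "T1556": {"CredentialAccess", "DefenseEvasion", "Persistence"},
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def validate_rule(rule: dict) -> List[str]:
    """Return a list of validation errors; an empty list means the rule passes."""
    errors: List[str] = []

    # 1. requiredDataConnectors must exist and name a connector plus data types.
    connectors = rule.get("requiredDataConnectors")
    if not connectors:
        errors.append("Required property 'requiredDataConnectors' not found")
    else:
        for c in connectors:
            if not c.get("connectorId") or not c.get("dataTypes"):
                errors.append(f"requiredDataConnectors entry incomplete: {c}")

    # 2. relevantTechniques must exist and be well-formed ATT&CK IDs.
    techniques = rule.get("relevantTechniques")
    if not techniques:
        errors.append("relevantTechniques field is missing")
        return errors

    # 3. Each technique (sub-technique resolved to its parent) needs at least one
    #    matching tactic in the rule's tactics list.
    tactics = set(rule.get("tactics") or [])
    for tech in techniques:
        if not TECHNIQUE_ID.match(tech):
            errors.append(f"Malformed technique id '{tech}'")
            continue
        parent = tech.split(".")[0]
        allowed = TECHNIQUE_TACTICS.get(parent)
        if allowed is None:
            errors.append(f"Technique {tech} not in local table (extend TECHNIQUE_TACTICS)")
        elif not (allowed & tactics):
            errors.append(
                f"No valid tactic corresponding to the technique {tech} "
                f"was provided in the tactics field (expected one of {sorted(allowed)})"
            )
    return errors


# Constructed sample rule: Conditional Access policy modified. The OperationName
# filter is an assumption about Entra audit-log naming, not verified here.
CA_POLICY_CHANGE_RULE = {
    "name": "Conditional Access policy modified (example)",
    "requiredDataConnectors": [
        {"connectorId": "AzureActiveDirectory", "dataTypes": ["AuditLogs"]}
    ],
    "query": (
        'AuditLogs\n'
        '| where Category == "Policy"\n'
        '| where OperationName has "conditional access policy"\n'
        '| project TimeGenerated, OperationName, Result, InitiatedBy, TargetResources'
    ),
    "tactics": ["DefenseEvasion"],
    "relevantTechniques": ["T1562.007"],
}

# The state that produced the validator error quoted in the thread: a DefenseEvasion
# tactic paired with T1489, whose only tactic is Impact.
BROKEN_RULE = {
    "requiredDataConnectors": [
        {"connectorId": "AzureActiveDirectory", "dataTypes": ["AuditLogs"]}
    ],
    "tactics": ["DefenseEvasion"],
    "relevantTechniques": ["T1489"],
}

if __name__ == "__main__":
    for label, r in (("fixed", CA_POLICY_CHANGE_RULE), ("broken", BROKEN_RULE)):
        print(label, validate_rule(r) or "OK")
```

Note that the check resolves `T1562.007` to its parent `T1562` before looking up tactics, which is why keeping only the sub-technique (as in the snippet above) passes: the validator needs a tactic that matches the technique, not a parent ID listed alongside the sub-technique.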