
Updates for first cred added, performance, cleanup, entity addition

Open treyperrone opened this issue 2 years ago • 6 comments

Required items, please complete

Change(s):

  • Removed the OperationName search for 'Add service principal', as it brings in more results to filter on and is not needed; 'where old_value_set == "[]"' looks for an empty prior value and restricts to the FIRST password or certificate added only.
  • Removed a comment for code that was removed in a prior commit | PR
  • Added an entity for the SPN/App Registration name

Reason for Change(s):

  • The OperationName change results in fewer results to filter on and increases performance slightly
  • Removed the comment since the code was removed earlier, to prevent confusion
  • Entity added so the analyst can see it more easily, and to populate the investigation graph/GUI

Version Updated:

  • Yes

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

treyperrone avatar Apr 04 '23 16:04 treyperrone
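To make the two points of the PR concrete (restricting to 'Certificates and secrets management' reduces the rows the later stages must process, and old_value_set == "[]" isolates the first credential), here is an added Python simulation of the rule's filter pipeline over constructed AuditLogs-shaped rows. It is not the rule's KQL or the repository's code; the TargetResources/modifiedProperties/KeyDescription shape and the property names in the sample rows are assumptions.

```python
from typing import Iterable

# Constructed sample rows in the shape of Azure AD AuditLogs (assumed schema:
# TargetResources[].modifiedProperties[] with oldValue/newValue JSON strings).
SAMPLE_AUDIT_LOGS = [
    {   # first secret ever added to an app registration -> should alert
        "OperationName": "Certificates and secrets management", "Result": "success",
        "TargetResources": [{"displayName": "finance-sync-app", "type": "Application",
            "modifiedProperties": [{"displayName": "KeyDescription",
                "oldValue": "[]", "newValue": '["KeyIdentifier=c1,KeyType=Password"]'}]}],
    },
    {   # rotation: a credential already existed -> not a "first credential" case
        "OperationName": "Certificates and secrets management", "Result": "success",
        "TargetResources": [{"displayName": "billing-api", "type": "ServicePrincipal",
            "modifiedProperties": [{"displayName": "KeyDescription",
                "oldValue": '["KeyIdentifier=a1,KeyType=Password"]',
                "newValue": '["KeyIdentifier=a1,KeyType=Password","KeyIdentifier=b2,KeyType=Password"]'}]}],
    },
    {   # SPN creation: carries no credential change, only extra rows to discard
        "OperationName": "Add service principal", "Result": "success",
        "TargetResources": [{"displayName": "new-spn", "type": "ServicePrincipal",
            "modifiedProperties": [
                {"displayName": "AccountEnabled", "oldValue": "[]", "newValue": '["true"]'},
                {"displayName": "AppPrincipalId", "oldValue": "[]", "newValue": '["00000000-0000-0000-0000-000000000001"]'}]}],
    },
]

NEW_OPERATIONS = ("Certificates and secrets management",)          # after the PR
OLD_OPERATIONS = ("Add service principal",) + NEW_OPERATIONS       # before the PR

def first_credential_added(records: Iterable[dict], operations=NEW_OPERATIONS):
    """Mimic the rule's pipeline: filter OperationName, expand TargetResources
    and modifiedProperties (as KQL mv-expand would), then keep KeyDescription
    changes whose old_value_set was empty. Returns (alerts, rows_expanded) so
    the effect of the OperationName filter on downstream work is visible."""
    alerts, rows_expanded = [], 0
    for r in records:
        if r["OperationName"] not in operations or r.get("Result") != "success":
            continue
        for tr in r.get("TargetResources", []):
            for mp in tr.get("modifiedProperties", []):
                rows_expanded += 1  # every row the later stages still evaluate
                if mp.get("displayName") != "KeyDescription":
                    continue
                if mp["oldValue"] == "[]" and mp["newValue"] != "[]":
                    alerts.append({"target_name": tr["displayName"],  # entity added by the PR
                                   "target_type": tr["type"],
                                   "new_value_set": mp["newValue"]})
    return alerts, rows_expanded
```

Both operation lists produce the same single alert on the constructed data; the difference is only in how many expanded rows the final filter has to discard.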

Looking into this

v-rbajaj avatar Apr 12 '23 04:04 v-rbajaj

Hi @v-rbajaj, please provide your feedback on this. Thanks

v-atulyadav avatar Apr 13 '23 15:04 v-atulyadav

Hi @v-rbajaj, please provide your feedback on this. Thanks

v-atulyadav avatar Apr 19 '23 03:04 v-atulyadav

Looking into this

v-rbajaj avatar Apr 19 '23 09:04 v-rbajaj

Hi @treyperrone, can you please look into Devika's comment?

v-rbajaj avatar Apr 28 '23 04:04 v-rbajaj

Hi @treyperrone, please act on @devikamehra's comment. Thanks

v-atulyadav avatar May 03 '23 04:05 v-atulyadav

Hi @treyperrone, request you to please look into @devikamehra's comment.

v-rbajaj avatar May 05 '23 05:05 v-rbajaj

'where old_value_set == "[]"' looks for an empty value being populated with a non-empty.

From our LAWs datasets, this doesn't appear to be possible in the Azure Portal at the initial SPN creation time.

Looking at operation 'Add Service Principal' is not applicable; an update to that value from empty, or even a rotation, appears to occur only under the operation 'Certificates and secrets management'.

Is there some testing scenario from your side I could replicate here?

treyperrone avatar May 09 '23 03:05 treyperrone

> 'where old_value_set == "[]"' looks for an empty value being populated with a non-empty.
>
> From our LAWs datasets, this doesn't appear to be possible in the Azure Portal at the initial SPN creation time.
>
> Looking at operation 'Add Service Principal' is not applicable; an update to that value from empty, or even a rotation, appears to occur only under the operation 'Certificates and secrets management'.
>
> Is there some testing scenario from your side I could replicate here?

@treyperrone For non-empty old_value_set, there is another detection already in place. Does that solve your problem?

devikamehra avatar May 16 '23 13:05 devikamehra

> 'where old_value_set == "[]"' looks for an empty value being populated with a non-empty. From our LAWs datasets, this doesn't appear to be possible in the Azure Portal at the initial SPN creation time. Looking at operation 'Add Service Principal' is not applicable; an update to that value from empty, or even a rotation, appears to occur only under the operation 'Certificates and secrets management'. Is there some testing scenario from your side I could replicate here?

> @treyperrone For non-empty old_value_set, there is another detection already in place. Does that solve your problem?

I don't understand what you mean at all. I don't have a problem to solve here.

The current rule is pulling more data in at the first couple steps as I described. This data is unnecessary which makes the query less efficient based on the testing we did since it will be discarded when it looks for the non-empty value.

On other tickets Microsoft has asked us to provide data/logs/export. Can you please provide the data showing where this is needed? Maybe our testing is not extensive enough.

treyperrone avatar May 16 '23 14:05 treyperrone

> > 'where old_value_set == "[]"' looks for an empty value being populated with a non-empty. From our LAWs datasets, this doesn't appear to be possible in the Azure Portal at the initial SPN creation time. Looking at operation 'Add Service Principal' is not applicable; an update to that value from empty, or even a rotation, appears to occur only under the operation 'Certificates and secrets management'. Is there some testing scenario from your side I could replicate here?
> >
> > @treyperrone For non-empty old_value_set, there is another detection already in place. Does that solve your problem?
>
> I don't understand what you mean at all. I don't have a problem to solve here.
>
> The current rule is pulling more data in at the first couple of steps as I described. This data is unnecessary, which makes the query less efficient based on the testing we did, since it will be discarded when it looks for the non-empty value.
>
> On other tickets Microsoft has asked us to provide data/logs/export. Can you please provide the data showing where this is needed? Maybe our testing is not extensive enough.

@treyperrone I internally checked with the team and there are no recent examples of data supporting "Add service principal". I will let this PR go through for now and can revisit in future.

devikamehra avatar May 21 '23 18:05 devikamehra