Bert-JanP / Hunting-Queries-Detection-Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
https://kqlquery.com
BSD 3-Clause "New" or "Revised" License
1.14k stars, 213 forks

Add monitoring for cloud break glass accounts #40

Closed erikgruetter closed 3 months ago

erikgruetter commented 3 months ago

Hey there, this detection rule would be able to detect if any activity is performed from a cloud break glass account. This helps to monitor any activities performed by these accounts.

Bert-JanP commented 3 months ago

Hi, thank you for the request. Can you change the Sentinel query to match the tables available in Sentinel?

erikgruetter commented 3 months ago

@Bert-JanP sorry, I thought the tables were available in Sentinel too from my research. I have now removed the Sentinel Query (at the moment I don't have access to a Sentinel Environment).

Bert-JanP commented 3 months ago

No problem at all! I will add the Sentinel table in there with the same logic once I return from the EU Cloud Summit. Thanks for this addition!
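For readers following the thread, here is an added example of the kind of break glass monitoring discussed above, written as two standalone KQL queries: one over the Defender XDR advanced hunting tables, one over the Entra ID tables that exist in Sentinel. This is illustrative code, not the query from this PR or from the repository; the account object IDs are placeholders you replace with your own break glass accounts.

```kql
// ===== Query 1: Defender XDR advanced hunting (run on its own) =====
// Placeholder object IDs (assumption): put your break glass accounts here.
let BreakGlassAccounts = dynamic(["00000000-0000-0000-0000-000000000001",
                                  "00000000-0000-0000-0000-000000000002"]);
// Interactive and non-interactive logons seen by Defender for Identity / Cloud Apps.
let Logons = IdentityLogonEvents
    | where Timestamp > ago(1d) and AccountObjectId in~ (BreakGlassAccounts)
    | project Timestamp, ReportId, Account = AccountUpn, AccountObjectId,
              Activity = ActionType, Application, IPAddress;
// Actions performed in connected cloud apps (Entra ID, M365, etc.).
let Actions = CloudAppEvents
    | where Timestamp > ago(1d) and AccountObjectId in~ (BreakGlassAccounts)
    | project Timestamp, ReportId, Account = AccountDisplayName, AccountObjectId,
              Activity = ActionType, Application, IPAddress;
// Break glass accounts should be idle, so every row is worth a look.
union Logons, Actions
| order by Timestamp desc

// ===== Query 2: Microsoft Sentinel, same logic (run on its own) =====
// Placeholder object IDs (assumption): put your break glass accounts here.
let BreakGlassAccounts = dynamic(["00000000-0000-0000-0000-000000000001",
                                  "00000000-0000-0000-0000-000000000002"]);
// Both interactive and non-interactive sign-ins; ResultType "0" is success.
let SignIns = union SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(1d) and UserId in~ (BreakGlassAccounts)
    | project TimeGenerated, Account = UserPrincipalName, AccountObjectId = UserId,
              Activity = iff(ResultType == "0", "SignInSuccess",
                             strcat("SignInFailure:", ResultType)),
              Application = AppDisplayName, IPAddress;
// Directory changes initiated by the accounts (role, policy, user changes).
let Changes = AuditLogs
    | where TimeGenerated > ago(1d)
    | extend Actor = InitiatedBy.user
    | where tostring(Actor.id) in~ (BreakGlassAccounts)
    | project TimeGenerated, Account = tostring(Actor.userPrincipalName),
              AccountObjectId = tostring(Actor.id),
              Activity = strcat(OperationName, ":", Result),
              Application = Category, IPAddress = tostring(Actor.ipAddress);
union SignIns, Changes
| order by TimeGenerated desc
```

Query 1 keeps `Timestamp`, `ReportId` and `AccountObjectId` in the output so it can be saved as a Defender custom detection; Query 2 fits an Analytics Rule scheduled over the same look-back window.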