Closed BIitzkrieg closed 2 days ago
Welcome @BIitzkrieg :wave:
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives
or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
Thanks for the contribution. I modified the rule a bit to use correct fields. You can check it in #4888 Just note that i'm not cloud nor an entra expert. I used the linked tweet and did some extra research to make sure its as accurate as possible. If you or a future reader find an issue. Please don't hesitate to fix it.
Description of the Idea of the Rule
Analytic that detects when an account dumps the LAPS password via Entra ID.
Public References / Example Event Log
[Additional references and logs if possible to ease the process of creating the rule] https://twitter.com/NathanMcNulty/status/1785051227568632263
Detection Logic: