briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) enables easy to create incident triage automation in Microsoft Sentinel
MIT License
216 stars 59 forks source link

AAD SignIns Insights #210

Open piaudonn opened 2 years ago

piaudonn commented 2 years ago

I wonder if there would be an interest for such a module. It's essentially a similar concept of what we have for analysts in the entity page available for automation and a bit of what we have in UEBA.

Takes a user and return stats such as:

If there is a cloud-logon-session present in the entities (case of an AAD Protection alert), return all the info about this particular login.

That last one maybe could be added to the AAD Risk Module instead.

briandelmsft commented 2 years ago

I like the idea, would this be a new module or perhaps an extension to the capabilities of the AAD Risks? It may make it too complex though if we add it... not sure off hand.

One issue, the cloud-logon-session is not passed from the incident trigger so you have to go back into SecurityAlerts to get it.... this is one of the reasons for #205 so you can use the KQL module to lookup the incident easily and work from there

piaudonn commented 2 years ago

Maybe also return a table of last successfull access per app?

briandelmsft commented 2 years ago

possibilities to include:

piaudonn commented 2 years ago

(although we would need to define what baseline could be used to determine out of character behaviors)