briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) makes it easy to create incident triage automation in Microsoft Sentinel
MIT License

[Feature] Suspicious Behaviour Searches #443

Open briandelmsft opened 5 months ago

briandelmsft commented 5 months ago

I've seen a few common use cases for the KQL module and am starting to think we should integrate some into other modules such as

@piaudonn thoughts? what else should be on the list? what modules does it go in? make sense?

piaudonn commented 3 months ago

Maybe this is the occasion to get #210 addressed at the same time: recent role assignment. Maybe also merge that with exposure management (#453) and return those things as observables that can be used to calculate a custom blast radius (in combination with the scoring module).
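For reference, the kind of "recent role assignment" search the two comments above are talking about, written as a stand-alone KQL query against the Microsoft Entra ID audit log that Sentinel ingests. This is an added example, not code from the STAT project or from either commenter; it assumes the standard Sentinel `AuditLogs` table schema (`Category`, `OperationName`, `TargetResources`, `InitiatedBy`), a 14-day lookback, and an entity UPN supplied by the calling module via a hypothetical `TargetUpn` parameter.

```kql
// Added example (not STAT project code): surface directory role assignments
// made to a given account in the last 14 days, so a triage module could hand
// each assignment back as an observable for scoring / blast-radius logic.
let TargetUpn = "user@contoso.example";   // hypothetical input from the calling module
let Lookback = 14d;                       // assumption: 14-day "recent" window
AuditLogs
| where TimeGenerated > ago(Lookback)
| where Category == "RoleManagement"
// Both permanent and PIM-eligible assignments are interesting for triage.
| where OperationName in ("Add member to role", "Add eligible member to role")
| where Result == "success"
| extend AssignedTo = tostring(TargetResources[0].userPrincipalName)
| where AssignedTo =~ TargetUpn
// The role name lives in the modifiedProperties array of the first target resource.
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string, so strip the surrounding quotes.
| extend RoleName = trim('"', tostring(Prop.newValue))
| extend Initiator = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| project TimeGenerated, AssignedTo, RoleName, OperationName, Initiator, CorrelationId
| order by TimeGenerated desc
```

Each output row is one observable (account, role, who granted it, when); a scoring step could then weight rows by role privilege (for example, anything matching `Administrator` higher than a reader role) rather than treating every recent assignment as equally suspicious.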