Set up and documented an Azure lab to use for management, adversary simulation and more. Details are in a private Elastic document for now.
Reviewed existing rules' queries and the field names they filter on to make sure these fields did not change on Microsoft Azure's side, where we would need to accommodate accordingly. Of these, no changes were needed to existing rules or to the non-ECS schema.
From testing, we identified several new rules that will be scoped for the 8.4 release.
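As an added example (not code from this issue or from the Elastic detection-rules project), the field review described above can be scripted: extract the field names a rule's KQL query filters on and report any that are not present in the known ECS or non-ECS field list. The rule queries, rule names and the field list below are constructed for illustration and are not the project's real rules or schema.

```python
import re

# Constructed subset of field names the review treats as "known":
# ECS fields plus Azure integration (non-ECS) fields.
KNOWN_FIELDS = {
    "event.dataset",
    "event.action",
    "event.outcome",
    "source.ip",
    "user.name",
    "azure.activitylogs.operation_name",
    "azure.auditlogs.operation_name",
    "azure.signinlogs.properties.status.error_code",
}

# Constructed example rule queries (hypothetical rule names).
RULES = {
    "example-role-assignment-rule": (
        'event.dataset:azure.activitylogs and '
        'azure.activitylogs.operation_name:"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE" '
        'and event.outcome:(Success or success)'
    ),
    # Filters on a field name that no longer exists in the known list,
    # which is the situation the review is meant to catch.
    "example-stale-signin-rule": (
        'event.dataset:azure.signinlogs and '
        'azure.signinlogs.properties.renamed_field:"foo" and source.ip:*'
    ),
}


def extract_fields(query: str) -> set[str]:
    """Return the field names a KQL query filters on.

    Quoted string values are blanked first so that colons inside values
    (URLs, resource paths) are not mistaken for field separators.
    """
    stripped = re.sub(r'"[^"]*"', '""', query)
    return set(re.findall(r"\b([A-Za-z_][\w.]*)\s*:", stripped))


def unknown_fields(query: str, known: set[str] = KNOWN_FIELDS) -> list[str]:
    """Fields the query filters on that are absent from the known field list."""
    return sorted(extract_fields(query) - known)


def audit_rules(rules: dict[str, str] = RULES, known: set[str] = KNOWN_FIELDS) -> dict[str, list[str]]:
    """Map each rule name to the unknown fields its query references."""
    return {name: unknown_fields(query, known) for name, query in rules.items()}


if __name__ == "__main__":
    for name, missing in audit_rules().items():
        status = "OK" if not missing else f"unknown fields: {', '.join(missing)}"
        print(f"{name}: {status}")
```

A rule with an empty list passes the field check; a non-empty list means either the integration renamed or dropped the field (the rule needs tuning) or the non-ECS schema used by the review is incomplete and needs the field added.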
Azure DevOps Audit Stream Disabled
Azure AD Role Management Permission Grant
Azure DevOps Personal Access Token (PAT) Misuse
Azure DevOps Agent Pool Created Then Deleted
Azure Portal Signin from another Azure Tenant
Azure Active Directory Hybrid Health AD FS New Server
Azure DevOps Variable Secret Not Secured
Kubernetes is still being investigated using local testing.
Azure Integration Rules
Rule Review/Tuning
The following rules are older than 90 days and could use review/tuning.
New Rules
The following rules were added for Azure to provide additional coverage for Active Directory.
Potential: new rules may be targeted for 8.4.
Pre-Existing PRs
Review
Reviewing each rule requires the following to ensure it meets expectations.