Closed terrancedejesus closed 4 weeks ago
These guidelines serve as a reminder set of considerations when tuning an existing rule.
- `updated_date` matches the date of tuning PR merged.
- `min_stack_version` should support the widest stack versions.
- `name` and `description` should be descriptive and not include typos.
- `query` should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.
LGTM. Any thought on a setup guide?
@Mikaayenson great question and thanks for taking a look. Both rules link to the Azure integration, which has its own setup and configuration documentation. Ref - https://www.elastic.co/docs/current/integrations/azure
There are no special configurations that we did to gain visibility into these actions as they are the default Entra ID logs that stream to the Azure event hub. If we want to replicate steps from the integration into rules, my questions would be:
Happy to do either, but for these specifically I am in favor of leaning on the Azure integration docs as we do no special configuration setup outside of that.
Makes sense. I agree. We can leave as-is then. I'm also wondering if we should add the link to the references or something, but maybe it's already assumed that you should have followed those steps before using the rule.
I believe that is the purpose of `related_integrations` being shipped with the rules, so that it is a bit more autonomous.
Pull Request
Issue link(s):
Summary - What I changed
The following changes have been made as a result of a community Slack thread.
- Potential Password Spraying of Microsoft 365 User Accounts: This rule's query logic overlaps with Attempts to Brute Force a Microsoft 365 User Account; however, it is a threshold rule. With ES|QL we can use the `STATS` command and `COUNT()` function to accomplish the same anomaly detection.
- Attempts to Brute Force a Microsoft 365 User Account has been tuned to count the number of sources for each failed login.
- Azure Entra Sign-in Brute Force against Microsoft 365 Accounts

Note: For the Azure rule, we should update the telemetry filterlist and monitor `azure.signinlogs.properties.status.error_code` for tuning. This will be the most concrete way to remove false positives and focus solely on brute force related error codes that would generate; however, at this time there are too many plausible error codes to scope for this PR.

How To Test
Checklist
- `bug`, `enhancement`, `schema`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- `meta:rapid-merge` label if planning to merge within 24 hours

Contributor checklist
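The PR description says the threshold behaviour of the spraying rule can be reproduced with an ES|QL `STATS` / `COUNT()` aggregation, and that the brute-force rule now counts the number of sources per failed login. The following is an added example, not the rule query from this PR or Elastic's code: it reproduces in plain Python what `STATS ... BY` with `COUNT()` and `COUNT_DISTINCT()` computes over a batch of sign-in events, so the thresholds can be reasoned about offline. The field names follow the ECS / Azure integration layout (`user.name`, `source.ip`, `event.outcome`, `azure.signinlogs.properties.status.error_code`); the events, the thresholds, and the two-code error-code filter set are constructed for the example and are placeholders, not the set the PR left unscoped.

```python
"""Threshold brute-force / password-spray aggregation over Entra ID sign-in events.

Added illustration (not the PR's rule query or Elastic's code): a plain-Python
equivalent of ES|QL ``STATS ... BY`` using ``COUNT()`` and ``COUNT_DISTINCT()``.
Field names follow the ECS / Azure integration layout; all events, thresholds
and the error-code filter set are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 12, 0, 0)

# Two known Entra ID sign-in error codes (50126 invalid credentials, 50053
# account locked) used as a sample filter; the PR notes the full set of
# brute-force-related codes is not yet scoped, so treat this as a placeholder.
BRUTE_FORCE_ERROR_CODES = frozenset({"50126", "50053"})


def ev(minute: int, user: str, ip: str, outcome: str, code: str | None = None) -> dict:
    """Build one constructed sign-in event with flattened ECS-style field names."""
    return {
        "@timestamp": BASE + timedelta(minutes=minute),
        "user.name": user,
        "source.ip": ip,
        "event.outcome": outcome,
        "azure.signinlogs.properties.status.error_code": code,
    }


def build_sample_events() -> list[dict]:
    """Constructed sample: one brute-forced account, one spraying source, noise."""
    events = []
    # alice: 12 failures rotating across three source IPs (brute force)
    ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    for i in range(12):
        events.append(ev(i, "alice", ips[i % 3], "failure", "50126"))
    # a stale alice failure two hours earlier, outside the detection window
    events.append(ev(-120, "alice", "198.51.100.9", "failure", "50126"))
    # one source failing against many accounts (spray)
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        events.append(ev(5 + i, user, "203.0.113.5", "failure", "50126"))
    # benign noise: bob mistypes twice from his own IP, carol eventually succeeds
    events.append(ev(2, "bob", "192.0.2.10", "failure", "50126"))
    events.append(ev(3, "bob", "192.0.2.10", "failure", "50126"))
    events.append(ev(15, "carol", "192.0.2.20", "success"))
    # a failure with a non-credential error code (conditional access block)
    events.append(ev(8, "heidi", "203.0.113.5", "failure", "53003"))
    return events


def recent_failures(events, window, error_codes=None):
    """WHERE event.outcome == "failure" [AND error_code IN (...)] within the
    trailing window, anchored on the newest event in the batch."""
    latest = max(e["@timestamp"] for e in events)
    cutoff = latest - window
    out = []
    for e in events:
        if e["event.outcome"] != "failure" or e["@timestamp"] <= cutoff:
            continue
        code = e["azure.signinlogs.properties.status.error_code"]
        if error_codes is not None and code not in error_codes:
            continue
        out.append(e)
    return out


@dataclass
class UserStats:
    failures: int = 0
    sources: set = field(default_factory=set)


def failures_by_user(events, window=timedelta(minutes=30), error_codes=None) -> dict[str, UserStats]:
    """STATS failures = COUNT(*), sources = COUNT_DISTINCT(source.ip) BY user.name"""
    stats: dict[str, UserStats] = defaultdict(UserStats)
    for e in recent_failures(events, window, error_codes):
        s = stats[e["user.name"]]
        s.failures += 1
        s.sources.add(e["source.ip"])
    return dict(stats)


def brute_force_candidates(events, min_failures=10, min_sources=2, **kw) -> list[str]:
    """Accounts with many failures from several sources (the tuned brute-force shape)."""
    return sorted(u for u, s in failures_by_user(events, **kw).items()
                  if s.failures >= min_failures and len(s.sources) >= min_sources)


def users_by_source(events, window=timedelta(minutes=30), error_codes=None) -> dict[str, set]:
    """STATS targets = COUNT_DISTINCT(user.name) BY source.ip"""
    targets: dict[str, set] = defaultdict(set)
    for e in recent_failures(events, window, error_codes):
        targets[e["source.ip"]].add(e["user.name"])
    return dict(targets)


def spray_candidates(events, min_users=5, **kw) -> list[str]:
    """Sources that failed against many distinct accounts (password-spray shape)."""
    return sorted(ip for ip, users in users_by_source(events, **kw).items()
                  if len(users) >= min_users)


if __name__ == "__main__":
    sample = build_sample_events()
    print("brute force:", brute_force_candidates(sample, error_codes=BRUTE_FORCE_ERROR_CODES))
    print("spray:", spray_candidates(sample, error_codes=BRUTE_FORCE_ERROR_CODES))
```

Running the module flags `alice` (12 failures from 3 sources) and `203.0.113.5` (6 distinct accounts), while bob's two typos and the stale event outside the window stay below threshold. Passing `error_codes=None` shows the false-positive effect the PR's note is about: the conditional-access failure for `heidi` is then counted against the spraying source too, which is why narrowing on `azure.signinlogs.properties.status.error_code` matters once the relevant code set is scoped.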