Closed GeekCharmiing closed 6 months ago
azure-eventhub.rules & msapi-azuread.rules Created rules to detect more privileged roles being added to a user within Azure AD
aws-guardduty.rules Added SRCIP parsing for rule 5010391
.last_used_sid Updated SID for Normal Rule
This is denied as the base case needs validity. Azure has a number of built-in roles, and we should not monitor for the sake of monitoring but base our signatures on real TTPs.