[Rule Tuning] Standardize Azure / M365 Rule Contents #5035

terrancedejesus · 2025-08-28T15:55:52Z

Pull Request

Issue link(s):

[Rule Tuning] Standardize Azure / M365 Rule Contents #5033

Summary - What I changed

Standardizes rule contents and file names for Azure & M365 rules.

How To Test

No queries have been adjusted. However, files have been renamed. Diff may appear to be new rules but are just file name changes.

Checklist

Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
Added the meta:rapid-merge label if planning to merge within 24 hours
Secret and sensitive material has been managed correctly
Automated testing was updated or added to match the most common scenarios
Documentation and comments were added for features that require explanation

Contributor checklist

Have you signed the contributor license agreement?
Have you followed the contributor guidelines?

tradebot-elastic · 2025-08-29T14:44:48Z

⛔️ Test failed

Results

❌ M365 Exchange User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mailbox Permission Delegation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Session Reuse to Graph Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invitation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Container Access Level Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Potential User Account Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph First Occurrence of Client Request (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Excessive Single Sign-On Logon Errors (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Network Watcher Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Portal Login from Rare Location (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Brute Force via Entra ID Sign-Ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Suspicious UserLoggedIn via OAuth Code (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow via Auth Broker to DRS (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Portal Logins from Impossible Travel Locations (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Full Network Packet Capture Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID RT to PRT Transition from Same User and Device (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Inbox Rule to Delete or Move Emails (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID EAM Addition or Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mail Access by Unusual ClientAppId (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostic Settings Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DLP Policy Removed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox Audit Logging Bypass (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange New or Modified Federation Domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Signed In from Unusual Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Secret Key Usage by Unusual Identity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PIM Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Excessive Mailbox Items Accessed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ROPC Login Attempt by User Principal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Cloud Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious OAuth User Impersonation Scope Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Management Group Role Assignment (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare Authentication Requirement for Principal User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Access for User Principal via Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Code Auth with Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID First Occurrence of Auth via DeviceCode Protocol (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Resources Resource Group Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Custom Application Interaction Allowed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Entra ID Protection Alerts by User Principal (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Excessive Secret or Key Retrieval (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BloodHound Suite User-Agents Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare App ID for Principal Authentication (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-In Brute Force Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request by Microsoft Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Permissions Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User Principal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Multiple User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-Ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Graph Suspicious Email Access by First-Party Application via Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Addition to PIM User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostics Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 or Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ TeamFiltration User-Agents Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Added by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID User OAuth Redirect to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2025-08-29T14:47:35Z

⛔️ Test failed

Results

❌ M365 Exchange User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mailbox Permission Delegation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Session Reuse to Graph Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invitation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Container Access Level Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Potential User Account Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph First Occurrence of Client Request (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Excessive Single Sign-On Logon Errors (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Network Watcher Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Portal Login from Rare Location (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Brute Force via Entra ID Sign-Ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Suspicious UserLoggedIn via OAuth Code (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow via Auth Broker to DRS (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Portal Logins from Impossible Travel Locations (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Full Network Packet Capture Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID RT to PRT Transition from Same User and Device (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Inbox Rule to Delete or Move Emails (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID EAM Addition or Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mail Access by Unusual ClientAppId (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostic Settings Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DLP Policy Removed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox Audit Logging Bypass (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange New or Modified Federation Domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Signed In from Unusual Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Secret Key Usage by Unusual Identity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PIM Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Excessive Mailbox Items Accessed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ROPC Login Attempt by User Principal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Cloud Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious OAuth User Impersonation Scope Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Management Group Role Assignment (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare Authentication Requirement for Principal User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Access for User Principal via Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Code Auth with Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID First Occurrence of Auth via DeviceCode Protocol (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Resources Resource Group Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Custom Application Interaction Allowed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Entra ID Protection Alerts by User Principal (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Excessive Secret or Key Retrieval (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BloodHound Suite User-Agents Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare App ID for Principal Authentication (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-In Brute Force Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request by Microsoft Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Permissions Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User Principal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Multiple User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-Ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Graph Suspicious Email Access by First-Party Application via Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Addition to PIM User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostics Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 or Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ TeamFiltration User-Agents Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Added by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID User OAuth Redirect to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

w0rk3r · 2025-09-02T13:33:50Z

rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml

 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"


Nice initiative, but what is the reason for dropping this? I think it helps with context, and it is referred by MS always as Microsoft Entra ID, like:

https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id

https://docs.azure.cn/en-us/entra/fundamentals/whatis

https://docs.azure.cn/en-us/entra/fundamentals/create-new-tenant

@w0rk3r - Great question. Here are a few reasons I decided to drop the Microsoft string unless absolutely necessary for context.

Keeping cloud rule names concise. If we enforce putting Microsoft behind every service, the rule names can get long and redundant. Example User Session Reuse from Microsoft Entra ID to Microsoft Graph in Microsoft Azure

Entra ID is unique in itself and there should be no naming conflicts where context may be missed. However, for example, we should use Microsoft Graph as Graph alone can be vague.

We don't use Microsoft Azure everywhere, simple Azure as we assume subjectively users know what Azure is. IMO we can say the same for Entra ID or M365.

Contextually the full product or service name should be throughout the rule contents itself. We fully say "Microsoft Entra ID", etc. in the description, investigation guides, tags, etc. so it is not missing.

Honestly, if we don't care too much about redundancy or length, I dont have a strong judgment against using the full service/product naming.

Makes perfect sense, I think it is positive ++

tradebot-elastic · 2025-09-02T13:39:28Z

⛔️ Test failed

Results

❌ M365 Exchange User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mailbox Permission Delegation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Session Reuse to Graph Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invitation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Container Access Level Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Potential User Account Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph First Occurrence of Client Request (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Excessive Single Sign-On Logon Errors (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Network Watcher Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Brute Force via Entra ID Sign-Ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Suspicious UserLoggedIn via OAuth Code (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow via Auth Broker to DRS (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Full Network Packet Capture Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID RT to PRT Transition from Same User and Device (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Inbox Rule to Delete or Move Emails (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID EAM Addition or Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mail Access by Unusual ClientAppId (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostic Settings Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DLP Policy Removed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox Audit Logging Bypass (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange New or Modified Federation Domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Signed In from Unusual Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Secret Key Usage by Unusual Identity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PIM Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Excessive Mailbox Items Accessed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ROPC Login Attempt by User Principal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Cloud Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious OAuth User Impersonation Scope Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Management Group Role Assignment (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare Authentication Requirement for Principal User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Access for User Principal via Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Code Auth with Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID First Occurrence of Auth via DeviceCode Protocol (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Resources Resource Group Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Custom Application Interaction Allowed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Entra ID Protection Alerts by User Principal (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Excessive Secret or Key Retrieval (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BloodHound Suite User-Agents Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare App ID for Principal Authentication (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-In Brute Force Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request by Microsoft Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Permissions Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Multiple User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-Ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Graph Suspicious Email Access by First-Party Application via Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Addition to PIM User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostics Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 or Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ TeamFiltration User-Agents Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Added by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID User OAuth Redirect to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2025-09-02T13:44:25Z

⛔️ Test failed

Results

❌ M365 Exchange User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mailbox Permission Delegation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Session Reuse to Graph Access (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 SharePoint Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invitation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Container Access Level Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Potential User Account Brute Force (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph First Occurrence of Client Request (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Excessive Single Sign-On Logon Errors (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Network Watcher Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Brute Force via Entra ID Sign-Ins (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Suspicious UserLoggedIn via OAuth Code (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow via Auth Broker to DRS (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Full Network Packet Capture Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID RT to PRT Transition from Same User and Device (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Inbox Rule to Delete or Move Emails (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID EAM Addition or Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Suspicious Mail Access by Unusual ClientAppId (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostic Settings Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange DLP Policy Removed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Mailbox Audit Logging Bypass (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange New or Modified Federation Domain (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Signed In from Unusual Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Secret Key Usage by Unusual Identity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PIM Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Excessive Mailbox Items Accessed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ AKS Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ROPC Login Attempt by User Principal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious Cloud Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID OAuth Phishing via Visual Studio Code Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Suspicious OAuth User Impersonation Scope Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Management Group Role Assignment (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare Authentication Requirement for Principal User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Access for User Principal via Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Code Auth with Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID First Occurrence of Auth via DeviceCode Protocol (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Resources Resource Group Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Teams Custom Application Interaction Allowed (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Multiple Entra ID Protection Alerts by User Principal (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Key Vault Excessive Secret or Key Retrieval (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ BloodHound Suite User-Agents Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Rare App ID for Principal Authentication (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-In Brute Force Activity (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request by Microsoft Auth Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Malware Filter Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Blob Storage Permissions Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID Multiple User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ VNet Firewall Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Event Hub Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-Ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Graph Suspicious Email Access by First-Party Application via Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Addition to PIM User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Diagnostics Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 or Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ TeamFiltration User-Agents Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Added by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Entra ID User OAuth Redirect to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 Exchange Transport Rule Creation (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2025-09-02T19:15:22Z

⛔️ Test failed

Results

❌ Microsoft 365 Security Compliance User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Email Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox High-Risk Permission Delegated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 SharePoint Malware File Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invited (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Blob Storage Container Access Level Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID User Brute Force Attempt (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mail Flow Transport Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request User Impersonation by Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Excessive SSO Login Errors Reported (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Network Watcher Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Portal Login (Atypical Travel) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Brute Force Attempted (Entra ID Sign-ins) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by Rare Client to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Portal Login (Impossible Travel) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Full Network Packet Capture Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempted (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Inbox Phishing Evasion Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Accessed by Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Settings Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Threat Intelligence Signal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange DLP Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Audit Logging Bypass Added (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Federated Domain Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In with Rare Registered Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Secret Key Usage First Occurrence (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Registered Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Items Accessed Excessively (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Registration Detected (ROADtools) (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by Visual Studio Code Client to Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation by Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Management Group Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In with Rare Authentication Type (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Email Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Resource Group Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams Custom Application Interaction Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection Alerts for User Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-ins BloodHound Suite User-Agent Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-in with Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Malware Filter Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In Brute Force Attempted (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request from Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Malware Filter Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Blob Storage Permissions Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Firewall Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request Email Access by User with Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 or Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-ins TeamFiltration User-Agent Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Created by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by User Sign-in to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mail Flow Transport Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2025-09-03T17:50:36Z

⛔️ Test failed

Results

❌ Microsoft 365 Security Compliance User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Email Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox High-Risk Permission Delegated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 SharePoint Malware File Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invited (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Blob Storage Container Access Level Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID User Brute Force Attempt (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mail Flow Transport Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request User Impersonation by Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Excessive SSO Login Errors Reported (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Network Watcher Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Portal Login (Atypical Travel) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Brute Force Attempted (Entra ID Sign-ins) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by Rare Client to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Portal Login (Impossible Travel) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Full Network Packet Capture Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempted (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Inbox Phishing Evasion Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Accessed by Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Settings Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Threat Intelligence Signal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange DLP Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Audit Logging Bypass Added (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Federated Domain Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In with Rare Registered Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Secret Key Usage First Occurrence (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Registered Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Items Accessed Excessively (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Registration Detected (ROADtools) (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by Visual Studio Code Client to Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation by Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Management Group Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In with Rare Authentication Type (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Email Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Resource Group Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams Custom Application Interaction Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection Alerts for User Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-ins BloodHound Suite User-Agent Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-in with Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Malware Filter Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In Brute Force Attempted (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request from Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Malware Filter Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Blob Storage Permissions Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Firewall Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request Email Access by User with Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ M365 or Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-ins TeamFiltration User-Agent Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Created by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by User Sign-in to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mail Flow Transport Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

tradebot-elastic · 2025-09-03T17:55:11Z

⛔️ Test failed

Results

❌ Microsoft 365 Security Compliance User Restricted from Sending Email (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Email Safe Attachment Rule Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - Sign-in Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Firewall Frontdoor WAF Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox High-Risk Permission Delegated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 SharePoint Malware File Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 OneDrive Excessive File Downloads with OAuth Token (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Guest User Invited (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Application Credential Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Illicit Consent Grant via Registered Application (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Storage Account Key Regenerated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Blob Storage Container Access Level Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk User Sign-in Heuristic (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID User Brute Force Attempt (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mail Flow Transport Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams External Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request User Impersonation by Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Excessive Account Lockouts Detected (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Excessive SSO Login Errors Reported (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Network Watcher Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Portal Login (Atypical Travel) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Brute Force Attempted (Entra ID Sign-ins) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by Rare Client to Microsoft Graph (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID High Risk Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Portal Login (Impossible Travel) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Service Principal Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Full Network Packet Capture Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA TOTP Brute Force Attempted (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Inbox Phishing Evasion Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID External Authentication Methods (EAM) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Accessed by Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OIDC Discovery URL Modified (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection - Risk Detection - User Risk (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange DKIM Signing Configuration Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Settings Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Mass Download by a Single User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Email Reported by User as Malware or Phish (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams Guest Access Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Compute VM Command Execution (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Threat Intelligence Signal (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange DLP Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Audit Logging Bypass Added (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Federated Domain Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Potential Ransomware Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In with Rare Registered Device (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Secret Key Usage First Occurrence (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Added as Registered Application Owner (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Privileged Identity Management (PIM) Role Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mailbox Items Accessed Excessively (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Pods Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID Global Administrator Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Kubernetes Services (AKS) Kubernetes Events Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth ROPC Grant Login Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Elevated Access to User Access Administrator (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Runbook Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Device Registration Detected (ROADtools) (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by Visual Studio Code Client to Microsoft Graph (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth User Impersonation by Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Anti-Phish Rule Modification (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Management Group Role Assigned (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Impossible Travel Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In with Rare Authentication Type (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID PowerShell Sign-in (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Email Safe Link Policy Disabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID OAuth Device Code Grant by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Security Compliance Unusual Volume of File Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Authorization Rule Created or Updated (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Resource Group Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 OneDrive Malware File Upload (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Teams Custom Application Interaction Enabled (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Conditional Access Policy (CAP) Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Protection Alerts for User Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Key Vault Excessive Secret or Key Retrieved (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-ins BloodHound Suite User-Agent Detected (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-in with Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Malware Filter Rule Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Reported Suspicious Activity (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID User Sign-In Brute Force Attempted (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID ADRS Token Request from Microsoft Authentication Broker (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Anti-Phish Policy Deletion (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Malware Filter Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Blob Storage Permissions Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID MFA Disabled for User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID User Account Lockouts (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Account Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure VNet Firewall Policy Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Event Hub Deleted (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Concurrent Sign-ins with Suspicious Properties (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft Graph Request Email Access by User with Rare Client (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Automation Webhook Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Inbox Forwarding Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Global Administrator Role Assigned (PIM User) (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Azure Diagnostic Settings Alert Suppression Rule Created or Modified (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-in from a Suspicious Source (esql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Sign-ins TeamFiltration User-Agent Detected (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Entra ID Service Principal Credentials Created by Rare User (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Entra ID OAuth Flow by User Sign-in to Device Registration (eql)
- coverage_issue: no_rta
- stack_validation_failed: no_rta
❌ Microsoft 365 Exchange Mail Flow Transport Rule Created (kuery)
- coverage_issue: no_rta
- stack_validation_failed: no_rta

botelastic · 2025-11-02T18:54:29Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic · 2025-11-09T19:54:32Z

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

initial adjustments to Azure ruleset

35553e8

terrancedejesus linked an issue Aug 28, 2025 that may be closed by this pull request

[Rule Tuning] Standardize Azure / M365 Rule Contents #5033

Closed

terrancedejesus added 2 commits August 28, 2025 14:21

updated azure tags

9a76608

updated m365 rules

1f3e5c2

removed deprecated rule change

d481dad

terrancedejesus marked this pull request as ready for review September 2, 2025 13:27

terrancedejesus marked this pull request as draft September 2, 2025 13:27

github-actions bot added the backport: auto label Sep 2, 2025

resolving conflicts

29b3cb7

w0rk3r reviewed Sep 2, 2025

View reviewed changes

resolving conflicts

64a1d8b

resolving conflicts

78476c3

updated rule names

2953fdd

updated tags, rules names

2ec97bb

updated name and tags

12eef14

botelastic bot added the stale 60 days of inactivity label Nov 2, 2025

botelastic bot closed this Nov 9, 2025

w0rk3r reopened this Nov 9, 2025

botelastic bot removed the stale 60 days of inactivity label Nov 9, 2025

github-actions bot deployed to docs-preview November 9, 2025 20:24 View deployment

w0rk3r added the backlog label Nov 9, 2025

Mikaayenson assigned terrancedejesus Dec 4, 2025

[Rule Tuning] Standardize Azure / M365 Rule Contents #5035

Are you sure you want to change the base?

[Rule Tuning] Standardize Azure / M365 Rule Contents #5035

Uh oh!

Conversation

terrancedejesus commented Aug 28, 2025

Pull Request

Summary - What I changed

How To Test

Checklist

Contributor checklist

Uh oh!

tradebot-elastic commented Aug 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Aug 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

w0rk3r Sep 2, 2025

Choose a reason for hiding this comment

Uh oh!

terrancedejesus Sep 2, 2025

Choose a reason for hiding this comment

Uh oh!

w0rk3r Sep 2, 2025

Choose a reason for hiding this comment

Uh oh!

tradebot-elastic commented Sep 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Sep 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Sep 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Sep 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

tradebot-elastic commented Sep 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

botelastic bot commented Nov 2, 2025

Uh oh!

botelastic bot commented Nov 9, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

tradebot-elastic commented Aug 29, 2025 •

edited

Loading

tradebot-elastic commented Aug 29, 2025 •

edited

Loading

tradebot-elastic commented Sep 2, 2025 •

edited

Loading

tradebot-elastic commented Sep 2, 2025 •

edited

Loading

tradebot-elastic commented Sep 2, 2025 •

edited

Loading

tradebot-elastic commented Sep 3, 2025 •

edited

Loading

tradebot-elastic commented Sep 3, 2025 •

edited

Loading